d261cc4cc40165817ae64ca19140e5c574f36d97c703165256e92e1df02becd0

Resubmissions

25/04/2023, 20:18

230425-y3j7yscg23 10

Analysis

max time kernel
489s
max time network
494s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Executables/AtlasModules/Scripts/setSvc.cmd
Size

2KB
MD5

a7d3e4ffbb7206374740a5e348ca2380
SHA1

6b15231dbb2444198faf876ce420ebff9961383e
SHA256

be86445c1f6e88a1c4a1df2c457ced5157c3d712d176011dfaee662403f70b22
SHA512

4183c4c47720232592d0e73fd57373ff7ef69279f93b65cc208db72d89b427435517acbe62ab34005d7de156b172f492cc78437f3a808318f9c3748718b81390

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1224 created 672	1224	powershell.exe	3

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4924	sc.exe
404	sc.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-18\SymbolicLinkValue = "\\Registry\\User\\.Default"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-18\SymbolicLinkValue = "\\Registry\\User\\S-1-5-21-144354903-2550862337-1367551827-1000"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1452	powershell.exe
1452	powershell.exe
1224	powershell.exe
1224	powershell.exe
1224	powershell.exe
1224	powershell.exe
1872	powershell.exe
1872	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	1548	whoami.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	1476	whoami.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	4172	whoami.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	3368	whoami.exe
Token: SeDebugPrivilege	3368	whoami.exe
Token: SeDebugPrivilege	3368	whoami.exe
Token: SeDebugPrivilege	3368	whoami.exe
Token: SeDebugPrivilege	3368	whoami.exe
Token: SeDebugPrivilege	3368	whoami.exe
Token: SeDebugPrivilege	3368	whoami.exe
Token: SeDebugPrivilege	3368	whoami.exe
Token: SeSecurityPrivilege	1872	powershell.exe
Token: SeTakeOwnershipPrivilege	1872	powershell.exe
Token: SeBackupPrivilege	1872	powershell.exe
Token: SeRestorePrivilege	1872	powershell.exe
Token: SeDebugPrivilege	4592	whoami.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1548	960	cmd.exe	84
PID 960 wrote to memory of 1548	960	cmd.exe	84
PID 960 wrote to memory of 2432	960	cmd.exe	85
PID 960 wrote to memory of 2432	960	cmd.exe	85
PID 960 wrote to memory of 1500	960	cmd.exe	86
PID 960 wrote to memory of 1500	960	cmd.exe	86
PID 960 wrote to memory of 1452	960	cmd.exe	87
PID 960 wrote to memory of 1452	960	cmd.exe	87
PID 1452 wrote to memory of 1476	1452	powershell.exe	88
PID 1452 wrote to memory of 1476	1452	powershell.exe	88
PID 1452 wrote to memory of 1224	1452	powershell.exe	89
PID 1452 wrote to memory of 1224	1452	powershell.exe	89
PID 1224 wrote to memory of 4172	1224	powershell.exe	91
PID 1224 wrote to memory of 4172	1224	powershell.exe	91
PID 1224 wrote to memory of 4924	1224	powershell.exe	92
PID 1224 wrote to memory of 4924	1224	powershell.exe	92
PID 1224 wrote to memory of 404	1224	powershell.exe	93
PID 1224 wrote to memory of 404	1224	powershell.exe	93
PID 1224 wrote to memory of 1872	1224	powershell.exe	94
PID 1224 wrote to memory of 1872	1224	powershell.exe	94
PID 1872 wrote to memory of 3368	1872	powershell.exe	96
PID 1872 wrote to memory of 3368	1872	powershell.exe	96
PID 1872 wrote to memory of 5064	1872	powershell.exe	99
PID 1872 wrote to memory of 5064	1872	powershell.exe	99
PID 5064 wrote to memory of 4592	5064	cmd.exe	102
PID 5064 wrote to memory of 4592	5064	cmd.exe	102
PID 5064 wrote to memory of 2608	5064	cmd.exe	101
PID 5064 wrote to memory of 2608	5064	cmd.exe	101

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -win 1 -nop -c iex $env:R; # RunAsTI
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\setSvc.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\system32\find.exe
      find /i "S-1-5-18"
      4⤵
      PID:2608
  - - C:\Windows\system32\whoami.exe
      whoami /user
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\setSvc.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\system32\whoami.exe
  whoami /user
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\system32\find.exe
  find /i "S-1-5-18"
  2⤵
  PID:2432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" ( FOR %I in ("C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\RunAsTI.cmd" "C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\setSvc.cmd" "") do @ echo(%~I )"
  2⤵
  PID:1500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoProfile -Command "$argv = $input | ?{$_}; iex (${C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\RunAsTI.cmd} | out-string)"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /user
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 -nop -c $cmd='C:\Users\Admin\AppData\Local\Temp\Executables\AtlasModules\Scripts\setSvc.cmd'; $arg=''; $id='RunAsTI'; $key='Registry::HKU\S-1-5-21-144354903-2550862337-1367551827-1000\Volatile Environment'; $env:R=(gi $key -ea 0).getvalue($id)-join''; iex $env:R
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\system32\whoami.exe
      "C:\Windows\system32\whoami.exe" /groups
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4172
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start TrustedInstaller
      4⤵
      Launches sc.exe
      PID:4924
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start lsass
      4⤵
      Launches sc.exe
      PID:404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eb4d127b8a6f84a1cee423c5e3e3a51d

SHA1
c55263a8ff097067f2393ce2120801a445fd1949

SHA256
d73b077e2ae7f7608ebf774fb83ab13c7bc7a5c3e4d9d96fda2bf695dc698514

SHA512
45a52004f8b63ac089de017437ba0e03335f18469942795d36ce3c3d017f842e582103c91e07d9af0fa8dfbbe6f2f68f2fac91383a48b6535952a8630911f21e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9c3a1483b2d9a9e31f71d9919057469c

SHA1
80dadf7a991d50c4781317aa8af75d0d9824cee6

SHA256
f3c85953c8b8b2baea05749bf784646266fa7f60b886247632fa304e21166ee2

SHA512
c28907190c17aa0ad8cd3202a464ef4018f4ba44aceb3dc0a2b3ec0ece3e13d19ca3aab67ec295226d80891fcca6af465a94c8c0fc68f36da7cae11bfa74fd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oistqcef.ubq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1224-161-0x0000020520CE0000-0x0000020520CF0000-memory.dmp

Filesize
64KB

Download
memory/1224-162-0x0000020520CE0000-0x0000020520CF0000-memory.dmp

Filesize
64KB

Download
memory/1452-144-0x000002274C110000-0x000002274C120000-memory.dmp

Filesize
64KB

Download
memory/1452-145-0x000002274C110000-0x000002274C120000-memory.dmp

Filesize
64KB

Download
memory/1452-143-0x000002274C110000-0x000002274C120000-memory.dmp

Filesize
64KB

Download
memory/1452-133-0x000002274E200000-0x000002274E222000-memory.dmp

Filesize
136KB

Download
memory/1872-175-0x00000113A6080000-0x00000113A6090000-memory.dmp

Filesize
64KB

Download
memory/1872-176-0x00000113A6080000-0x00000113A6090000-memory.dmp

Filesize
64KB

Download
memory/1872-174-0x00000113A6080000-0x00000113A6090000-memory.dmp

Filesize
64KB

Download