ammyyadmin | 94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07-09-2023 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6Js1.exe
Size

618KB
MD5

3f6d5376b6d40c82644287c7621dfc5b
SHA1

f54b9ed42b60eb6793cd55ed25e6f2bd6120218f
SHA256

94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e
SHA512

3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c
SSDEEP

12288:vbNq3U22k24PnuBvJTvfIVcmaBhIaQBanLFHL4UhnPtJHKFm5fto1XGTI:zI24PuvJTEYHLzhnPwU1cL

Score

10^/10

ammyyadmin smokeloader backdoor bootkit collection evasion persistence rat trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0007000000016c76-210.dat	family_ammyyadmin
behavioral1/files/0x0007000000016c76-207.dat	family_ammyyadmin
behavioral1/files/0x0007000000016c76-205.dat	family_ammyyadmin
behavioral1/files/0x0007000000016c76-212.dat	family_ammyyadmin
behavioral1/files/0x0007000000016c76-211.dat	family_ammyyadmin

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

svchost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

Processes:

DE70.exe

description	pid	Process	procid_target
PID 2528 created 1236	2528	DE70.exe	10
PID 2528 created 1236	2528	DE70.exe	10
PID 2528 created 1236	2528	DE70.exe	10
PID 2528 created 1236	2528	DE70.exe	10
PID 2528 created 1236	2528	DE70.exe	10
PID 2528 created 1236	2528	DE70.exe	10

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

Processes:

Explorer.EXE

pid	Process
1236	Explorer.EXE

Executes dropped EXE 2 IoCs

Processes:

DE70.exesvchost.exe

pid	Process
2528	DE70.exe
2932	svchost.exe

Loads dropped DLL 4 IoCs

Processes:

Explorer.EXEexplorer.exetaskeng.exe

pid	Process
1236	Explorer.EXE
440	explorer.exe
440	explorer.exe
1680	taskeng.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

svchost.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6Js1.exeDE70.exe

description	pid	Process	procid_target
PID 2260 set thread context of 324	2260	6Js1.exe	28
PID 2528 set thread context of 2396	2528	DE70.exe	58

Drops file in Program Files directory 1 IoCs

Processes:

DE70.exe

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	DE70.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid	Process
1796	sc.exe
964	sc.exe
284	sc.exe
1548	sc.exe
1844	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6Js1.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6Js1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6Js1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6Js1.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6Js1.exe6Js1.exeExplorer.EXE

pid	Process
2260	6Js1.exe
324	6Js1.exe
324	6Js1.exe
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
1236	Explorer.EXE

Suspicious behavior: MapViewOfSection 33 IoCs

Processes:

6Js1.exeExplorer.EXEexplorer.exe

pid	Process
324	6Js1.exe
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
440	explorer.exe
440	explorer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

6Js1.exepowershell.exedialer.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exe

description	pid	Process
Token: SeDebugPrivilege	2260	6Js1.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2396	dialer.exe
Token: SeShutdownPrivilege	1332	powercfg.exe
Token: SeShutdownPrivilege	2832	powercfg.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeShutdownPrivilege	1760	powercfg.exe
Token: SeShutdownPrivilege	2340	powercfg.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

svchost.exe

pid	Process
2932	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6Js1.exeExplorer.EXE

description	pid	Process	procid_target
PID 2260 wrote to memory of 324	2260	6Js1.exe	28
PID 2260 wrote to memory of 324	2260	6Js1.exe	28
PID 2260 wrote to memory of 324	2260	6Js1.exe	28
PID 2260 wrote to memory of 324	2260	6Js1.exe	28
PID 2260 wrote to memory of 324	2260	6Js1.exe	28
PID 2260 wrote to memory of 324	2260	6Js1.exe	28
PID 2260 wrote to memory of 324	2260	6Js1.exe	28
PID 1236 wrote to memory of 2528	1236	Explorer.EXE	31
PID 1236 wrote to memory of 2528	1236	Explorer.EXE	31
PID 1236 wrote to memory of 2528	1236	Explorer.EXE	31
PID 1236 wrote to memory of 2608	1236	Explorer.EXE	32
PID 1236 wrote to memory of 2608	1236	Explorer.EXE	32
PID 1236 wrote to memory of 2608	1236	Explorer.EXE	32
PID 1236 wrote to memory of 2608	1236	Explorer.EXE	32
PID 1236 wrote to memory of 2608	1236	Explorer.EXE	32
PID 1236 wrote to memory of 2004	1236	Explorer.EXE	33
PID 1236 wrote to memory of 2004	1236	Explorer.EXE	33
PID 1236 wrote to memory of 2004	1236	Explorer.EXE	33
PID 1236 wrote to memory of 2004	1236	Explorer.EXE	33
PID 1236 wrote to memory of 1732	1236	Explorer.EXE	34
PID 1236 wrote to memory of 1732	1236	Explorer.EXE	34
PID 1236 wrote to memory of 1732	1236	Explorer.EXE	34
PID 1236 wrote to memory of 1732	1236	Explorer.EXE	34
PID 1236 wrote to memory of 1732	1236	Explorer.EXE	34
PID 1236 wrote to memory of 2192	1236	Explorer.EXE	35
PID 1236 wrote to memory of 2192	1236	Explorer.EXE	35
PID 1236 wrote to memory of 2192	1236	Explorer.EXE	35
PID 1236 wrote to memory of 2192	1236	Explorer.EXE	35
PID 1236 wrote to memory of 2192	1236	Explorer.EXE	35
PID 1236 wrote to memory of 2444	1236	Explorer.EXE	36
PID 1236 wrote to memory of 2444	1236	Explorer.EXE	36
PID 1236 wrote to memory of 2444	1236	Explorer.EXE	36
PID 1236 wrote to memory of 2444	1236	Explorer.EXE	36
PID 1236 wrote to memory of 2444	1236	Explorer.EXE	36
PID 1236 wrote to memory of 1120	1236	Explorer.EXE	37
PID 1236 wrote to memory of 1120	1236	Explorer.EXE	37
PID 1236 wrote to memory of 1120	1236	Explorer.EXE	37
PID 1236 wrote to memory of 1120	1236	Explorer.EXE	37
PID 1236 wrote to memory of 2412	1236	Explorer.EXE	38
PID 1236 wrote to memory of 2412	1236	Explorer.EXE	38
PID 1236 wrote to memory of 2412	1236	Explorer.EXE	38
PID 1236 wrote to memory of 2412	1236	Explorer.EXE	38
PID 1236 wrote to memory of 2412	1236	Explorer.EXE	38
PID 1236 wrote to memory of 1636	1236	Explorer.EXE	39
PID 1236 wrote to memory of 1636	1236	Explorer.EXE	39
PID 1236 wrote to memory of 1636	1236	Explorer.EXE	39
PID 1236 wrote to memory of 1636	1236	Explorer.EXE	39
PID 1236 wrote to memory of 1996	1236	Explorer.EXE	40
PID 1236 wrote to memory of 1996	1236	Explorer.EXE	40
PID 1236 wrote to memory of 1996	1236	Explorer.EXE	40
PID 1236 wrote to memory of 1996	1236	Explorer.EXE	40
PID 1236 wrote to memory of 1996	1236	Explorer.EXE	40
PID 1236 wrote to memory of 1504	1236	Explorer.EXE	41
PID 1236 wrote to memory of 1504	1236	Explorer.EXE	41
PID 1236 wrote to memory of 1504	1236	Explorer.EXE	41
PID 1236 wrote to memory of 1504	1236	Explorer.EXE	41
PID 1236 wrote to memory of 1312	1236	Explorer.EXE	42
PID 1236 wrote to memory of 1312	1236	Explorer.EXE	42
PID 1236 wrote to memory of 1312	1236	Explorer.EXE	42
PID 1236 wrote to memory of 1312	1236	Explorer.EXE	42
PID 1236 wrote to memory of 1312	1236	Explorer.EXE	42
PID 1236 wrote to memory of 1800	1236	Explorer.EXE	43
PID 1236 wrote to memory of 1800	1236	Explorer.EXE	43
PID 1236 wrote to memory of 1800	1236	Explorer.EXE	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:472
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:656
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1084
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2828
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2756
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1112
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:364
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:288
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:980
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  PID:840
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {C004E350-5539-409F-9607-16262BCF4EC5} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Loads dropped DLL
    PID:1680
  - - C:\Program Files\Google\Chrome\updater.exe
      "C:\Program Files\Google\Chrome\updater.exe"
      4⤵
      PID:1584
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:796
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  PID:748
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:580

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Local\Temp\6Js1.exe
  "C:\Users\Admin\AppData\Local\Temp\6Js1.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\6Js1.exe
    C:\Users\Admin\AppData\Local\Temp\6Js1.exe
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:324
- C:\Users\Admin\AppData\Local\Temp\DE70.exe
  C:\Users\Admin\AppData\Local\Temp\DE70.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  PID:2528
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:2608
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2004
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1732
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2192
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2444
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1120
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2412
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1636
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1996
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1504
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1312
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2180
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1592
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: MapViewOfSection
  PID:440
- - C:\Users\Admin\AppData\Local\Temp\1C66.tmp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\1C66.tmp\svchost.exe -debug
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of FindShellTrayWindow
    PID:2932
  - - C:\Windows\SysWOW64\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:2804
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1772
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1548
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1844
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1796
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:964
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:284
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2236
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1760
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#sqltdrz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2136
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1868

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1923914430-1352908955-10519928618213002191769091543359304054506151749-1173518424"
1⤵
PID:2940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-239579116-170976681-731918524334289605-686074165110564400-13998090012092511939"
1⤵
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
1.5MB

MD5
707a543b7ddef8645b2676925c9393dc

SHA1
3cfe7f95157ecaacc42ebb21f063f27f82c31bbc

SHA256
16c1688b18e1d0cbb35c699e6a0a8142695f3fffdbc560720df686b32fdf4f71

SHA512
7e862d4df4701fec5aa23540ac608d7705ceb7d6f2d548fe7bcb0313be8405597acf10c9142114dc8c3574fde4d4fd9a90ad5881c578aaa7365d7fe16f53e59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C66.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C66.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C66.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCB1E.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE70.exe

Filesize
9.9MB

MD5
4c328b215a84c1b2c982a3268b4a0cea

SHA1
addaaa78ce3f457d008a4958b2c1a404dcc62eaa

SHA256
3761032e760a2bcc61854a0c7cf22e8e991af0ed60fac92b981853eadda00d1a

SHA512
bd1a0bb98487781d8a6a5145e30544112d511c4510eda59150f23ff605db4ded5f42869a5be9ff0ff7fc570ab2d9f05c13223f3a420a7fa3b3ad7258f2084598

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE70.exe

Filesize
9.9MB

MD5
4c328b215a84c1b2c982a3268b4a0cea

SHA1
addaaa78ce3f457d008a4958b2c1a404dcc62eaa

SHA256
3761032e760a2bcc61854a0c7cf22e8e991af0ed60fac92b981853eadda00d1a

SHA512
bd1a0bb98487781d8a6a5145e30544112d511c4510eda59150f23ff605db4ded5f42869a5be9ff0ff7fc570ab2d9f05c13223f3a420a7fa3b3ad7258f2084598

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCB6F.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2AXR9M3W39FEQOKMUKPP.temp

Filesize
7KB

MD5
980cb2b4daf7e88d0c09ab1b77084d12

SHA1
df21ba9d1cf04bd93e9141254d9b796e6cf14030

SHA256
9d6d81e2de6a414a8e6a073a9e24aa3419bfab41d8209acb59a386acc5677922

SHA512
bf77e49c6c2bc9c0e3b69adb121da0961402e88f365084bff2e159811938435dc58698e3f5a3f4e785115273b84eee5317dff805fd011a5c2050dbf66537a9ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
980cb2b4daf7e88d0c09ab1b77084d12

SHA1
df21ba9d1cf04bd93e9141254d9b796e6cf14030

SHA256
9d6d81e2de6a414a8e6a073a9e24aa3419bfab41d8209acb59a386acc5677922

SHA512
bf77e49c6c2bc9c0e3b69adb121da0961402e88f365084bff2e159811938435dc58698e3f5a3f4e785115273b84eee5317dff805fd011a5c2050dbf66537a9ae

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
1.6MB

MD5
c0115d5fae1066606d696c270fbe5f42

SHA1
d1b715fe9deaa49486d415003c1a8dd1a1f8b20f

SHA256
d22f0fffe37909034512d9ad344265ff2bce9e33ba0af23a00ee85230a706425

SHA512
015742433118ab75a59b88e341131fa8cb7f2f65dc4068510299dc14e7dea50ccf7ff5cd973a11a01947e0987fccf42344471903710f1bbfce3377bd00aa7fc7

Download Submit
\Users\Admin\AppData\Local\Temp\1C66.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
\Users\Admin\AppData\Local\Temp\1C66.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
\Users\Admin\AppData\Local\Temp\DE70.exe

Filesize
9.9MB

MD5
4c328b215a84c1b2c982a3268b4a0cea

SHA1
addaaa78ce3f457d008a4958b2c1a404dcc62eaa

SHA256
3761032e760a2bcc61854a0c7cf22e8e991af0ed60fac92b981853eadda00d1a

SHA512
bd1a0bb98487781d8a6a5145e30544112d511c4510eda59150f23ff605db4ded5f42869a5be9ff0ff7fc570ab2d9f05c13223f3a420a7fa3b3ad7258f2084598

Download Submit
memory/324-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/324-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/324-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/324-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/324-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/324-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/424-221-0x00000000007D0000-0x00000000007F7000-memory.dmp

Filesize
156KB

Download
memory/424-215-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/424-214-0x000007FEBD920000-0x000007FEBD930000-memory.dmp

Filesize
64KB

Download
memory/424-199-0x00000000007A0000-0x00000000007C1000-memory.dmp

Filesize
132KB

Download
memory/424-203-0x00000000007D0000-0x00000000007F7000-memory.dmp

Filesize
156KB

Download
memory/424-202-0x00000000007A0000-0x00000000007C1000-memory.dmp

Filesize
132KB

Download
memory/424-223-0x00000000774C1000-0x00000000774C2000-memory.dmp

Filesize
4KB

Download
memory/440-182-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/440-183-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/440-184-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/472-227-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/472-225-0x0000000000970000-0x0000000000997000-memory.dmp

Filesize
156KB

Download
memory/472-224-0x000007FEBD920000-0x000007FEBD930000-memory.dmp

Filesize
64KB

Download
memory/472-222-0x0000000000970000-0x0000000000997000-memory.dmp

Filesize
156KB

Download
memory/480-232-0x0000000000170000-0x0000000000197000-memory.dmp

Filesize
156KB

Download
memory/480-235-0x000007FEBD920000-0x000007FEBD930000-memory.dmp

Filesize
64KB

Download
memory/480-236-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/488-244-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/488-246-0x000007FEBD920000-0x000007FEBD930000-memory.dmp

Filesize
64KB

Download
memory/488-250-0x00000000374B0000-0x00000000374C0000-memory.dmp

Filesize
64KB

Download
memory/580-248-0x0000000000560000-0x0000000000587000-memory.dmp

Filesize
156KB

Download
memory/580-252-0x000007FEBD920000-0x000007FEBD930000-memory.dmp

Filesize
64KB

Download
memory/1120-137-0x00000000000E0000-0x00000000000EF000-memory.dmp

Filesize
60KB

Download
memory/1120-139-0x00000000000E0000-0x00000000000EF000-memory.dmp

Filesize
60KB

Download
memory/1120-138-0x00000000000F0000-0x00000000000F9000-memory.dmp

Filesize
36KB

Download
memory/1236-13-0x0000000002B40000-0x0000000002B56000-memory.dmp

Filesize
88KB

Download
memory/1312-155-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/1312-153-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/1312-157-0x0000000000060000-0x0000000000069000-memory.dmp

Filesize
36KB

Download
memory/1504-151-0x0000000000060000-0x0000000000069000-memory.dmp

Filesize
36KB

Download
memory/1504-149-0x0000000000060000-0x0000000000069000-memory.dmp

Filesize
36KB

Download
memory/1504-188-0x0000000000070000-0x0000000000075000-memory.dmp

Filesize
20KB

Download
memory/1504-150-0x0000000000070000-0x0000000000075000-memory.dmp

Filesize
20KB

Download
memory/1592-179-0x0000000000060000-0x000000000006D000-memory.dmp

Filesize
52KB

Download
memory/1592-173-0x0000000000060000-0x000000000006D000-memory.dmp

Filesize
52KB

Download
memory/1636-145-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1636-144-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/1636-167-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1668-195-0x000000001B090000-0x000000001B372000-memory.dmp

Filesize
2.9MB

Download
memory/1668-229-0x0000000002730000-0x00000000027B0000-memory.dmp

Filesize
512KB

Download
memory/1668-200-0x0000000002730000-0x00000000027B0000-memory.dmp

Filesize
512KB

Download
memory/1668-204-0x000007FEF5160000-0x000007FEF5AFD000-memory.dmp

Filesize
9.6MB

Download
memory/1668-197-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/1668-198-0x000007FEF5160000-0x000007FEF5AFD000-memory.dmp

Filesize
9.6MB

Download
memory/1668-219-0x0000000002730000-0x00000000027B0000-memory.dmp

Filesize
512KB

Download
memory/1732-130-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1732-128-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/1732-142-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/1732-129-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1800-162-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1800-161-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1800-242-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1800-160-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1976-170-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/1976-172-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/1976-181-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/1976-169-0x000000001B040000-0x000000001B322000-memory.dmp

Filesize
2.9MB

Download
memory/1976-177-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/1976-178-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/1976-171-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/1976-175-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/1976-174-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/1996-146-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/1996-148-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2004-125-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/2004-127-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/2004-126-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/2180-176-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/2180-180-0x0000000000060000-0x000000000006D000-memory.dmp

Filesize
52KB

Download
memory/2180-168-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/2192-132-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/2192-131-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/2192-133-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/2260-3-0x0000000002110000-0x0000000002150000-memory.dmp

Filesize
256KB

Download
memory/2260-5-0x00000000006A0000-0x00000000006EC000-memory.dmp

Filesize
304KB

Download
memory/2260-12-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2260-4-0x0000000000670000-0x00000000006A2000-memory.dmp

Filesize
200KB

Download
memory/2260-2-0x0000000000460000-0x00000000004A2000-memory.dmp

Filesize
264KB

Download
memory/2260-1-0x00000000008F0000-0x0000000000990000-memory.dmp

Filesize
640KB

Download
memory/2260-0-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2396-187-0x0000000077350000-0x000000007746F000-memory.dmp

Filesize
1.1MB

Download
memory/2396-189-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/2396-233-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2396-186-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/2412-140-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/2412-141-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2412-158-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/2412-143-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2444-134-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/2444-136-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2444-152-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2528-154-0x000000013F2C0000-0x000000013FCB6000-memory.dmp

Filesize
10.0MB

Download
memory/2528-216-0x000000013F2C0000-0x000000013FCB6000-memory.dmp

Filesize
10.0MB

Download
memory/2608-124-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/2608-109-0x0000000000170000-0x00000000001E5000-memory.dmp

Filesize
468KB

Download
memory/2608-111-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/2608-110-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download