8ca50265b5e333bd3c1dfd1b2cbce8d011fdbc94aafd33d73b3bca35c32651cc

General

Target

0e15f9d8151c82ab4b82f47b7177af7b.exe
Size

311KB
MD5

0e15f9d8151c82ab4b82f47b7177af7b
SHA1

e4ec0960b2b76e969f219298554fa55f09fe7cce
SHA256

8ca50265b5e333bd3c1dfd1b2cbce8d011fdbc94aafd33d73b3bca35c32651cc
SHA512

09b21ec489fb3276907572ebf9ff729853c1c07fd405f031c6a006d94785f08eef6a11e7065e5c7c9dd6cb2852939f8d473df4774f89f35dec33eb448319f5e3
SSDEEP

6144:5/IsgxG1RdAZZ1llyP/WBSgTY7cT7w5fof:5/UxG/21loPuk8Y7Co

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2476	services64.exe
1812	sihost64.exe
380	services64.exe

Loads dropped DLL 3 IoCs

pid	Process
3020	0e15f9d8151c82ab4b82f47b7177af7b.exe
2476	services64.exe
1812	sihost64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2512	schtasks.exe
2748	schtasks.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\CID\{5A006500-4B00-3700-7300-340049006200}	0e15f9d8151c82ab4b82f47b7177af7b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\CID\{5A006500-4B00-3700-7300-340049006200}\1 = "9PCpImd1P/JAb7evk5zEd9w+IJaX5DtcQCzDyIKrNbw+lb20PZyKepLdTtW2h7/M1PwJzYa3CSZCiVtdCJFfyz/nLG/so5XsuDISVFBrw7BUi1nBywzWduZkoYAB9KsjZjKwCckUIZZb2sz4Z3StONJjmfH/Krl7/oQC4jhqFLrKOzQ71PSl/cv9FQOjX5bc"	services64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\CID\{6C004800-4C00-4400-3900-4E0048006500}\1 = "QFV9Lpttj31udWbUrMVpr8TVhttzLaV45MUXmwlmgxJAicV3rdRvx9fBmdU8Eie5lvjBbgo4N32qQLYF+3JZBdIrGLjpS+jFjiwATHBD/bm0Y7rnfZ/i0+dusbIC2KPoDicxbBgKs5qRaxS6w+8rFwYF4gVd0vZDS65bsuJjhkyOGcAraTqyPRe7sp7+E+PCBEIf6Xn47uktzw3CEFafRhCG6S7+OXINXy+Arox0S1OH8puJJGYnq85hxkTtwn0GuoMMXnDQ+yx1jDcp3cjtos8qMtVThtIHKZIVVEfPTTQPbv34nkea13tIzSOVltGDNHSFqn0u73ZwIowGl3wRGz2V/HkP/DP2Q/owUbcuZAWFijQarlaSseFvVb46OkI/gVUjHgBv3I4AMtQedtaM5JCbAVek/B4Pav5OIOpa3lKa4dwjQgmXYT6AccSLSAiHpC+1mjpgekHcDbqMByxM2A=="	services64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\CID\{5A006500-4B00-3700-7300-340049006200}\1 = "plW7HHJ91YFJPK7YVnFuMa6+6UA9VgLC/04Mh9EDgw8/mlKBTAd2GwJo/Hpth2aAoG0TJ9vWJEVwo3LLvyEHverVwjZAFlPdUb3tOjNGrZD/mKjkl1mPEGn+4DHdElZ+J+Y+WdW0JTrQ1mfpQ+/ga1cgvFXKre1BaOfKTiKe/RYl0uahridKjFAm/gU9+Rgq"	services64.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\CID\{6C004800-4C00-4400-3900-4E0048006500}	0e15f9d8151c82ab4b82f47b7177af7b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\CID\{6C004800-4C00-4400-3900-4E0048006500}\1 = "QFV9Lpttj31udWbUrMVpr8TVhttzLaV45MUXmwlmgxJAicV3rdRvx9fBmdU8Eie5lvjBbgo4N32qQLYF+3JZBdIrGLjpS+jFjiwATHBD/bm0Y7rnfZ/i0+dusbIC2KPoDicxbBgKs5qRaxS6w+8rFwYF4gVd0vZDS65bsuJjhkyOGcAraTqyPRe7sp7+E+PCBEIf6Xn47uktzw3CEFafRhCG6S7+OXINXy+Arox0S1OH8puJJGYnq85hxkTtwn0GuoMMXnDQ+yx1jDcp3cjtos8qMtVThtIHKZIVVEfPTTQPbv34nkea13tIzSOVltGDNHSFqn0u73ZwIowGl3wRGz2V/HkP/DP2Q/owUbcuZAWFijQarlaSseFvVb46OkI/gVUjHgBv3I4AMtQedtaM5JCbAVek/B4Pav5OIOpa3lKa4dwjQgmXYT6AccSLSAiHpC+1mjpgekHcDbqMByxM2A=="	0e15f9d8151c82ab4b82f47b7177af7b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\CID\{5A006500-4B00-3700-7300-340049006200}\1 = "3RocgVTwHxuYT4d/ZbBrh41Lv0W5zzugud+nSKjiDWlwaPvakkJgK6vU01/fzhmne/aM88vXbC+ol8stYM+Dote6yHE3XdXWzN8JwhXZK4qSC99tgGWCFHmf+GcnOB7X2OTyc9vZMZ9JdXEPmNhVmNu4ANHHCTvjwBE24rv3Zv/nYWzpeOitnAJPrcQt/C3F"	0e15f9d8151c82ab4b82f47b7177af7b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\CID\{6C004800-4C00-4400-3900-4E0048006500}\1 = "QFV9Lpttj31udWbUrMVpr8TVhttzLaV45MUXmwlmgxJAicV3rdRvx9fBmdU8Eie5lvjBbgo4N32qQLYF+3JZBdIrGLjpS+jFjiwATHBD/bm0Y7rnfZ/i0+dusbIC2KPoDicxbBgKs5qRaxS6w+8rFwYF4gVd0vZDS65bsuJjhkyOGcAraTqyPRe7sp7+E+PCBEIf6Xn47uktzw3CEFafRhCG6S7+OXINXy+Arox0S1OH8puJJGYnq85hxkTtwn0GuoMMXnDQ+yx1jDcp3cjtos8qMtVThtIHKZIVVEfPTTQPbv34nkea13tIzSOVltGDNHSFqn0u73ZwIowGl3wRGz2V/HkP/DP2Q/owUbcuZAWFijQarlaSseFvVb46OkI/gVUjHgBv3I4AMtQedtaM5JCbAVek/B4Pav5OIOpa3lKa4dwjQgmXYT6AccSLSAiHpC+1mjpgekHcDbqMByxM2A=="	services64.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\CID	0e15f9d8151c82ab4b82f47b7177af7b.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54362000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd90b000000010000001200000044006900670069004300650072007400000014000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd155090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c543604000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	services64.exe

NTFS ADS 18 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming:{5A006500-4B00-3700-7300-340049006200}	services64.exe
File created	C:\Users\Admin\Documents\My Music:{5A006500-4B00-3700-7300-340049006200}	services64.exe
File created	C:\Users\Admin\AppData\Roaming:{6C004800-4C00-4400-3900-4E0048006500}	services64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming:{5A006500-4B00-3700-7300-340049006200}	services64.exe
File created	C:\Users\Admin\Documents\My Music:{6C004800-4C00-4400-3900-4E0048006500}	0e15f9d8151c82ab4b82f47b7177af7b.exe
File created	C:\MSOCache:{6C004800-4C00-4400-3900-4E0048006500}	0e15f9d8151c82ab4b82f47b7177af7b.exe
File created	C:\Users\Admin\AppData\Local\Temp:{5A006500-4B00-3700-7300-340049006200}	0e15f9d8151c82ab4b82f47b7177af7b.exe
File created	C:\Users\Admin\Documents\My Music:{5A006500-4B00-3700-7300-340049006200}	0e15f9d8151c82ab4b82f47b7177af7b.exe
File created	C:\MSOCache:{5A006500-4B00-3700-7300-340049006200}	0e15f9d8151c82ab4b82f47b7177af7b.exe
File created	C:\MSOCache:{5A006500-4B00-3700-7300-340049006200}	services64.exe
File created	C:\Users\Admin\AppData\Local\Temp:{6C004800-4C00-4400-3900-4E0048006500}	0e15f9d8151c82ab4b82f47b7177af7b.exe
File created	C:\Users\Admin\Documents\My Music:{6C004800-4C00-4400-3900-4E0048006500}	services64.exe
File created	C:\MSOCache:{5A006500-4B00-3700-7300-340049006200}	services64.exe
File created	C:\Users\Admin\Documents\My Music:{6C004800-4C00-4400-3900-4E0048006500}	services64.exe
File created	C:\Users\Admin\Documents\My Music:{5A006500-4B00-3700-7300-340049006200}	services64.exe
File created	C:\MSOCache:{6C004800-4C00-4400-3900-4E0048006500}	services64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming:{6C004800-4C00-4400-3900-4E0048006500}	services64.exe
File created	C:\MSOCache:{6C004800-4C00-4400-3900-4E0048006500}	services64.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3020	0e15f9d8151c82ab4b82f47b7177af7b.exe
3020	0e15f9d8151c82ab4b82f47b7177af7b.exe
3020	0e15f9d8151c82ab4b82f47b7177af7b.exe
2476	services64.exe
2476	services64.exe
2476	services64.exe
380	services64.exe
380	services64.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	0e15f9d8151c82ab4b82f47b7177af7b.exe
Token: SeDebugPrivilege	2476	services64.exe
Token: SeDebugPrivilege	380	services64.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2220	3020	0e15f9d8151c82ab4b82f47b7177af7b.exe	29
PID 3020 wrote to memory of 2220	3020	0e15f9d8151c82ab4b82f47b7177af7b.exe	29
PID 3020 wrote to memory of 2220	3020	0e15f9d8151c82ab4b82f47b7177af7b.exe	29
PID 2220 wrote to memory of 2512	2220	cmd.exe	31
PID 2220 wrote to memory of 2512	2220	cmd.exe	31
PID 2220 wrote to memory of 2512	2220	cmd.exe	31
PID 3020 wrote to memory of 2476	3020	0e15f9d8151c82ab4b82f47b7177af7b.exe	32
PID 3020 wrote to memory of 2476	3020	0e15f9d8151c82ab4b82f47b7177af7b.exe	32
PID 3020 wrote to memory of 2476	3020	0e15f9d8151c82ab4b82f47b7177af7b.exe	32
PID 2476 wrote to memory of 2788	2476	services64.exe	33
PID 2476 wrote to memory of 2788	2476	services64.exe	33
PID 2476 wrote to memory of 2788	2476	services64.exe	33
PID 2788 wrote to memory of 2748	2788	cmd.exe	35
PID 2788 wrote to memory of 2748	2788	cmd.exe	35
PID 2788 wrote to memory of 2748	2788	cmd.exe	35
PID 2476 wrote to memory of 1812	2476	services64.exe	36
PID 2476 wrote to memory of 1812	2476	services64.exe	36
PID 2476 wrote to memory of 1812	2476	services64.exe	36
PID 1812 wrote to memory of 380	1812	sihost64.exe	39
PID 1812 wrote to memory of 380	1812	sihost64.exe	39
PID 1812 wrote to memory of 380	1812	sihost64.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0e15f9d8151c82ab4b82f47b7177af7b.exe
"C:\Users\Admin\AppData\Local\Temp\0e15f9d8151c82ab4b82f47b7177af7b.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2512
- C:\Users\Admin\AppData\Roaming\services64.exe
  "C:\Users\Admin\AppData\Roaming\services64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Modifies system certificate store
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
      4⤵
      Creates scheduled task(s)
      PID:2748
- - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Users\Admin\AppData\Roaming\services64.exe
      "C:\Users\Admin\AppData\Roaming\services64.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      NTFS ADS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Isolated Storage\{5A006500-4B00-3700-7300-340049006200}

Filesize
384B

MD5
ed40858472a31df7ec5f10c78c15fae8

SHA1
f71c1a7a27bff6a61332c88f6b12f7b7092b3cd5

SHA256
c55e2060b15aae7782a8984124d88c2494ed0ca37af19591131c70603a9d9b32

SHA512
f29e2c8e5088919350818e679c542b43159d6b687ecfc5c6708d4b65ea909bd32267db952fcd7004ae6d81a4083843c86b11ba9f2f4529efc5db75863dc8488d

Download Submit
C:\ProgramData\Isolated Storage\{6C004800-4C00-4400-3900-4E0048006500}

Filesize
944B

MD5
d5fa8ba7c719e56651288d811fa021ce

SHA1
b75815ba6184e52a1ec323b05973c312f7b0b59b

SHA256
13035b1b3fe4ba0e8bc778ddea3b20efc05a0d769deb1359d7aaa64e32eba951

SHA512
0d50e97af9889db269fa18cd7cff8b8cbf07e6c2c90b22fbb4b4fe060e2d55765a3c77967a441b88c28922289f106d79ff85e3b27bc45a3680f2ea6861381655

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe

Filesize
311KB

MD5
0e15f9d8151c82ab4b82f47b7177af7b

SHA1
e4ec0960b2b76e969f219298554fa55f09fe7cce

SHA256
8ca50265b5e333bd3c1dfd1b2cbce8d011fdbc94aafd33d73b3bca35c32651cc

SHA512
09b21ec489fb3276907572ebf9ff729853c1c07fd405f031c6a006d94785f08eef6a11e7065e5c7c9dd6cb2852939f8d473df4774f89f35dec33eb448319f5e3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
d98e2e312d89e8e7c0eabcc4218ebae1

SHA1
3e12d8fe74ceaca24981252570dfbc5cc4359273

SHA256
613e54d34f69bba549edc48177cfa7d96b5f97761acfc4211e79dfcafdd0fa9d

SHA512
fee151f8317f083ca4d8898c933e7d07f024af909da2a99ed2d385b16a4f806b9aea422117a5fd146f3850b2e79a7913cbd741442091b5a4257fbf660e235b38

Download Submit
memory/380-64-0x000000001B3B0000-0x000000001B430000-memory.dmp

Filesize
512KB

Download
memory/380-62-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

Filesize
9.9MB

Download
memory/380-61-0x0000000000960000-0x00000000009B4000-memory.dmp

Filesize
336KB

Download
memory/1812-53-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

Filesize
9.9MB

Download
memory/1812-38-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

Filesize
9.9MB

Download
memory/1812-37-0x000000013F0B0000-0x000000013F0B6000-memory.dmp

Filesize
24KB

Download
memory/2476-21-0x0000000000B10000-0x0000000000B90000-memory.dmp

Filesize
512KB

Download
memory/2476-27-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

Filesize
9.9MB

Download
memory/2476-19-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

Filesize
9.9MB

Download
memory/2476-18-0x0000000000F10000-0x0000000000F64000-memory.dmp

Filesize
336KB

Download
memory/2476-54-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-0-0x0000000001190000-0x00000000011E4000-memory.dmp

Filesize
336KB

Download
memory/3020-20-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-12-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-8-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/3020-3-0x000000001B8E0000-0x000000001B960000-memory.dmp

Filesize
512KB

Download
memory/3020-1-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads