glupteba | 455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe

Windows security bypass 2 TTPs 2 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe = "0"	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	444567.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2640	netsh.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qmHPp2lzgAnOs3oTzlbJ5HNb.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\grAPBxqpLoBcmHmzmPek6Cue.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uzSrWDYIZn1vQlITbuzRds8j.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SdAYR4bdcQ0AXOWG0g7BnWDs.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c7VMPSBpAcs1p78MbF1WfzBa.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Me3i3RGlnfvs2Bhh7ZQ6fc1J.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\r4lMLZ1yN2UMDT4LkDW7HVXB.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uWFtjCWUIaRirknP1uRXvj8K.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CAIPP2T68sEo717AnPLyH4Vo.bat	jsc.exe

Executes dropped EXE 13 IoCs

pid	Process
1956	0m27KRLmUNy3QUEuIqFauLbN.exe
1816	0m27KRLmUNy3QUEuIqFauLbN.tmp
1808	AzktQ6ILoJhSdVhk9t0VmMms.exe
2368	AzktQ6ILoJhSdVhk9t0VmMms.tmp
2316	jsdomainkeylib.exe
1320	jsdomainkeylib.exe
1072	Ul0wYJIFslHW1VShoa9TnMLM.exe
2452	BroomSetup.exe
1348	95jYssAWSnwHGcAcLuJ5NpwI.exe
888	95jYssAWSnwHGcAcLuJ5NpwI.exe
2988	UcSsMJTG6DqW6CcxWWSDt19C.exe
2600	PT6hPVHk36vQzy2ed5ndxHk3.exe
1772	444567.exe

Loads dropped DLL 25 IoCs

pid	Process
2784	jsc.exe
1956	0m27KRLmUNy3QUEuIqFauLbN.exe
1816	0m27KRLmUNy3QUEuIqFauLbN.tmp
1816	0m27KRLmUNy3QUEuIqFauLbN.tmp
2784	jsc.exe
1816	0m27KRLmUNy3QUEuIqFauLbN.tmp
1816	0m27KRLmUNy3QUEuIqFauLbN.tmp
1808	AzktQ6ILoJhSdVhk9t0VmMms.exe
2368	AzktQ6ILoJhSdVhk9t0VmMms.tmp
2368	AzktQ6ILoJhSdVhk9t0VmMms.tmp
2368	AzktQ6ILoJhSdVhk9t0VmMms.tmp
1816	0m27KRLmUNy3QUEuIqFauLbN.tmp
2784	jsc.exe
1072	Ul0wYJIFslHW1VShoa9TnMLM.exe
1072	Ul0wYJIFslHW1VShoa9TnMLM.exe
1072	Ul0wYJIFslHW1VShoa9TnMLM.exe
2784	jsc.exe
2784	jsc.exe
2784	jsc.exe
2988	UcSsMJTG6DqW6CcxWWSDt19C.exe
2784	jsc.exe
2600	PT6hPVHk36vQzy2ed5ndxHk3.exe
2600	PT6hPVHk36vQzy2ed5ndxHk3.exe
2368	AzktQ6ILoJhSdVhk9t0VmMms.tmp
2988	UcSsMJTG6DqW6CcxWWSDt19C.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a45b-831.dat	upx
behavioral1/memory/2988-921-0x0000000001180000-0x0000000001668000-memory.dmp	upx

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe = "0"	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 2784	2644	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe	30
PID 1348 set thread context of 888	1348	95jYssAWSnwHGcAcLuJ5NpwI.exe	48

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001a467-866.dat	nsis_installer_1
behavioral1/files/0x000500000001a467-866.dat	nsis_installer_2

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	AzktQ6ILoJhSdVhk9t0VmMms.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	AzktQ6ILoJhSdVhk9t0VmMms.tmp

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2692	powershell.exe
2600	PT6hPVHk36vQzy2ed5ndxHk3.exe
2600	PT6hPVHk36vQzy2ed5ndxHk3.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	jsc.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	1772	444567.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1816	0m27KRLmUNy3QUEuIqFauLbN.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2452	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2692	2644	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe	28
PID 2644 wrote to memory of 2692	2644	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe	28
PID 2644 wrote to memory of 2692	2644	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe	28
PID 2644 wrote to memory of 2692	2644	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe	28
PID 2644 wrote to memory of 2784	2644	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe	30
PID 2644 wrote to memory of 2784	2644	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe	30
PID 2644 wrote to memory of 2784	2644	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe	30
PID 2644 wrote to memory of 2784	2644	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe	30
PID 2644 wrote to memory of 2784	2644	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe	30
PID 2644 wrote to memory of 2784	2644	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe	30
PID 2644 wrote to memory of 2784	2644	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe	30
PID 2644 wrote to memory of 2784	2644	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe	30
PID 2644 wrote to memory of 2784	2644	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe	30
PID 2784 wrote to memory of 1956	2784	jsc.exe	33
PID 2784 wrote to memory of 1956	2784	jsc.exe	33
PID 2784 wrote to memory of 1956	2784	jsc.exe	33
PID 2784 wrote to memory of 1956	2784	jsc.exe	33
PID 2784 wrote to memory of 1956	2784	jsc.exe	33
PID 2784 wrote to memory of 1956	2784	jsc.exe	33
PID 2784 wrote to memory of 1956	2784	jsc.exe	33
PID 1956 wrote to memory of 1816	1956	0m27KRLmUNy3QUEuIqFauLbN.exe	34
PID 1956 wrote to memory of 1816	1956	0m27KRLmUNy3QUEuIqFauLbN.exe	34
PID 1956 wrote to memory of 1816	1956	0m27KRLmUNy3QUEuIqFauLbN.exe	34
PID 1956 wrote to memory of 1816	1956	0m27KRLmUNy3QUEuIqFauLbN.exe	34
PID 1956 wrote to memory of 1816	1956	0m27KRLmUNy3QUEuIqFauLbN.exe	34
PID 1956 wrote to memory of 1816	1956	0m27KRLmUNy3QUEuIqFauLbN.exe	34
PID 1956 wrote to memory of 1816	1956	0m27KRLmUNy3QUEuIqFauLbN.exe	34
PID 2784 wrote to memory of 1808	2784	jsc.exe	35
PID 2784 wrote to memory of 1808	2784	jsc.exe	35
PID 2784 wrote to memory of 1808	2784	jsc.exe	35
PID 2784 wrote to memory of 1808	2784	jsc.exe	35
PID 2784 wrote to memory of 1808	2784	jsc.exe	35
PID 2784 wrote to memory of 1808	2784	jsc.exe	35
PID 2784 wrote to memory of 1808	2784	jsc.exe	35
PID 1808 wrote to memory of 2368	1808	AzktQ6ILoJhSdVhk9t0VmMms.exe	36
PID 1808 wrote to memory of 2368	1808	AzktQ6ILoJhSdVhk9t0VmMms.exe	36
PID 1808 wrote to memory of 2368	1808	AzktQ6ILoJhSdVhk9t0VmMms.exe	36
PID 1808 wrote to memory of 2368	1808	AzktQ6ILoJhSdVhk9t0VmMms.exe	36
PID 1808 wrote to memory of 2368	1808	AzktQ6ILoJhSdVhk9t0VmMms.exe	36
PID 1808 wrote to memory of 2368	1808	AzktQ6ILoJhSdVhk9t0VmMms.exe	36
PID 1808 wrote to memory of 2368	1808	AzktQ6ILoJhSdVhk9t0VmMms.exe	36
PID 1816 wrote to memory of 2260	1816	0m27KRLmUNy3QUEuIqFauLbN.tmp	38
PID 1816 wrote to memory of 2260	1816	0m27KRLmUNy3QUEuIqFauLbN.tmp	38
PID 1816 wrote to memory of 2260	1816	0m27KRLmUNy3QUEuIqFauLbN.tmp	38
PID 1816 wrote to memory of 2260	1816	0m27KRLmUNy3QUEuIqFauLbN.tmp	38
PID 1816 wrote to memory of 2316	1816	0m27KRLmUNy3QUEuIqFauLbN.tmp	40
PID 1816 wrote to memory of 2316	1816	0m27KRLmUNy3QUEuIqFauLbN.tmp	40
PID 1816 wrote to memory of 2316	1816	0m27KRLmUNy3QUEuIqFauLbN.tmp	40
PID 1816 wrote to memory of 2316	1816	0m27KRLmUNy3QUEuIqFauLbN.tmp	40
PID 2260 wrote to memory of 1948	2260	net.exe	41
PID 2260 wrote to memory of 1948	2260	net.exe	41
PID 2260 wrote to memory of 1948	2260	net.exe	41
PID 2260 wrote to memory of 1948	2260	net.exe	41
PID 1816 wrote to memory of 1320	1816	0m27KRLmUNy3QUEuIqFauLbN.tmp	43
PID 1816 wrote to memory of 1320	1816	0m27KRLmUNy3QUEuIqFauLbN.tmp	43
PID 1816 wrote to memory of 1320	1816	0m27KRLmUNy3QUEuIqFauLbN.tmp	43
PID 1816 wrote to memory of 1320	1816	0m27KRLmUNy3QUEuIqFauLbN.tmp	43
PID 2784 wrote to memory of 1072	2784	jsc.exe	44
PID 2784 wrote to memory of 1072	2784	jsc.exe	44
PID 2784 wrote to memory of 1072	2784	jsc.exe	44
PID 2784 wrote to memory of 1072	2784	jsc.exe	44
PID 1072 wrote to memory of 2452	1072	Ul0wYJIFslHW1VShoa9TnMLM.exe	45
PID 1072 wrote to memory of 2452	1072	Ul0wYJIFslHW1VShoa9TnMLM.exe	45
PID 1072 wrote to memory of 2452	1072	Ul0wYJIFslHW1VShoa9TnMLM.exe	45

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe

C:\Users\Admin\AppData\Local\Temp\455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe
"C:\Users\Admin\AppData\Local\Temp\455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2644
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\455a6a7f15ba86a0fe02ae1d8beff7a3dc8e858380244a45141054b0d330135c.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\Pictures\0m27KRLmUNy3QUEuIqFauLbN.exe
    "C:\Users\Admin\Pictures\0m27KRLmUNy3QUEuIqFauLbN.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\is-H4JBL.tmp\0m27KRLmUNy3QUEuIqFauLbN.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-H4JBL.tmp\0m27KRLmUNy3QUEuIqFauLbN.tmp" /SL5="$B0158,4774704,351744,C:\Users\Admin\Pictures\0m27KRLmUNy3QUEuIqFauLbN.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 173
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 173
        6⤵
        
        PID:1948
    - - C:\Users\Admin\AppData\Local\JS DomainKey lib\jsdomainkeylib.exe
        
        "C:\Users\Admin\AppData\Local\JS DomainKey lib\jsdomainkeylib.exe" -i
        5⤵
        Executes dropped EXE
        
        PID:2316
    - - C:\Users\Admin\AppData\Local\JS DomainKey lib\jsdomainkeylib.exe
        
        "C:\Users\Admin\AppData\Local\JS DomainKey lib\jsdomainkeylib.exe" -s
        5⤵
        Executes dropped EXE
        
        PID:1320
- - C:\Users\Admin\Pictures\AzktQ6ILoJhSdVhk9t0VmMms.exe
    "C:\Users\Admin\Pictures\AzktQ6ILoJhSdVhk9t0VmMms.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\is-25LG6.tmp\AzktQ6ILoJhSdVhk9t0VmMms.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-25LG6.tmp\AzktQ6ILoJhSdVhk9t0VmMms.tmp" /SL5="$4015A,140559,56832,C:\Users\Admin\Pictures\AzktQ6ILoJhSdVhk9t0VmMms.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      PID:2368
    - - C:\Users\Admin\AppData\Local\Temp\is-T6TV0.tmp\444567.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-T6TV0.tmp\444567.exe" /S /UID=lylal220
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
      - C:\Users\Admin\AppData\Local\Temp\58-3fde2-0ee-bbbbc-bcb22d00bc987\Xemefybisho.exe
        
        "C:\Users\Admin\AppData\Local\Temp\58-3fde2-0ee-bbbbc-bcb22d00bc987\Xemefybisho.exe"
        6⤵
        
        PID:2960
- - C:\Users\Admin\Pictures\Ul0wYJIFslHW1VShoa9TnMLM.exe
    "C:\Users\Admin\Pictures\Ul0wYJIFslHW1VShoa9TnMLM.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\nszEE.tmp
      C:\Users\Admin\AppData\Local\Temp\nszEE.tmp
      4⤵
      PID:2532
- - C:\Users\Admin\Pictures\95jYssAWSnwHGcAcLuJ5NpwI.exe
    "C:\Users\Admin\Pictures\95jYssAWSnwHGcAcLuJ5NpwI.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1348
  - - C:\Users\Admin\Pictures\95jYssAWSnwHGcAcLuJ5NpwI.exe
      "C:\Users\Admin\Pictures\95jYssAWSnwHGcAcLuJ5NpwI.exe"
      4⤵
      Executes dropped EXE
      PID:888
    - - C:\Users\Admin\Pictures\95jYssAWSnwHGcAcLuJ5NpwI.exe
        
        "C:\Users\Admin\Pictures\95jYssAWSnwHGcAcLuJ5NpwI.exe"
        5⤵
        
        PID:2116
      - C:\Users\Admin\Pictures\95jYssAWSnwHGcAcLuJ5NpwI.exe
        
        "C:\Users\Admin\Pictures\95jYssAWSnwHGcAcLuJ5NpwI.exe"
        6⤵
        
        PID:2796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:2236
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:2640
- - C:\Users\Admin\Pictures\UcSsMJTG6DqW6CcxWWSDt19C.exe
    "C:\Users\Admin\Pictures\UcSsMJTG6DqW6CcxWWSDt19C.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2988
- - C:\Users\Admin\Pictures\PT6hPVHk36vQzy2ed5ndxHk3.exe
    "C:\Users\Admin\Pictures\PT6hPVHk36vQzy2ed5ndxHk3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2600

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240107200421.log C:\Windows\Logs\CBS\CbsPersist_20240107200421.cab
1⤵
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry