Analysis
-
max time kernel
95s -
max time network
89s -
platform
windows10-1703_x64 -
resource
win10-20231215-en -
resource tags
arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system -
submitted
18-01-2024 20:03
Static task
static1
Behavioral task
behavioral1
Sample
testing.exe
Resource
win10-20231215-en
General
-
Target
testing.exe
-
Size
2.7MB
-
MD5
7bc2995d24a569dc7d65a2b92ca894bb
-
SHA1
76e210f61f66f055592139336985a7d00bc484d2
-
SHA256
e48229eccce19f5b00299a9d70d9a8afa4cb6abdc4e46dcb62e95843f5e1274d
-
SHA512
862f03bea1cbeb0a7646ef0ff13c916a74833628894d517bd0f2ad093a84c2aa0819fc542d8229b88db2c9635de34001aa09b31047c9684b74188429f00ec445
-
SSDEEP
49152:yw4Gb/hZZxF9qQ1JaXKOVAWJpB4YWtA4Pofg40xPfVV8WW4V2mya/hm:y2Vlv1JaXJXpB4YWv7X3Va0QYhm
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 1 IoCs
pid Process 4268 pcwfqbzkkage.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\MRT.exe testing.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4536 set thread context of 4120 4536 testing.exe 90 -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\rescache\_merged\1601268389\3877292338.pri taskmgr.exe File created C:\Windows\rescache\_merged\4183903823\810424605.pri taskmgr.exe -
Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4528 sc.exe 5024 sc.exe 3988 sc.exe 3168 sc.exe 8 sc.exe 2328 sc.exe 3444 sc.exe 2396 sc.exe 5020 sc.exe -
Checks SCSI registry key(s) 3 TTPs 11 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Modifies data under HKEY_USERS 63 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1705608293" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 18 Jan 2024 20:04:55 GMT" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={56BB4E4E-45D9-4766-882D-D90FC75D6A69}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4536 testing.exe 1668 powershell.exe 4376 taskmgr.exe 4376 taskmgr.exe 1668 powershell.exe 1668 powershell.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4536 testing.exe 4536 testing.exe 4536 testing.exe 4536 testing.exe 4536 testing.exe 4536 testing.exe 4376 taskmgr.exe 4536 testing.exe 4536 testing.exe 4536 testing.exe 4536 testing.exe 4536 testing.exe 4536 testing.exe 4120 dialer.exe 4120 dialer.exe 4536 testing.exe 4536 testing.exe 4536 testing.exe 4120 dialer.exe 4120 dialer.exe 4268 pcwfqbzkkage.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 3432 powershell.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 3432 powershell.exe 4376 taskmgr.exe 4376 taskmgr.exe 4120 dialer.exe -
Suspicious use of AdjustPrivilegeToken 60 IoCs
description pid Process Token: SeDebugPrivilege 4376 taskmgr.exe Token: SeSystemProfilePrivilege 4376 taskmgr.exe Token: SeCreateGlobalPrivilege 4376 taskmgr.exe Token: SeDebugPrivilege 1668 powershell.exe Token: SeIncreaseQuotaPrivilege 1668 powershell.exe Token: SeSecurityPrivilege 1668 powershell.exe Token: SeTakeOwnershipPrivilege 1668 powershell.exe Token: SeLoadDriverPrivilege 1668 powershell.exe Token: SeSystemProfilePrivilege 1668 powershell.exe Token: SeSystemtimePrivilege 1668 powershell.exe Token: SeProfSingleProcessPrivilege 1668 powershell.exe Token: SeIncBasePriorityPrivilege 1668 powershell.exe Token: SeCreatePagefilePrivilege 1668 powershell.exe Token: SeBackupPrivilege 1668 powershell.exe Token: SeRestorePrivilege 1668 powershell.exe Token: SeShutdownPrivilege 1668 powershell.exe Token: SeDebugPrivilege 1668 powershell.exe Token: SeSystemEnvironmentPrivilege 1668 powershell.exe Token: SeRemoteShutdownPrivilege 1668 powershell.exe Token: SeUndockPrivilege 1668 powershell.exe Token: SeManageVolumePrivilege 1668 powershell.exe Token: 33 1668 powershell.exe Token: 34 1668 powershell.exe Token: 35 1668 powershell.exe Token: 36 1668 powershell.exe Token: SeShutdownPrivilege 4440 powercfg.exe Token: SeCreatePagefilePrivilege 4440 powercfg.exe Token: SeShutdownPrivilege 4700 powercfg.exe Token: SeCreatePagefilePrivilege 4700 powercfg.exe Token: SeShutdownPrivilege 2512 powercfg.exe Token: SeCreatePagefilePrivilege 2512 powercfg.exe Token: SeDebugPrivilege 4536 testing.exe Token: SeShutdownPrivilege 4448 powercfg.exe Token: SeCreatePagefilePrivilege 4448 powercfg.exe Token: SeDebugPrivilege 4120 dialer.exe Token: SeDebugPrivilege 3432 powershell.exe Token: SeCreateGlobalPrivilege 96 dwm.exe Token: SeChangeNotifyPrivilege 96 dwm.exe Token: 33 96 dwm.exe Token: SeIncBasePriorityPrivilege 96 dwm.exe Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeAssignPrimaryTokenPrivilege 3432 powershell.exe Token: SeIncreaseQuotaPrivilege 3432 powershell.exe Token: SeSecurityPrivilege 3432 powershell.exe Token: SeTakeOwnershipPrivilege 3432 powershell.exe Token: SeLoadDriverPrivilege 3432 powershell.exe Token: SeSystemtimePrivilege 3432 powershell.exe Token: SeBackupPrivilege 3432 powershell.exe Token: SeRestorePrivilege 3432 powershell.exe Token: SeShutdownPrivilege 3432 powershell.exe Token: SeSystemEnvironmentPrivilege 3432 powershell.exe Token: SeUndockPrivilege 3432 powershell.exe Token: SeManageVolumePrivilege 3432 powershell.exe Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4152 wrote to memory of 4520 4152 cmd.exe 83 PID 4152 wrote to memory of 4520 4152 cmd.exe 83 PID 4536 wrote to memory of 4120 4536 testing.exe 90 PID 4536 wrote to memory of 4120 4536 testing.exe 90 PID 4536 wrote to memory of 4120 4536 testing.exe 90 PID 4536 wrote to memory of 4120 4536 testing.exe 90 PID 4536 wrote to memory of 4120 4536 testing.exe 90 PID 4536 wrote to memory of 4120 4536 testing.exe 90 PID 4536 wrote to memory of 4120 4536 testing.exe 90 PID 4120 wrote to memory of 612 4120 dialer.exe 3 PID 4120 wrote to memory of 664 4120 dialer.exe 1 PID 664 wrote to memory of 2968 664 lsass.exe 35 PID 4120 wrote to memory of 744 4120 dialer.exe 8 PID 664 wrote to memory of 2968 664 lsass.exe 35 PID 4120 wrote to memory of 928 4120 dialer.exe 67 PID 4120 wrote to memory of 1020 4120 dialer.exe 9 PID 4120 wrote to memory of 376 4120 dialer.exe 66 PID 4120 wrote to memory of 388 4120 dialer.exe 65 PID 664 wrote to memory of 2968 664 lsass.exe 35 PID 4120 wrote to memory of 416 4120 dialer.exe 64 PID 4120 wrote to memory of 1036 4120 dialer.exe 63 PID 4120 wrote to memory of 1116 4120 dialer.exe 61 PID 4120 wrote to memory of 1160 4120 dialer.exe 60 PID 4120 wrote to memory of 1176 4120 dialer.exe 10 PID 664 wrote to memory of 2968 664 lsass.exe 35 PID 4120 wrote to memory of 1292 4120 dialer.exe 59 PID 4120 wrote to memory of 1312 4120 dialer.exe 58 PID 4120 wrote to memory of 1332 4120 dialer.exe 57 PID 4120 wrote to memory of 1376 4120 dialer.exe 56 PID 4120 wrote to memory of 1492 4120 dialer.exe 55 PID 4120 wrote to memory of 1520 4120 dialer.exe 54 PID 4120 wrote to memory of 1528 4120 dialer.exe 11 PID 4120 wrote to memory of 1612 4120 dialer.exe 53 PID 4120 wrote to memory of 1620 4120 dialer.exe 52 PID 4120 wrote to memory of 1712 4120 dialer.exe 51 PID 4120 wrote to memory of 1748 4120 dialer.exe 50 PID 4120 wrote to memory of 1772 4120 dialer.exe 49 PID 4120 wrote to memory of 1784 4120 dialer.exe 12 PID 4120 wrote to memory of 1828 4120 dialer.exe 48 PID 4120 wrote to memory of 1888 4120 dialer.exe 47 PID 612 wrote to memory of 96 612 winlogon.exe 112 PID 612 wrote to memory of 96 612 winlogon.exe 112 PID 4120 wrote to memory of 96 4120 dialer.exe 112 PID 664 wrote to memory of 2968 664 lsass.exe 35 PID 4120 wrote to memory of 1992 4120 dialer.exe 46 PID 4120 wrote to memory of 2064 4120 dialer.exe 45 PID 4120 wrote to memory of 2116 4120 dialer.exe 44 PID 4120 wrote to memory of 2268 4120 dialer.exe 13 PID 4120 wrote to memory of 2532 4120 dialer.exe 43 PID 664 wrote to memory of 2968 664 lsass.exe 35 PID 4120 wrote to memory of 2540 4120 dialer.exe 42 PID 4120 wrote to memory of 2632 4120 dialer.exe 41 PID 4120 wrote to memory of 2644 4120 dialer.exe 40 PID 4120 wrote to memory of 2692 4120 dialer.exe 39 PID 4120 wrote to memory of 2820 4120 dialer.exe 38 PID 4120 wrote to memory of 2852 4120 dialer.exe 14 PID 4120 wrote to memory of 2900 4120 dialer.exe 37 PID 4120 wrote to memory of 2916 4120 dialer.exe 36 PID 4120 wrote to memory of 2968 4120 dialer.exe 35 PID 4120 wrote to memory of 2976 4120 dialer.exe 34 PID 4120 wrote to memory of 2992 4120 dialer.exe 33 PID 4120 wrote to memory of 3136 4120 dialer.exe 32 PID 4120 wrote to memory of 3240 4120 dialer.exe 31 PID 4120 wrote to memory of 4040 4120 dialer.exe 29
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
PID:664
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
- Suspicious use of WriteProcessMemory
PID:612 -
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:1020
-
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:96
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵PID:744
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵PID:1176
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵PID:1528
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:1784
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵PID:2268
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵PID:2852
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵PID:3572
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵PID:4944
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵PID:688
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 688 -s 9082⤵PID:1172
-
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵PID:3584
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3004
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵PID:2484
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:760
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵PID:4572
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:396
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 396 -s 8922⤵PID:544
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4040
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3240 -
C:\Users\Admin\AppData\Local\Temp\testing.exe"C:\Users\Admin\AppData\Local\Temp\testing.exe"2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵PID:4520
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
PID:2328
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:3444
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
PID:2396
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
PID:4528
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
PID:5024
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4120
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "UDIYNDRV"3⤵
- Launches sc.exe
PID:3988
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:4448
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2512
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:4700
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:4440
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "UDIYNDRV" binpath= "C:\ProgramData\usjsffdilasf\pcwfqbzkkage.exe" start= "auto"3⤵
- Launches sc.exe
PID:5020
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "UDIYNDRV"3⤵
- Launches sc.exe
PID:3168
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:8
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4376
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3136
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵PID:2992
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵PID:2976
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2968
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵PID:2916
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵PID:2900
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵PID:2820
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵PID:2692
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2644
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵PID:2632
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵PID:2540
-
c:\windows\system32\sihost.exesihost.exe1⤵PID:2532
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵PID:2116
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵PID:2064
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1992
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵PID:1888
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵PID:1828
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:1772
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵PID:1748
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:1712
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵PID:1620
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵PID:1612
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵PID:1520
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1492
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵PID:1376
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵PID:1332
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵PID:1312
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵PID:1292
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵PID:1160
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵PID:1116
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵PID:1036
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵PID:416
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵PID:388
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵PID:376
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵PID:928
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:2928
-
C:\ProgramData\usjsffdilasf\pcwfqbzkkage.exeC:\ProgramData\usjsffdilasf\pcwfqbzkkage.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4268 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3432 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3360
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵PID:1920
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
33KB
MD543be54d53a5311d8cdcee0a28e2a711d
SHA1a69362536fd2aa2e1d5f0cbcfc8248f879c06483
SHA2565357ae99fcfe3cb23444048a7a804d39dc46f1091a4675209ec6bc470180f987
SHA512fb182b124439586f3e2401078ef0ecc3c1ff4d50408bfca0011b5812fcb153c2996054f7293169cdd2513eedd71cb49cd7b3bfd06c53541285001f68c05ec86a
-
Filesize
12KB
MD56789bd657e47c3fd025897add0da967f
SHA1f516b2b441b24927d2ea936c3ff0ef8546f2f9eb
SHA25687d59244e1c42f24f5f17e109f3d6aa44507a95752b75b0fe4d2fdb3a67a4e1f
SHA512f755c33567c75edda4dd1097b72045a4801da199fb4a84a77807802e14296068aac84eef74ff85bf9d95aab3aa4a75c672209bb120728a8ac354abf926974e95
-
Filesize
2.7MB
MD5f3774de7e5a8aa2572d5ba7d3452cc25
SHA1b7b20ae9b60eb6b91c5c3dc260e68676767e165c
SHA256d6af59b93296f00418fece33e5a3a4c7f6cc818b68bb95dd8ee289729116d910
SHA512412c94f11d48b59dc7487c7c1b79c7a0dc171bddcb948a5a19c5380b0baa1cffd5f2e44ed458ebe7b7546976e57185fa0ac753efd45f370c89db4f94e4b98552
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a