e572569653d31ab37b87bcc7f053f224f1edace0f19f42a3bcf61a5b1d7e3bde

Analysis

max time kernel
143s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
20/02/2024, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WindowsDefenderATPLocalOnboardingScript.cmd
Size

17KB
MD5

6018e4fe6f774c5c8931bac3cafc09c9
SHA1

c062ed612eda6f5f00fd79b50dfc8758eaef60d8
SHA256

e572569653d31ab37b87bcc7f053f224f1edace0f19f42a3bcf61a5b1d7e3bde
SHA512

ab8cb1be3da2bf30990fb91a39a167479c358754979d4463872e84e58ba9e53103646458b5b0ec6214364c827c76397bc42a4f82a82f43737c6d60f8b5cf4ab3
SSDEEP

384:UQ7rqhqD0tLekASPSAHJvDZdkaKgHQmAwAZkrfhmOHu:UQ7rV0tLNrvVdkNwUkjhmOO

Score

4^/10

Malware Config

Signatures

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1064	sc.exe
1428	sc.exe
3284	sc.exe
4548	sc.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
2600	timeout.exe
668	timeout.exe
3184	timeout.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1944	reg.exe
2892	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4868	powershell.exe
4868	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4868	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4368	4740	cmd.exe	77
PID 4740 wrote to memory of 4368	4740	cmd.exe	77
PID 4740 wrote to memory of 1948	4740	cmd.exe	78
PID 4740 wrote to memory of 1948	4740	cmd.exe	78
PID 1948 wrote to memory of 1172	1948	net.exe	79
PID 1948 wrote to memory of 1172	1948	net.exe	79
PID 4740 wrote to memory of 2892	4740	cmd.exe	80
PID 4740 wrote to memory of 2892	4740	cmd.exe	80
PID 4740 wrote to memory of 1944	4740	cmd.exe	81
PID 4740 wrote to memory of 1944	4740	cmd.exe	81
PID 4740 wrote to memory of 3084	4740	cmd.exe	82
PID 4740 wrote to memory of 3084	4740	cmd.exe	82
PID 4740 wrote to memory of 4868	4740	cmd.exe	83
PID 4740 wrote to memory of 4868	4740	cmd.exe	83
PID 4868 wrote to memory of 1932	4868	powershell.exe	84
PID 4868 wrote to memory of 1932	4868	powershell.exe	84
PID 1932 wrote to memory of 2684	1932	csc.exe	85
PID 1932 wrote to memory of 2684	1932	csc.exe	85
PID 4740 wrote to memory of 1884	4740	cmd.exe	86
PID 4740 wrote to memory of 1884	4740	cmd.exe	86
PID 4740 wrote to memory of 3632	4740	cmd.exe	87
PID 4740 wrote to memory of 3632	4740	cmd.exe	87
PID 4740 wrote to memory of 4548	4740	cmd.exe	88
PID 4740 wrote to memory of 4548	4740	cmd.exe	88
PID 4740 wrote to memory of 4196	4740	cmd.exe	89
PID 4740 wrote to memory of 4196	4740	cmd.exe	89
PID 4740 wrote to memory of 332	4740	cmd.exe	90
PID 4740 wrote to memory of 332	4740	cmd.exe	90
PID 332 wrote to memory of 3576	332	net.exe	91
PID 332 wrote to memory of 3576	332	net.exe	91
PID 4740 wrote to memory of 1064	4740	cmd.exe	93
PID 4740 wrote to memory of 1064	4740	cmd.exe	93
PID 4740 wrote to memory of 1016	4740	cmd.exe	92
PID 4740 wrote to memory of 1016	4740	cmd.exe	92
PID 4740 wrote to memory of 2600	4740	cmd.exe	94
PID 4740 wrote to memory of 2600	4740	cmd.exe	94
PID 4740 wrote to memory of 1428	4740	cmd.exe	95
PID 4740 wrote to memory of 1428	4740	cmd.exe	95
PID 4740 wrote to memory of 2664	4740	cmd.exe	96
PID 4740 wrote to memory of 2664	4740	cmd.exe	96
PID 4740 wrote to memory of 668	4740	cmd.exe	97
PID 4740 wrote to memory of 668	4740	cmd.exe	97
PID 4740 wrote to memory of 3284	4740	cmd.exe	98
PID 4740 wrote to memory of 3284	4740	cmd.exe	98
PID 4740 wrote to memory of 3776	4740	cmd.exe	99
PID 4740 wrote to memory of 3776	4740	cmd.exe	99
PID 4740 wrote to memory of 3184	4740	cmd.exe	100
PID 4740 wrote to memory of 3184	4740	cmd.exe	100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WindowsDefenderATPLocalOnboardingScript.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\System32\reg.exe
  C:\Windows\System32\reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v latency /t REG_SZ /f /d "Demo"
  2⤵
  PID:4368
- C:\Windows\System32\net.exe
  C:\Windows\System32\net.exe session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1172
- C:\Windows\System32\reg.exe
  C:\Windows\System32\reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security /v 14f8138e-3b61-580b-544b-2609378ae460 /t REG_BINARY /d 0100048044000000540000000000000014000000020030000200000000001400FF0F120001010000000000051200000000001400E104120001010000000000050B0000000102000000000005200000002002000001020000000000052000000020020000 /f
  2⤵
  - Modifies registry key
  PID:2892
- C:\Windows\System32\reg.exe
  C:\Windows\System32\reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security /v cb2ff72d-d4e4-585d-33f9-f3a395c40be7 /t REG_BINARY /d 0100048044000000540000000000000014000000020030000200000000001400FF0F120001010000000000051200000000001400E104120001010000000000050B0000000102000000000005200000002002000001020000000000052000000020020000 /f
  2⤵
  - Modifies registry key
  PID:1944
- C:\Windows\System32\reg.exe
  C:\Windows\System32\reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DisableEnterpriseAuthProxy /t REG_DWORD /f /d 1
  2⤵
  PID:3084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "Add-Type ' using System; using System.IO; using System.Runtime.InteropServices; using Microsoft.Win32.SafeHandles; using System.ComponentModel; public static class Elam{ [DllImport(\"Kernel32\", CharSet=CharSet.Auto, SetLastError=true)] public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle); public static void InstallWdBoot(string path) { Console.Out.WriteLine(\"About to call create file on {0}\", path); var stream = File.Open(path, FileMode.Open, FileAccess.Read, FileShare.Read); var handle = stream.SafeFileHandle; Console.Out.WriteLine(\"About to call InstallELAMCertificateInfo on handle {0}\", handle.DangerousGetHandle()); if (!InstallELAMCertificateInfo(handle)) { Console.Out.WriteLine(\"Call failed.\"); throw new Win32Exception(Marshal.GetLastWin32Error()); } Console.Out.WriteLine(\"Call successful.\"); } } '; $driverPath = $env:SystemRoot + '\System32\Drivers\WdBoot.sys'; [Elam]::InstallWdBoot($driverPath) "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wihw0epj\wihw0epj.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44B5.tmp" "c:\Users\Admin\AppData\Local\Temp\wihw0epj\CSC14D3008A2AEA4CB9B081AD17A243C9A.TMP"
      4⤵
      PID:2684
- C:\Windows\System32\reg.exe
  C:\Windows\System32\reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v 696C1FA1-4030-4FA4-8713-FAF9B2EA7C0A /reg:64
  2⤵
  PID:1884
- C:\Windows\System32\reg.exe
  C:\Windows\System32\reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v OnboardingInfo /t REG_SZ /f /d "{\"body\":\"{\\\"previousOrgIds\\\":[],\\\"orgId\\\":\\\"04413161-c53a-488f-93da-55d6785617f3\\\",\\\"geoLocationUrl\\\":\\\"https://winatp-gw-neu.microsoft.com/\\\",\\\"datacenter\\\":\\\"NorthEurope\\\",\\\"vortexGeoLocation\\\":\\\"EU\\\",\\\"version\\\":\\\"1.65\\\"}\",\"sig\":\"myjZ6BwY7hamELnV5JcTeLD95UmmrFTHrQTAmnlm09haB0JxQlO423f1ormQh07t/MR+xw6BNnVi5A30iSd/+AM8huoJC9LDGq+gzYEERrPBI/MROYEL4Grk6D3INflFeU4rrB3e2u0TS7nvcMI/RVHzQVlp4DBupdK/W/gQ7eSaSObL9ctjVuPHQzIHx7a3oFSja9Ghnn5TZ+BO/4VnaLFhg+BWiBFzz+PRSYBp+5fElbToYhWG9C4CWGJ4VWtzPE8AKnvv5NCz+RFlyJKu6Gp4j1r5Y2jlhF8PhGwcqyfuOp1EeEUvn/hgFhbOQCAT4y3faCQxUlZKtzQC/WZwsw==\",\"sha256sig\":\"myjZ6BwY7hamELnV5JcTeLD95UmmrFTHrQTAmnlm09haB0JxQlO423f1ormQh07t/MR+xw6BNnVi5A30iSd/+AM8huoJC9LDGq+gzYEERrPBI/MROYEL4Grk6D3INflFeU4rrB3e2u0TS7nvcMI/RVHzQVlp4DBupdK/W/gQ7eSaSObL9ctjVuPHQzIHx7a3oFSja9Ghnn5TZ+BO/4VnaLFhg+BWiBFzz+PRSYBp+5fElbToYhWG9C4CWGJ4VWtzPE8AKnvv5NCz+RFlyJKu6Gp4j1r5Y2jlhF8PhGwcqyfuOp1EeEUvn/hgFhbOQCAT4y3faCQxUlZKtzQC/WZwsw==\",\"sha256sigPss\":\"qtrmvwNE0ezzoNf/gAB1vc1z9KqeYTWNaO1pO4U4K9VGCdweboAKWvnV6YMGjCSCiBTY2q+5ltvt7JnyjhlRyD6BapJhGQVHgRrXkRpSnp+Wy2dYkB3vS1Hdp+QoqH9y+wTb06JDxpShB8dod29tRvULds3z5Fmp9abYv1C/KGvfm+vm/iFG5D8SrRIno9wJxdjBHt+55UMBupgTezNWL0dZnv2+sOXT7VFHFrh1KqMVMBULOmizqIljbzMZFI5sIK8FHZ+3qhUNonMUWHavdLC7TtmEunzIE0mo9PVsEhGHmSergujCGeA+cIZ7RluoIiUb7JODpzmv/xB6xtz/Bw==\",\"cert\":\"MIIFgzCCA2ugAwIBAgITMwAAAnC9JQaUXdnbOQAAAAACcDANBgkqhkiG9w0BAQsFADB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQgU2VjdXJlIFNlcnZlciBDQSAyMDExMB4XDTIzMTExNjE5NTQzN1oXDTI0MTExNjE5NTQzN1owHjEcMBoGA1UEAxMTU2V2aWxsZS5XaW5kb3dzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANQZfNcFafxSdB/egdAdSgOht1aMfHgOvgVP6y60sdFt6XThN2urPV/Je+N3Fdx7tnUU3brt7FeUBJVLSRFjUh/mrno9R45NGO6Se92rdIpgG9U7GGl8vlsRF94qMW3oBzSBDoN7Fa/8MKw4A+grADuTorfGh9bDxcpk6p8sv0DUigIomBrB77WrkqcRDrBhX5HXZCRNFP9c7xgGKOLBTaTDa2UOl3y0P1a19NtcBbgj54MxaHbYHo/O946FuE8smCNSjLf/lbgcccS4D8rQ8o1rfQ/M+LNghADzZFYmdcdRYXwjwKdA9jJXJ2SQiecD0JwR3ts6NYVCf9welyF0MfECAwEAAaOCAVgwggFUMA4GA1UdDwEB/wQEAwIFIDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAeBgNVHREEFzAVghNTZXZpbGxlLldpbmRvd3MuY29tMB0GA1UdDgQWBBRpiFs3F5ZHklNMEctgTfo+RyXrqjAfBgNVHSMEGDAWgBQ2VollSctbmy88rEIWUE2RuTPXkTBTBgNVHR8ETDBKMEigRqBEhkJodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNTZWNTZXJDQTIwMTFfMjAxMS0xMC0xOC5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY1NlY1NlckNBMjAxMV8yMDExLTEwLTE4LmNydDANBgkqhkiG9w0BAQsFAAOCAgEAxsbr9TCEIMqQLIQv2PAo+qe6L2WIQCWZ7hDOqKvC9weJ7DVWlEiTonsg7lrRxcUe3PAoeIVzpWts2ZRw5bsDEdZ1VN7u6IZuEpB9J+RGXGhHSL/Hzb8HWcjATM7QnWCNGXJyOj0nwIh18DHNNlQaCd9Q5RVZBELld8XbVbtRu2olBEn6Ex09iuFGuaXc0cwp7v2RHvypihxi099HaR2bn7Nef4ZHPVmxnlUEK6gdUSY2MSGUxyMEJevDiPY7y4nSZIlnsPicFg96WfWhPmyHIaflKgT2bwEy6pgSXCqgGc3OxEVeQTaYo+CXeAYfthrv6v5dOUS/xPaQ1zxDvEZT5k9HBO+52FkOWqhv6qlZu0yQmo0ea4h9iQ8em9H+/LlCRnGKnJiQPSxwlx8P5slhEMxtGrQzZf2ejeYzv3v5EuKW2RyX4mTToVxkHKqXsYtu+ETDccBho4KEWvZ6771fDp0f97S+64NMQR2/wL+FGKLyXlSpRADe1IRBWVB9TnmVt1siex/BT6vw2BvdfksztGF3JDa7c7PtvurWAEiMDa7AqpDowoWAwYX2WJLcoA5IPzTtDTdm1RLIM0TAumFR/l30QtY6RV0XuqfC0eV6deYsKwadugJqQpzxdxvgJExho7OZyG1OrZjJQPtIxNraK7Sukl2zJIKCoHk17RhChg0=\",\"chain\":[\"MIIG2DCCBMCgAwIBAgIKYT+3GAAAAAAABDANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTExMDE4MjI1NTE5WhcNMjYxMDE4MjMwNTE5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQgU2VjdXJlIFNlcnZlciBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0AvApKgZgeI25eKq5fOyFVh1vrTlSfHghPm7DWTvhcGBVbjz5/FtQFU9zotq0YST9XV8W6TUdBDKMvMj067uz54EWMLZR8vRfABBSHEbAWcXGK/G/nMDfuTvQ5zvAXEqH4EmQ3eYVFdznVUr8J6OfQYOrBtU8yb3+CMIIoueBh03OP1y0srlY8GaWn2ybbNSqW7prrX8izb5nvr2HFgbl1alEeW3Utu76fBUv7T/LGy4XSbOoArX35Ptf92s8SxzGtkZN1W63SJ4jqHUmwn4ByIxcbCUruCw5yZEV5CBlxXOYexl4kvxhVIWMvi1eKp+zU3sgyGkqJu+mmoE4KMczVYYbP1rL0I+4jfycqvQeHNye97sAFjlITCjCDqZ75/D93oWlmW1w4Gv9DlwSa/2qfZqADj5tAgZ4Bo1pVZ2Il9q8mmuPq1YRk24VPaJQUQecrG8EidT0sH/ss1QmB619Lu2woI52awb8jsnhGqwxiYL1zoQ57PbfNNWrFNMC/o7MTd02Fkr+QB5GQZ7/RwdQtRBDS8FDtVrSSP/z834eoLP2jwt3+jYEgQYuh6Id7iYHxAHu8gFfgsJv2vd405bsPnHhKY7ykyfW2Ip98eiqJWIcCzlwT88UiNPQJrDMYWDL78p8R1QjyGWB87v8oDCRH2bYu8vw3eJq0VNUz4CedMCAwEAAaOCAUswggFHMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBQ2VollSctbmy88rEIWUE2RuTPXkTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsGAQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MA0GCSqGSIb3DQEBCwUAA4ICAQBByGHB9VuePpEx8bDGvwkBtJ22kHTXCdumLg2fyOd2NEavB2CJTIGzPNX0EjV1wnOl9U2EjMukXa+/kvYXCFdClXJlBXZ5re7RurguVKNRB6xo6yEM4yWBws0q8sP/z8K9SRiax/CExfkUvGuV5Zbvs0LSU9VKoBLErhJ2UwlWDp3306ZJiFDyiiyXIKK+TnjvBWW3S6EWiN4xxwhCJHyke56dvGAAXmKX45P8p/5beyXf5FN/S77mPvDbAXlCHG6FbH22RDD7pTeSk7Kl7iCtP1PVyfQoa1fB+B1qt1YqtieBHKYtn+f00DGDl6gqtqy+G0H15IlfVvvaWtNefVWUEH5TV/RKPUAqyL1nn4ThEO792msVgkn8Rh3/RQZ0nEIU7cU507PNC4MnkENRkvJEgq5umhUXshn6x0VsmAF7vzepsIikkrw4OOAd5HyXmBouX+84Zbc1L71/TyH6xIzSbwb5STXq3yAPJarqYKssH0uJ/Lf6XFSQSz6iKE9s5FJlwf2QHIWCiG7pplXdISh5RbAU5QrM5l/Eu9thNGmfrCY498EpQQgVLkyg9/kMPt5fqwgJLYOsrDSDYvTJSUKJJbVuskfFszmgsSAbLLGOBG+lMEkc0EbpQFv0rW6624JKhxJKgAlN2992uQVbG+C7IHBfACXH0w76Fq17Ip5xCA==\",\"MIIF7TCCA9WgAwIBAgIQP4vItfyfspZDtWnWbELhRDANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEwMzIyMjIwNTI4WhcNMzYwMzIyMjIxMzA0WjCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCygEGqNThNE3IyaCJNuLLx/9VSvGzH9dJKjDbu0cJcfoyKrq8TKG/Ac+M6ztAlqFo6be+ouFmrEyNozQwph9FvgFyPRH9dkAFSWKxRxV8qh9zc2AodwQO5e7BW6KPeZGHCnvjzfLnsDbVU/ky2ZU+I8JxImQxCCwl8MVkXeQZ4KI2JOkwDJb5xalwL54RgpJki49KvhKSn+9GY7Qyp3pSJ4Q6g3MDOmT3qCFK7VnnkH4S6Hri0xElcTzFLh93dBWcmmYDgcRGjuKVB4qRTufcyKYMME782XgSzS0NHL2vikR7TmE/dQgfI6B0S/Jmpaz6SfsjWaTr8ZL22CZ3K/QwLopt3YEsDlKQwaRLWQi3BQUzK3Kr9j1uDRprZ/LHR47PJf0h6zSTwQY9cdNCssBAgBkm3xy0hyFfj0IbzA2j70M5xwYmZSmQBbP3sMJHPQTySx+W6hh1hhMdfgzlirrSSL0fzC/hV66AfWdC7dJse0Hbm8ukG1xDo+mTeacY1logC8Ea4PyeZb8txiSk190gWAjWP1Xl8TQLPX+uKg09FcYj5qQ1OcunCnAfPSRtOBA5jUYxe2ADBVSy2xuDCZU7JNDn1nLPEfuhhbhNfFcRf2X7tHc7uROzLLoax7Dj2cO2rXBPB2Q8Nx4CyVe0096yb5MPa50c8prWPMd/FS6/r8QIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUci06AjGQQ7kUBU7h6qfHMdEjiTQwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQELBQADggIBAH9yzw+3xRXbm8BJyiZb/p4T5tPw0tuXX/JLP02zrhmu7deXoKzvqTqjwkGw5biRnhOBJAPmCf0/V0A5ISRW0RAvS0CpNoZLtFNXmvvxfomPEf4YbFGq6O0JlbXlccmh6Yd1phV/yX43VF50k8XDZ8wNT2uoFwxtCJJ+i92Bqi1wIcM9BhS7vyRep4TXPw8hIr1LAAbblxzYXtTFC1yHblCk6MM4pPvLLMWSZpuFXst6bJN8gClYW1e1QGm6CHmmZGIVnYeWRbVmIyADixxzoNOieTPgUFmG2y/lAiXqcyqfABTINseSO+lOAOzYVgm5M0kS0lQLAausR7aRKX1MtHWAUgHoyoL2n8ysnI8X6i8msKtyrAv+nlEex0NVZ09Rs1fWtuzuUrc66U7h14GIvE+OdbtLqPA1qibUZ2dJsnBMO5PcHd94kIZysjik0dySTclY6ysSXNQ7roxrsIPlAT/4CTL2kzU0Iq/dNw13CYArzUgA8YyZGUcFAenRv9FO0OYoQzeZpApKCNmacXPSqs0xE2N2oTdvkjgefRI8ZjLny23h/FKJ3crWZgWalmG+oijHHKOnNlA8OqTfSm7mhzvO6/DggTedEzxSjr25HTTGHdUKaj2YKXCMiSrRq4IQSB/c9O+lxbtVGjhjhE63bK2VVOxlIhBJF7jAHscPrFRH\"]}"
  2⤵
  PID:3632
- C:\Windows\System32\sc.exe
  C:\Windows\System32\sc.exe query "SENSE"
  2⤵
  - Launches sc.exe
  PID:4548
- C:\Windows\System32\find.exe
  C:\Windows\System32\find.exe /i "RUNNING"
  2⤵
  PID:4196
- C:\Windows\System32\net.exe
  C:\Windows\System32\net.exe start sense
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start sense
    3⤵
    PID:3576
- C:\Windows\System32\find.exe
  C:\Windows\System32\find.exe /i "RUNNING"
  2⤵
  PID:1016
- C:\Windows\System32\sc.exe
  C:\Windows\System32\sc.exe query "SENSE"
  2⤵
  - Launches sc.exe
  PID:1064
- C:\Windows\System32\timeout.exe
  C:\Windows\System32\timeout.exe 5
  2⤵
  - Delays execution with timeout.exe
  PID:2600
- C:\Windows\System32\sc.exe
  C:\Windows\System32\sc.exe query "SENSE"
  2⤵
  - Launches sc.exe
  PID:1428
- C:\Windows\System32\find.exe
  C:\Windows\System32\find.exe /i "RUNNING"
  2⤵
  PID:2664
- C:\Windows\System32\timeout.exe
  C:\Windows\System32\timeout.exe 5
  2⤵
  - Delays execution with timeout.exe
  PID:668
- C:\Windows\System32\sc.exe
  C:\Windows\System32\sc.exe query "SENSE"
  2⤵
  - Launches sc.exe
  PID:3284
- C:\Windows\System32\find.exe
  C:\Windows\System32\find.exe /i "RUNNING"
  2⤵
  PID:3776
- C:\Windows\System32\timeout.exe
  C:\Windows\System32\timeout.exe 5
  2⤵
  - Delays execution with timeout.exe
  PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES44B5.tmp

Filesize
1KB

MD5
81342c9f7959391ecb839d630f4ce866

SHA1
00fe3a69c1f0abd481e7046137aa6c11f3631c82

SHA256
d1744b847bb305ab3e22a43be16caa46ab99472fddc62508367c1d07192e3614

SHA512
e58e14713d540a3c99cbde9771a0e2df979f22fcda4d3f344b007ae7a756f0b857059b5c0888c0ac35f7f8f6fd5ef20a1762ff02df59f620cc709e4d1014d5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kn30qfzq.mh3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wihw0epj\wihw0epj.dll

Filesize
4KB

MD5
4bd7797a1c1865d66013c70d8add1382

SHA1
d4f4f324bbd450221d75e5287647f71a1526b7f4

SHA256
ece63407aae054a4416cca580027a362707f20b4497e6b9cc44d057a7364756e

SHA512
b7b7830ec31f8129045b0c10fb4deef76845c170db522330c85c900408de82c122b6223046b5dd902ca948b7a97739804bfd6cf59fdc8197929cf33e6182cec4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wihw0epj\CSC14D3008A2AEA4CB9B081AD17A243C9A.TMP

Filesize
652B

MD5
ef5d17b8fc0232cd8120ba00daa49574

SHA1
63b1b012a61931a3412bf3ea487e3bbd7c559fdc

SHA256
6728bd90f0cc0af0f155308a7efc4c9cd41b3970dbbec37c75fc48ebf7976de5

SHA512
1f01c4414e80b2357792aea1d46015e37696e2c8f451c73f5ee5a60c6e0757140d8f1bf3864b338ac6ff488da79d9c091778a064541be11f8047cfecfab5efed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wihw0epj\wihw0epj.0.cs

Filesize
828B

MD5
6fd55e9d12cd585cefd6d0281e8b1702

SHA1
f9fefeb01781105d5a94d43793d334366073439e

SHA256
a35c0f7e148cfde26a37ccf1b4ea65107bc175b789ab9174a593eda8ece9a59f

SHA512
801baf22d5438043387d590f75b59d1fb45715b0b6f382f034e47d1a37a1979ee49fc22e7a55ae89c77c72f12d54a00b188b0d7c825505160b993fa7879103f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wihw0epj\wihw0epj.cmdline

Filesize
369B

MD5
cbb7f59893af77fd3774cf74c1452aab

SHA1
2d39e1966bf4397b8efbf0e29bc785c5598ac575

SHA256
9e2bd8e6e09f6f3dc3c9583e4c8ba9d1453324efafd3e3d67fc9b4736c8c7a64

SHA512
8faef554936884a0c23909a95fa4b9c16c6dae7985b3754ede03c87199a2d5e11c30da1c822a66e314e89b8a5f61f7f46f74fec7f98ba48e0c81e657305cbd37

Download Submit
memory/4868-12-0x00000244DC760000-0x00000244DC770000-memory.dmp

Filesize
64KB

Download
memory/4868-11-0x00000244DC760000-0x00000244DC770000-memory.dmp

Filesize
64KB

Download
memory/4868-10-0x00000244DC760000-0x00000244DC770000-memory.dmp

Filesize
64KB

Download
memory/4868-9-0x00007FFE43FB0000-0x00007FFE44A72000-memory.dmp

Filesize
10.8MB

Download
memory/4868-8-0x00000244DC7A0000-0x00000244DC7C2000-memory.dmp

Filesize
136KB

Download
memory/4868-25-0x00000244DC750000-0x00000244DC758000-memory.dmp

Filesize
32KB

Download
memory/4868-29-0x00007FFE43FB0000-0x00007FFE44A72000-memory.dmp

Filesize
10.8MB

Download