Resubmissions
date | id | score
29-02-2024 16:06 | 240229-tkj21sdh7t | 10
27-02-2024 13:03 | 240227-qat8fshe55 | 10
27-02-2024 13:01 | 240227-p8648shh9w | 10
24-02-2024 15:38 | 240224-s2555sge7w | 10
23-02-2024 17:47 | 240223-wddmrsfc51 | 10
23-02-2024 16:46 | 240223-t9yxgaee2z | 10
23-02-2024 14:52 | 240223-r81nkacd4t | 10
23-02-2024 14:41 | 240223-r2gbcabb95 | 10
23-02-2024 14:40 | 240223-r1195acb5s | 10
23-02-2024 13:27 | 240223-qp9xfsge5t | 10

Analysis
max time kernel: 150s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-02-2024 13:01
Static task: static1
Behavioral task: behavioral1
Sample: 6958ACC382E71103A0B83D20BBBB37D2.exe
Resource: win10v2004-20240226-en
General
Target: 6958ACC382E71103A0B83D20BBBB37D2.exe
Size: 232KB
MD5: 6958acc382e71103a0b83d20bbbb37d2
SHA1: 65bf64dfcabf7bc83e47ffc4360cda022d4dab34
SHA256: 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
SHA512: ebfa8b6986630b3502409d38cdff54881e4bce48511c7ba4f027345296c29708112c19ec6c9181c4b0188fa1f5cbe17b3c5d44dc07f33858323c677ef9caaeae
SSDEEP: 3072:FdfbYSFlTBL/A9OYh6++4hY7gfv9yPQxAVUmZAzsqvj1letKv/jbNRKCnrQbW:PbYSFH/AYYh9vERVUmSAQj1la9
Malware Config
Extracted: smokeloader
tfd5
Extracted: smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted: djvu
http://habrafa.com/test1/get.php
extension: .lkhy
offline_id: OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
payload_url: http://brusuax.com/dl/build2.exe
payload_url: http://habrafa.com/files/1/build3.exe
ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0851ASdw
Extracted: lumma
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
https://resergvearyinitiani.shop/api
Signatures
DcRat 4 IoCs
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6958ACC382E71103A0B83D20BBBB37D2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c3074f8d-3146-4d14-9731-666ebdb3c4f1\\C620.exe\" --AutoStart" | C620.exe
pid | process
1176 | schtasks.exe
228 | schtasks.exe
Detect ZGRat V1 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\74F4.exe | family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\74F4.exe | family_zgrat_v1
Detected Djvu ransomware 9 IoCs
Processes:
resource | yara_rule
behavioral1/memory/3004-21-0x00000000038F0000-0x0000000003A0B000-memory.dmp | family_djvu
behavioral1/memory/1848-22-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1848-24-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1848-25-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1848-26-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1848-38-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2832-44-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2832-45-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2832-48-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
Glupteba payload 10 IoCs
Processes:
resource | yara_rule
behavioral1/memory/876-105-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral1/memory/876-106-0x0000000003F10000-0x00000000047FB000-memory.dmp | family_glupteba
behavioral1/memory/876-159-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral1/memory/236-161-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral1/memory/236-206-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral1/memory/236-251-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral1/memory/236-270-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral1/memory/4156-339-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral1/memory/4156-405-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral1/memory/4156-428-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 3068 created 2540 | 3068 | MsBuild.exe | sihost.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
pid | process
1156 | netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C620.exe
Deletes itself 1 IoCs
Processes:
pid | process
3396 |
Executes dropped EXE 14 IoCs
Processes:
pid | process
3004 | C620.exe
1848 | C620.exe
3772 | C620.exe
2832 | C620.exe
2580 | D97A.exe
4140 | 124E.exe
876 | 223E.exe
236 | 223E.exe
4364 | 566E.exe
4400 | 74F4.exe
4156 | csrss.exe
1128 | injector.exe
4916 | windefender.exe
4560 | windefender.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
4400 | 74F4.exe
3592 | taskmgr.exe
Modifies file permissions 1 TTPs 1 IoCs
Processes:
resource | yara_rule
C:\Windows\windefender.exe | upx
behavioral1/memory/4916-426-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c3074f8d-3146-4d14-9731-666ebdb3c4f1\\C620.exe\" --AutoStart" | C620.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 223E.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
39 | api.2ip.ua
41 | api.2ip.ua
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes:
description | ioc | process
File opened for modification | \??\WinMonFS | csrss.exe
Drops file in System32 directory 7 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 3004 set thread context of 1848 | 3004 | C620.exe | C620.exe
PID 3772 set thread context of 2832 | 3772 | C620.exe | C620.exe
PID 2580 set thread context of 1744 | 2580 | D97A.exe | RegAsm.exe
PID 4400 set thread context of 3068 | 4400 | 74F4.exe | MsBuild.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
description | ioc | process
File opened (read-only) | \??\VBoxMiniRdrDN | 223E.exe
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\rss | 223E.exe
File created | C:\Windows\rss\csrss.exe | 223E.exe
File created | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\windefender.exe | csrss.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
4732 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 3 IoCs
Processes:
pid | pid_target | process | target process
2132 | 2832 | WerFault.exe | C620.exe
5080 | 3068 | WerFault.exe | MsBuild.exe
3132 | 3068 | WerFault.exe | MsBuild.exe
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6958ACC382E71103A0B83D20BBBB37D2.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6958ACC382E71103A0B83D20BBBB37D2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6958ACC382E71103A0B83D20BBBB37D2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1176 | schtasks.exe
228 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid | process
3396 |
3592 | taskmgr.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
1128 | 6958ACC382E71103A0B83D20BBBB37D2.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeDebugPrivilege | 3592 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3592 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3592 | taskmgr.exe
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeDebugPrivilege | 380 | powershell.exe
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeDebugPrivilege | 876 | 223E.exe
Token: SeImpersonatePrivilege | 876 | 223E.exe
Token: SeDebugPrivilege | 1152 | powershell.exe
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeDebugPrivilege | 2580 | powershell.exe
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeDebugPrivilege | 2952 | powershell.exe
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeDebugPrivilege | 812 | powershell.exe
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeDebugPrivilege | 4384 | powershell.exe
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeDebugPrivilege | 2148 | powershell.exe
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeSystemEnvironmentPrivilege | 4156 | csrss.exe
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeShutdownPrivilege | 3396 |
Token: SeCreatePagefilePrivilege | 3396 |
Token: SeSecurityPrivilege | 4732 | sc.exe
Token: SeSecurityPrivilege | 4732 | sc.exe
Token: SeShutdownPrivilege | 3396 |
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 3396 wrote to memory of 4812 | 3396 | | cmd.exe
PID 3396 wrote to memory of 4812 | 3396 | | cmd.exe
PID 4812 wrote to memory of 1644 | 4812 | cmd.exe | reg.exe
PID 4812 wrote to memory of 1644 | 4812 | cmd.exe | reg.exe
PID 3396 wrote to memory of 3004 | 3396 | | C620.exe
PID 3396 wrote to memory of 3004 | 3396 | | C620.exe
PID 3396 wrote to memory of 3004 | 3396 | | C620.exe
PID 3004 wrote to memory of 1848 | 3004 | C620.exe | C620.exe
PID 3004 wrote to memory of 1848 | 3004 | C620.exe | C620.exe
PID 3004 wrote to memory of 1848 | 3004 | C620.exe | C620.exe
PID 3004 wrote to memory of 1848 | 3004 | C620.exe | C620.exe
PID 3004 wrote to memory of 1848 | 3004 | C620.exe | C620.exe
PID 3004 wrote to memory of 1848 | 3004 | C620.exe | C620.exe
PID 3004 wrote to memory of 1848 | 3004 | C620.exe | C620.exe
PID 3004 wrote to memory of 1848 | 3004 | C620.exe | C620.exe
PID 3004 wrote to memory of 1848 | 3004 | C620.exe | C620.exe
PID 3004 wrote to memory of 1848 | 3004 | C620.exe | C620.exe
PID 1848 wrote to memory of 2424 | 1848 | C620.exe | icacls.exe
PID 1848 wrote to memory of 2424 | 1848 | C620.exe | icacls.exe
PID 1848 wrote to memory of 2424 | 1848 | C620.exe | icacls.exe
PID 1848 wrote to memory of 3772 | 1848 | C620.exe | C620.exe
PID 1848 wrote to memory of 3772 | 1848 | C620.exe | C620.exe
PID 1848 wrote to memory of 3772 | 1848 | C620.exe | C620.exe
PID 3396 wrote to memory of 3592 | 3396 | | taskmgr.exe
PID 3396 wrote to memory of 3592 | 3396 | | taskmgr.exe
PID 3772 wrote to memory of 2832 | 3772 | C620.exe | C620.exe
PID 3772 wrote to memory of 2832 | 3772 | C620.exe | C620.exe
PID 3772 wrote to memory of 2832 | 3772 | C620.exe | C620.exe
PID 3772 wrote to memory of 2832 | 3772 | C620.exe | C620.exe
PID 3772 wrote to memory of 2832 | 3772 | C620.exe | C620.exe
PID 3772 wrote to memory of 2832 | 3772 | C620.exe | C620.exe
PID 3772 wrote to memory of 2832 | 3772 | C620.exe | C620.exe
PID 3772 wrote to memory of 2832 | 3772 | C620.exe | C620.exe
PID 3772 wrote to memory of 2832 | 3772 | C620.exe | C620.exe
PID 3772 wrote to memory of 2832 | 3772 | C620.exe | C620.exe
PID 3396 wrote to memory of 2580 | 3396 | | D97A.exe
PID 3396 wrote to memory of 2580 | 3396 | | D97A.exe
PID 3396 wrote to memory of 2580 | 3396 | | D97A.exe
PID 2580 wrote to memory of 1744 | 2580 | D97A.exe | RegAsm.exe
PID 2580 wrote to memory of 1744 | 2580 | D97A.exe | RegAsm.exe
PID 2580 wrote to memory of 1744 | 2580 | D97A.exe | RegAsm.exe
PID 2580 wrote to memory of 1744 | 2580 | D97A.exe | RegAsm.exe
PID 2580 wrote to memory of 1744 | 2580 | D97A.exe | RegAsm.exe
PID 2580 wrote to memory of 1744 | 2580 | D97A.exe | RegAsm.exe
PID 2580 wrote to memory of 1744 | 2580 | D97A.exe | RegAsm.exe
PID 2580 wrote to memory of 1744 | 2580 | D97A.exe | RegAsm.exe
PID 2580 wrote to memory of 1744 | 2580 | D97A.exe | RegAsm.exe
PID 3396 wrote to memory of 4140 | 3396 | | 124E.exe
PID 3396 wrote to memory of 4140 | 3396 | | 124E.exe
PID 3396 wrote to memory of 4140 | 3396 | | 124E.exe
PID 3396 wrote to memory of 3668 | 3396 | | cmd.exe
PID 3396 wrote to memory of 3668 | 3396 | | cmd.exe
PID 3668 wrote to memory of 3200 | 3668 | cmd.exe | reg.exe
PID 3668 wrote to memory of 3200 | 3668 | cmd.exe | reg.exe
PID 3396 wrote to memory of 876 | 3396 | | 223E.exe
PID 3396 wrote to memory of 876 | 3396 | | 223E.exe
PID 3396 wrote to memory of 876 | 3396 | | 223E.exe
PID 876 wrote to memory of 380 | 876 | 223E.exe | powershell.exe
PID 876 wrote to memory of 380 | 876 | 223E.exe | powershell.exe
PID 876 wrote to memory of 380 | 876 | 223E.exe | powershell.exe
PID 236 wrote to memory of 1152 | 236 | 223E.exe | powershell.exe
PID 236 wrote to memory of 1152 | 236 | 223E.exe | powershell.exe
PID 236 wrote to memory of 1152 | 236 | 223E.exe | powershell.exe
PID 3396 wrote to memory of 4364 | 3396 | | 566E.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2540
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵PID:1272
-
-
C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1128
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AFF7.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵PID:1644
-
-
[1] C:\Users\Admin\AppData\Local\Temp\C620.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\C620.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3004
  [2] C:\Users\Admin\AppData\Local\Temp\C620.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\C620.exe
      - DcRat
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 1848
    [3] C:\Windows\SysWOW64\icacls.exe
        Command line: icacls "C:\Users\Admin\AppData\Local\c3074f8d-3146-4d14-9731-666ebdb3c4f1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        - Modifies file permissions
        PID: 2424
    [3] C:\Users\Admin\AppData\Local\Temp\C620.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\C620.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        PID: 3772
      [4] C:\Users\Admin\AppData\Local\Temp\C620.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\C620.exe" --Admin IsNotAutoStart IsNotTask
          - Executes dropped EXE
          PID: 2832
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 568
            - Program crash
            PID: 2132
[1] C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3592
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2832 -ip 2832
    PID: 4748
[1] C:\Users\Admin\AppData\Local\Temp\D97A.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\D97A.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 2580
  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 1744
[1] C:\Users\Admin\AppData\Local\Temp\124E.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\124E.exe
    - Executes dropped EXE
    PID: 4140
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1656.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 3668
  [2] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      PID: 3200
[1] C:\Users\Admin\AppData\Local\Temp\223E.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\223E.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 876
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      - Suspicious use of AdjustPrivilegeToken
      PID: 380
  [2] C:\Users\Admin\AppData\Local\Temp\223E.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\223E.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
      PID: 236
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
        PID: 1152
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        PID: 4948
      [4] C:\Windows\system32\netsh.exe
          Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          - Modifies Windows Firewall
          PID: 1156
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
        PID: 2580
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
        PID: 2952
    [3] C:\Windows\rss\csrss.exe
        Command line: C:\Windows\rss\csrss.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Manipulates WinMonFS driver.
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        PID: 4156
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID: 812
      [4] C:\Windows\SYSTEM32\schtasks.exe
          Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          - DcRat
          - Creates scheduled task(s)
          PID: 1176
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID: 4384
      [4] C:\Windows\SYSTEM32\schtasks.exe
          Command line: schtasks /delete /tn ScheduledUpdate /f
          PID: 4604
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID: 2148
      [4] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          - Executes dropped EXE
          PID: 1128
      [4] C:\Windows\SYSTEM32\schtasks.exe
          Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          - DcRat
          - Creates scheduled task(s)
          PID: 228
      [4] C:\Windows\windefender.exe
          Command line: "C:\Windows\windefender.exe"
          - Executes dropped EXE
          PID: 4916
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            PID: 4612
          [6] C:\Windows\SysWOW64\sc.exe
              Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              - Launches sc.exe
              - Suspicious use of AdjustPrivilegeToken
              PID: 4732
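The `sc sdset WinDefender ...` command in the windefender.exe subtree rewrites the security descriptor of the service the dropper installs. What that SDDL string actually changes is easy to miss by eye, so here is an added example (not sandbox output and not the malware's code) that decodes it with a small standard-library Python parser. The right and SID abbreviations follow the Windows SDDL documentation; the access-check model is a deliberate simplification (denies win regardless of ACE order, and group membership is not expanded), which is stated again in the code comments.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# The descriptor passed to "sc sdset WinDefender" in the process tree above.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Two-letter SDDL right tokens as they apply to service objects (winsvc.h / winnt.h names).
RIGHTS: Dict[str, str] = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}

# Well-known SID aliases that appear in service descriptors.
SIDS: Dict[str, str] = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
    "WD": "Everyone", "AU": "NT AUTHORITY\\Authenticated Users", "BU": "BUILTIN\\Users",
}


class Ace(NamedTuple):
    kind: str         # "A" allow or "D" deny ("AU" audit ACEs live in the SACL, not parsed here)
    flags: str        # inheritance/audit flags, normally empty for services
    rights: Set[str]  # two-letter tokens from RIGHTS (or one opaque hex mask)
    sid: str          # alias such as "BA", or a literal S-1-... string


# type;flags;rights;object_guid;inherit_object_guid;sid
_ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)")


def _split_rights(field: str) -> Set[str]:
    # Rights may be written as a hex mask ("0x20") instead of tokens; keep that opaque.
    if field.lower().startswith("0x"):
        return {field}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_dacl(sddl: str) -> List[Ace]:
    """Return the ACEs of the D: (DACL) part of an SDDL string, in descriptor order."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    return [Ace(k, f, _split_rights(r), s) for k, f, r, s in _ACE_RE.findall(m.group(1))]


def effective(sddl: str, sid: str) -> Tuple[Set[str], Set[str]]:
    """(allowed minus denied, denied) for ACEs that name `sid` directly.

    Simplification: a deny always wins, which is how a canonical DACL (denies first)
    behaves and also what AccessCheck yields here, because the BA allow ACE does not
    grant WP/DT in the first place. Group membership is not expanded, so pass the alias
    the ACE actually names ("BA" for an administrator).
    """
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in parse_dacl(sddl):
        if ace.sid != sid:
            continue
        if ace.kind == "A":
            allowed |= ace.rights
        elif ace.kind == "D":
            denied |= ace.rights
    return allowed - denied, denied


def can(sddl: str, sid: str, right: str) -> bool:
    return right in effective(sddl, sid)[0]


def describe(sddl: str) -> List[str]:
    """One human-readable line per DACL ACE."""
    lines = []
    for ace in parse_dacl(sddl):
        who = SIDS.get(ace.sid, ace.sid)
        names = ", ".join(RIGHTS.get(r, r) for r in sorted(ace.rights))
        lines.append(f"{'ALLOW' if ace.kind == 'A' else 'DENY '} {who}: {names}")
    return lines


def stop_denied_to_admins(sddl: str) -> bool:
    """Detection helper: True when BUILTIN\\Administrators cannot stop the service."""
    return not can(sddl, "BA", "WP")


if __name__ == "__main__":
    for line in describe(WINDEFENDER_SDDL):
        print(line)
    print("admins can stop:", can(WINDEFENDER_SDDL, "BA", "WP"))
    print("admins can rewrite DACL:", can(WINDEFENDER_SDDL, "BA", "WD"))
```

Decoding the string shows the intent: SYSTEM keeps the default rights, but the Administrators allow ACE has SERVICE_STOP and SERVICE_PAUSE_CONTINUE removed and a separate deny ACE for the same two rights is added, so `sc stop`, `net stop` and the Services console cannot stop the fake "WinDefender" service. Because WRITE_DAC (WD) and DELETE (SD) are still granted to Administrators, an elevated responder can still reset the descriptor with another `sc sdset`, or remove the service with `sc delete`, before killing the process.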
[1] C:\Users\Admin\AppData\Local\Temp\566E.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\566E.exe
    - Executes dropped EXE
    PID: 4364
[1] C:\Users\Admin\AppData\Local\Temp\74F4.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\74F4.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID: 4400
  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      PID: 3068
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 436
        - Program crash
        PID: 5080
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 432
        - Program crash
        PID: 3132
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3068 -ip 3068
    PID: 2604
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3068 -ip 3068
    PID: 2312
[1] C:\Windows\windefender.exe
    Command line: C:\Windows\windefender.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID: 4560
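The process tree above carries several command lines that map directly onto the ATT&CK techniques listed further down: the ONLOGON task with highest run level, the service DACL rewrite, the inbound firewall allow rule, the icacls deny on the ransomware's working folder, the argument-less RegAsm.exe and MsBuild.exe children of droppers in %TEMP%, and a "csrss.exe" running from C:\Windows\rss. As an added example (not sandbox output and not the malware's code), the Python below runs command-line rules for each of those over a constructed event list copied from the tree, plus one made-up benign svchost.exe event to show the rules stay quiet on ordinary activity. The `Proc` record layout, the rule names and the ATT&CK mapping are this example's own choices, not a format the sandbox exports.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str          # image path of the process
    cmdline: str        # its command line
    parent_image: str   # image path of the parent


# .NET utilities that loaders commonly start suspended and hollow out.
LOLBIN_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
# Names of core Windows binaries that only live in the system directories.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
USER_TEMP = "\\appdata\\local\\temp\\"


def check(ev: Proc) -> List[Tuple[str, str]]:
    """Return (rule name, ATT&CK id) pairs that the event matches."""
    base = ntpath.basename(ev.image).lower()
    cl = ev.cmdline.lower()
    hits: List[Tuple[str, str]] = []
    # Persistence: logon-triggered task that runs with the highest privileges.
    if base == "schtasks.exe" and "/create" in cl and "/sc onlogon" in cl and "/rl highest" in cl:
        hits.append(("scheduled_task_onlogon_highest", "T1053.005"))
    # Impair Defenses: rewriting a service DACL with an explicit deny ACE.
    if base == "sc.exe" and " sdset " in cl and "(d;" in cl:
        hits.append(("service_dacl_deny", "T1562"))
    # Impair Defenses: inbound firewall allow rule for a specific program.
    if base == "netsh.exe" and "advfirewall" in cl and "add rule" in cl and "action=allow" in cl:
        hits.append(("firewall_allow_rule", "T1562.004"))
    # File permission change: deny Everyone (S-1-1-0) on a directory.
    if base == "icacls.exe" and "/deny" in cl and "s-1-1-0" in cl:
        hits.append(("icacls_deny_everyone", "T1222.001"))
    # Hollowing candidate: .NET host started with no arguments by a binary in %TEMP%.
    if (base in LOLBIN_HOSTS
            and cl.strip().strip('"') == ev.image.lower()
            and USER_TEMP in ev.parent_image.lower()):
        hits.append(("lolbin_no_args_from_temp", "T1055.012"))
    # Masquerading: a system-binary name executed outside System32/SysWOW64.
    if base in SYSTEM_NAMES and ntpath.dirname(ev.image).lower() not in SYSTEM_DIRS:
        hits.append(("system_binary_outside_system32", "T1036.005"))
    return hits


def scan(events: List[Proc]) -> List[Tuple[int, str, str]]:
    return [(ev.pid, rule, tid) for ev in events for rule, tid in check(ev)]


# Constructed sample: events copied from the process tree above, plus one benign
# svchost.exe event (PID 1001, made up here) that should produce no hit.
EVENTS = [
    Proc(2424, r"C:\Windows\SysWOW64\icacls.exe",
         r'icacls "C:\Users\Admin\AppData\Local\c3074f8d-3146-4d14-9731-666ebdb3c4f1" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
         r"C:\Users\Admin\AppData\Local\Temp\C620.exe"),
    Proc(1744, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
         r"C:\Users\Admin\AppData\Local\Temp\D97A.exe"),
    Proc(1156, r"C:\Windows\system32\netsh.exe",
         r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
         r"C:\Windows\system32\cmd.exe"),
    Proc(4156, r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe",
         r"C:\Users\Admin\AppData\Local\Temp\223E.exe"),
    Proc(1176, r"C:\Windows\SYSTEM32\schtasks.exe",
         r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
         r"C:\Windows\rss\csrss.exe"),
    Proc(4604, r"C:\Windows\SYSTEM32\schtasks.exe", r"schtasks /delete /tn ScheduledUpdate /f",
         r"C:\Windows\rss\csrss.exe"),
    Proc(4732, r"C:\Windows\SysWOW64\sc.exe",
         r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
         r"C:\Windows\SysWOW64\cmd.exe"),
    Proc(3068, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe",
         r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe",
         r"C:\Users\Admin\AppData\Local\Temp\74F4.exe"),
    Proc(1001, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p",
         r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for pid, rule, tid in scan(EVENTS):
        print(f"PID {pid}: {rule} ({tid})")
```

The three fields the rules key on (image, command line, parent image) are the ones a Sysmon process-creation event (Event ID 1) carries as Image, CommandLine and ParentImage, so the same checks port to a SIEM query with little change. Note that the `schtasks /delete /tn ScheduledUpdate /f` call is deliberately not matched: deleting an unknown task is not suspicious on its own, and the persistence signal here is the ONLOGON creation with `/RL HIGHEST`.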
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses: Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
- Filesize: 5.0MB
  MD5: 0904e849f8483792ef67991619ece915
  SHA1: 58d04535efa58effb3c5ed53a2462aa96d676b79
  SHA256: fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
  SHA512: 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5
- Filesize: 4.1MB
  MD5: 36ec1d695debbe79b89bc646488a56f1
  SHA1: ca67c404f7f2f79f1d09b1b4b82e457044ba434e
  SHA256: 14f09227c447c380b59dc42155e0e8a1cdddecc35ec6c29a7f05c0b4a0101c39
  SHA512: b4ae53dabbe3bcd9a8a530e036cbf0693936811fb2edbd826d69777114915f5e9134365e6f0b7725090b7600666d0f1dcb303785c161a8f6ae0ac3971008c8e6
- Filesize: 832KB
  MD5: 435f7f4c2ae0a571e87ad16e1bfa40ca
  SHA1: afc7d122eccd2d7e8f24bc4f112c9e63394d5fd9
  SHA256: 3ba02dee4a8dd896dbf3f96a349eb985c40e656c2b3c024ce9d0b1131d3e83d5
  SHA512: 8f4aa0d318e55020122b3e77ed2f05b1d49d52ed6aea95d54d9ef1ea6fab936561a43b0ad9ea8f4dabc3ea611828003a6aa76babd0fd74d5a61b161c469b0419
- Filesize: 2.2MB
  MD5: c00114cd21c605efb9f433a0a026d92d
  SHA1: 91266036843eb217edba0ab5728a1ea4e0577597
  SHA256: 1fc7c3d55e038721889650c9cdf34b34a302892586756d2f2e4d8b3b9d1ecc9f
  SHA512: b98bd8ac8cd00cc574b61d96cebf0937796d880505567e63d11febaa1dcbceade0a725ab8051c5581a7922f7e37a71147e002c8e181fdc9da641e28ae6246a46
- Filesize: 2.1MB
  MD5: e7f70b105895c26348f294da022b2f4c
  SHA1: 3c6ae92936678283f7832af1672fadcb791a4b65
  SHA256: fbc6d99493d49dd260116d48e9a6e01d33ab6716e460fd4b16dfecb2c7b8907f
  SHA512: 637dc2dc0347d11a1bafe66c0a7eaa64fd661c51f296bec52925502a24138caed7450b368738447779e7ca45d926325e078344a2021c3cdd1ca24654892d91df
- Filesize: 5.2MB
  MD5: d82368b2841957964ee318e819f2c72f
  SHA1: 433744fd3d02ec787ee4bf1ff0be7c27513e9faa
  SHA256: f3aa50af194429085c751824c0826e2cd9a19d697bc2ef24e0c3c6d882cd876e
  SHA512: 9039aa57de3300c0a0344bec68373ec5ab624565728346183c56f420d24b0fe525effb9abccdfebac9544100558e13582adaea60bd384e941ddc4500daac9325
- Filesize: 5.2MB
  MD5: 7187e773d67a78998b4ec28ea4ad5a7d
  SHA1: b1c56517ef7c0ee2be140dc9e0a12586be41d42e
  SHA256: c9fd37d414acf3b81e9b0e4bd3313349ca07a187c5cbbdbd8fa16c4b5f00c440
  SHA512: 7e43b59770204e51852ca75d492702af5deeb2f41bd04ddab95e1eda6d5ac498b531a0f87748db19dc838912c7972a666c58426800086bf7b4517b4832475830
- Filesize: 77B
  MD5: 55cc761bf3429324e5a0095cab002113
  SHA1: 2cc1ef4542a4e92d4158ab3978425d517fafd16d
  SHA256: d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
  SHA512: 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
- Filesize: 745KB
  MD5: a9760450802b7908bab3c4c8be1c9948
  SHA1: 3ea93e1f4a59a6bcd35d8160fe48acbb38c05ede
  SHA256: f96c9955e4f7adc63257a867ebc60d7216215fc3ca8b133fc59eac0ae42b3fdb
  SHA512: 09bd5f5262489d6b9d3f15ceffda2b531e83ddc0d47ee4d302f55614cc21e504a3dee0699d6fa286de18b52d115c9d49a92df4aa62bccee545d2fa11a8832b3d
- Filesize: 297KB
  MD5: 9263197aa58e0e5bce76cce8f6323a9c
  SHA1: 06cf5f4f2c3b8a7cbf8064f15f4e6f988197470b
  SHA256: ef798468db36b921f6c2830f5eb95c6e31b5e118f10a0aea9e944960cdf96a16
  SHA512: cdf2f98ac3aa9efddb8908ce1101f429bb390617638d3fdd1ad698fa03727c183879d68a4a1ee8b15a12b1f7c840b8d6df1f6fb63a95ff2ce8d0e5a40bd77fab
- Filesize: 742KB
  MD5: 544cd51a596619b78e9b54b70088307d
  SHA1: 4769ddd2dbc1dc44b758964ed0bd231b85880b65
  SHA256: dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
  SHA512: f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 99KB
  MD5: 09031a062610d77d685c9934318b4170
  SHA1: 880f744184e7774f3d14c1bb857e21cc7fe89a6d
  SHA256: 778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd
  SHA512: 9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27
- Filesize: 281KB
  MD5: d98e33b66343e7c96158444127a117f6
  SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
  SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
  SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 6e5197e83053bfdbfefbf575b33ad342
  SHA1: 4efb146972457381eb519337a043ef3eec67f331
  SHA256: 3273fb8023916231b005f00e5e4a07a2dcdeb3702969c46bc309a87bc4f2a20a
  SHA512: 1c43793449cab1ed68ae464b20e59f80f727a39899c3a9d9afd3d7b76a560c490097b687a8cfeeeb5122ccf36cef6521c400ebde51f4ca5ec1c7bc7e5628f41c
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 7b31c2026205829baf7034c63bf3c1dd
  SHA1: c12c68bc59fb5e8aea5d0d85f1976b33fe2878c9
  SHA256: 1b30281fef0a659697e57b34a411942a2cfa3f5c968370a740797a4737091240
  SHA512: f0520366b96fd5fed2ab31f1f3ac4a32c6068a4e572f448f49897771d93d14c7e3da440d7bb963baf8bf5ba7c13f6fa484a64003d83ea57d1db8e97eb957698f
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 2d83dfe0d422b31d9c18411557692ad4
  SHA1: b4c061dfd24093110240a6237c691257e4eac932
  SHA256: 3e2a9e05fb0363bf31f8f73b1242513aa5259ab909f7242e0003560b4c521d4e
  SHA512: c010bddfede9284e508211e310a57c9a125423cab9ce65bbf4cf11a6cb60be2723230f66998614b92259b595636523797b3a3d00db0ba41f0b9f6046e615119c
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: e8ba664405a8c2e2ad407d671926faa8
  SHA1: cf4eddc8281f363fb6a27a9985d7aef3a387e54c
  SHA256: 38ee0deac3c82a85d2591f476077b20ebb409c6a29d1b09cf1da786349a5f5d0
  SHA512: f84e678466b52e5b589f201790010ae269553728fd8545aeaf4b22530d474fbd9bf0e2e57fec1845732a5aa44532ca31b5ebc917a8f1abd784169c5361d15a22
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 1c1ba60d59ccbf4bf9fc8ae998662680
  SHA1: a0e7e1ea3c426375492c6d914b0bac55e26190d7
  SHA256: 17ca5127d09be58029f5f789350ed4e779674986f1e0884b658e6fe4fde64e8c
  SHA512: 124e06d27fb5d43446d424e405b2fe514a7ff517aa41e1a874b1fa32d1192762b5ba221f1a6e46b34fe2473594755c1bf89bb3e5a040caad6194b956379dc4a4
- Filesize: 2.0MB
  MD5: 8e67f58837092385dcf01e8a2b4f5783
  SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
  SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
  SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec