6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6

Analysis

max time kernel
57s
max time network
145s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe
Size

2.8MB
MD5

ffa9de7e1099b646dd55d1245bbbe4e4
SHA1

c189bf90d44bdc77e44ba0bb8c12f98ef4d79993
SHA256

6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6
SHA512

49d52955833b59810b0227b27a02ead5c8f0b4be3432f59898e3868e5fc3b2c1b33cce277f68ed22c107b04eee2a79c1663d0e5adfce2468f5fc3d8b250163ee
SSDEEP

49152:cPb5azQk6yxs+g8R3m5Vy5lQKQSdVbGBewI27SgnXF47VyK1/5GpBc3:mb5azx6X+gi3m5ZKQSdVqB9I27S2XF4n

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

pid	Process
2356	htkukoroedzb.exe
2452	htkukoroedzb.exe

Loads dropped DLL 2 IoCs

pid	Process
480	services.exe
480	services.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	htkukoroedzb.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1924 set thread context of 2440	1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe	43
PID 2356 set thread context of 3056	2356	htkukoroedzb.exe	68
PID 2356 set thread context of 1424	2356	htkukoroedzb.exe	69

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2972	sc.exe
2612	sc.exe
2820	sc.exe
2372	sc.exe
896	sc.exe
2132	sc.exe
2312	sc.exe
2672	sc.exe
1568	sc.exe
908	sc.exe
1652	sc.exe
268	sc.exe
1552	sc.exe
272	sc.exe
1896	sc.exe
2392	sc.exe
2876	sc.exe
896	sc.exe
1288	sc.exe
2060	sc.exe
2420	sc.exe
2648	sc.exe
1364	sc.exe
2544	sc.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40beec06456fda01	powershell.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe
2960	powershell.exe
1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe
1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe
1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe
1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe
1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe
1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe
1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe
1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe
2440	dialer.exe
1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe
2440	dialer.exe
2440	dialer.exe
1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe
1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe
2356	htkukoroedzb.exe
1892	powershell.exe
2356	htkukoroedzb.exe
2356	htkukoroedzb.exe
2356	htkukoroedzb.exe
2356	htkukoroedzb.exe
2356	htkukoroedzb.exe
2356	htkukoroedzb.exe
2356	htkukoroedzb.exe
2356	htkukoroedzb.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
3056	dialer.exe
2356	htkukoroedzb.exe
1424	dialer.exe
2968	powershell.exe
1424	dialer.exe
2452	htkukoroedzb.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe
Token: SeDebugPrivilege	2440	dialer.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	2356	htkukoroedzb.exe
Token: SeDebugPrivilege	3056	dialer.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	2968	powershell.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2548	2540	cmd.exe	35
PID 2540 wrote to memory of 2548	2540	cmd.exe	35
PID 2540 wrote to memory of 2548	2540	cmd.exe	35
PID 1924 wrote to memory of 2440	1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe	43
PID 1924 wrote to memory of 2440	1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe	43
PID 1924 wrote to memory of 2440	1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe	43
PID 1924 wrote to memory of 2440	1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe	43
PID 1924 wrote to memory of 2440	1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe	43
PID 1924 wrote to memory of 2440	1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe	43
PID 1924 wrote to memory of 2440	1924	6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe	43
PID 2440 wrote to memory of 432	2440	dialer.exe	5
PID 2440 wrote to memory of 480	2440	dialer.exe	6
PID 2440 wrote to memory of 488	2440	dialer.exe	7
PID 480 wrote to memory of 2356	480	services.exe	52
PID 480 wrote to memory of 2356	480	services.exe	52
PID 480 wrote to memory of 2356	480	services.exe	52
PID 2440 wrote to memory of 2356	2440	dialer.exe	52
PID 2440 wrote to memory of 496	2440	dialer.exe	8
PID 2440 wrote to memory of 600	2440	dialer.exe	9
PID 2440 wrote to memory of 676	2440	dialer.exe	10
PID 2440 wrote to memory of 752	2440	dialer.exe	11
PID 2440 wrote to memory of 812	2440	dialer.exe	12
PID 2440 wrote to memory of 848	2440	dialer.exe	13
PID 2440 wrote to memory of 964	2440	dialer.exe	15
PID 2440 wrote to memory of 108	2440	dialer.exe	16
PID 1056 wrote to memory of 2112	1056	cmd.exe	59
PID 1056 wrote to memory of 2112	1056	cmd.exe	59
PID 1056 wrote to memory of 2112	1056	cmd.exe	59
PID 2440 wrote to memory of 348	2440	dialer.exe	17
PID 2440 wrote to memory of 1060	2440	dialer.exe	18
PID 2440 wrote to memory of 1124	2440	dialer.exe	19
PID 2440 wrote to memory of 1140	2440	dialer.exe	20
PID 2356 wrote to memory of 3056	2356	htkukoroedzb.exe	68
PID 2356 wrote to memory of 3056	2356	htkukoroedzb.exe	68
PID 2356 wrote to memory of 3056	2356	htkukoroedzb.exe	68
PID 2356 wrote to memory of 3056	2356	htkukoroedzb.exe	68
PID 2356 wrote to memory of 3056	2356	htkukoroedzb.exe	68
PID 2356 wrote to memory of 3056	2356	htkukoroedzb.exe	68
PID 2356 wrote to memory of 3056	2356	htkukoroedzb.exe	68
PID 2356 wrote to memory of 1424	2356	htkukoroedzb.exe	69
PID 2356 wrote to memory of 1424	2356	htkukoroedzb.exe	69
PID 2356 wrote to memory of 1424	2356	htkukoroedzb.exe	69
PID 2356 wrote to memory of 1424	2356	htkukoroedzb.exe	69
PID 2356 wrote to memory of 1424	2356	htkukoroedzb.exe	69
PID 2356 wrote to memory of 1424	2356	htkukoroedzb.exe	69
PID 2356 wrote to memory of 1424	2356	htkukoroedzb.exe	69
PID 2356 wrote to memory of 1424	2356	htkukoroedzb.exe	69
PID 2356 wrote to memory of 1424	2356	htkukoroedzb.exe	69
PID 2356 wrote to memory of 2784	2356	htkukoroedzb.exe	70
PID 2356 wrote to memory of 2784	2356	htkukoroedzb.exe	70
PID 3056 wrote to memory of 432	3056	dialer.exe	5
PID 2356 wrote to memory of 2784	2356	htkukoroedzb.exe	70
PID 2356 wrote to memory of 2784	2356	htkukoroedzb.exe	70
PID 3056 wrote to memory of 480	3056	dialer.exe	6
PID 848 wrote to memory of 2404	848	svchost.exe	73
PID 848 wrote to memory of 2404	848	svchost.exe	73
PID 848 wrote to memory of 2404	848	svchost.exe	73
PID 3056 wrote to memory of 488	3056	dialer.exe	7
PID 3056 wrote to memory of 496	3056	dialer.exe	8
PID 3056 wrote to memory of 600	3056	dialer.exe	9
PID 3056 wrote to memory of 676	3056	dialer.exe	10
PID 3056 wrote to memory of 752	3056	dialer.exe	11

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:676
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:752
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:812
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1124
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    PID:2404
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:964
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:108
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:348
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1060
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1140
- C:\ProgramData\acoqdtfjxomu\htkukoroedzb.exe
  C:\ProgramData\acoqdtfjxomu\htkukoroedzb.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2112
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:896
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2820
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:908
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1652
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1288
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3056
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2968
  - - C:\ProgramData\acoqdtfjxomu\htkukoroedzb.exe
      "C:\ProgramData\acoqdtfjxomu\htkukoroedzb.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2452
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        
        PID:2392
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1352
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:312
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2372
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:2648
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:268
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:1552
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:896
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        
        PID:1240
    - - C:\Windows\system32\dialer.exe
        
        dialer.exe
        5⤵
        
        PID:2900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      PID:1232
  - - C:\ProgramData\acoqdtfjxomu\htkukoroedzb.exe
      "C:\ProgramData\acoqdtfjxomu\htkukoroedzb.exe"
      4⤵
      PID:2568
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        
        PID:2400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:2324
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:1452
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2132
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1364
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:272
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:2060
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:2312
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        
        PID:1400
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    PID:2784

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:496

C:\Users\Admin\AppData\Local\Temp\6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe
"C:\Users\Admin\AppData\Local\Temp\6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2548
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2544
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2672
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2972
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2612
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2420
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2440
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "IOAOSJPS"
  2⤵
  - Launches sc.exe
  PID:2392
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "IOAOSJPS" binpath= "C:\ProgramData\acoqdtfjxomu\htkukoroedzb.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2876
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:1568
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "IOAOSJPS"
  2⤵
  - Launches sc.exe
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\acoqdtfjxomu\htkukoroedzb.exe

Filesize
1024KB

MD5
c5853573eeba24331da4688d54108041

SHA1
f5699c59aeed8738b49277ebba99f7faa5747bec

SHA256
27987e3dcaa79f1093fe5023466c9b8ab0069595e41d7bc1f00311dd5be8edff

SHA512
5388d9cc63ee802e2e7b2f7e80afaed8832e370cf8aaf1145a0f4733bdbb412d2388304c8c978ba16dc971668489763b0ce9709bd91521d8cd30fead0d0cb978

Download Submit
C:\Windows\TEMP\ntrghywhzxzp.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
\ProgramData\acoqdtfjxomu\htkukoroedzb.exe

Filesize
2.8MB

MD5
ffa9de7e1099b646dd55d1245bbbe4e4

SHA1
c189bf90d44bdc77e44ba0bb8c12f98ef4d79993

SHA256
6c5c73f1bd61c9281d05d5eab840eb689fe63ec15977cc60012ce5c7184042b6

SHA512
49d52955833b59810b0227b27a02ead5c8f0b4be3432f59898e3868e5fc3b2c1b33cce277f68ed22c107b04eee2a79c1663d0e5adfce2468f5fc3d8b250163ee

Download Submit
memory/108-139-0x00000000375F0000-0x0000000037600000-memory.dmp

Filesize
64KB

Download
memory/108-125-0x0000000000EF0000-0x0000000000F1B000-memory.dmp

Filesize
172KB

Download
memory/348-136-0x00000000002D0000-0x00000000002FB000-memory.dmp

Filesize
172KB

Download
memory/432-33-0x0000000077601000-0x0000000077602000-memory.dmp

Filesize
4KB

Download
memory/432-196-0x0000000000390000-0x00000000003BB000-memory.dmp

Filesize
172KB

Download
memory/432-29-0x00000000375F0000-0x0000000037600000-memory.dmp

Filesize
64KB

Download
memory/432-24-0x00000000002F0000-0x0000000000314000-memory.dmp

Filesize
144KB

Download
memory/432-32-0x0000000000320000-0x000000000034B000-memory.dmp

Filesize
172KB

Download
memory/432-26-0x00000000002F0000-0x0000000000314000-memory.dmp

Filesize
144KB

Download
memory/432-27-0x0000000000320000-0x000000000034B000-memory.dmp

Filesize
172KB

Download
memory/432-28-0x000007FEBF560000-0x000007FEBF570000-memory.dmp

Filesize
64KB

Download
memory/480-201-0x0000000000CA0000-0x0000000000CCB000-memory.dmp

Filesize
172KB

Download
memory/480-38-0x0000000000060000-0x000000000008B000-memory.dmp

Filesize
172KB

Download
memory/480-100-0x0000000000060000-0x000000000008B000-memory.dmp

Filesize
172KB

Download
memory/480-40-0x000007FEBF560000-0x000007FEBF570000-memory.dmp

Filesize
64KB

Download
memory/480-41-0x00000000375F0000-0x0000000037600000-memory.dmp

Filesize
64KB

Download
memory/488-217-0x0000000000A20000-0x0000000000A4B000-memory.dmp

Filesize
172KB

Download
memory/488-62-0x0000000000200000-0x000000000022B000-memory.dmp

Filesize
172KB

Download
memory/488-72-0x0000000000200000-0x000000000022B000-memory.dmp

Filesize
172KB

Download
memory/488-67-0x00000000375F0000-0x0000000037600000-memory.dmp

Filesize
64KB

Download
memory/488-63-0x000007FEBF560000-0x000007FEBF570000-memory.dmp

Filesize
64KB

Download
memory/496-75-0x00000000375F0000-0x0000000037600000-memory.dmp

Filesize
64KB

Download
memory/496-74-0x00000000003F0000-0x000000000041B000-memory.dmp

Filesize
172KB

Download
memory/496-162-0x00000000003F0000-0x000000000041B000-memory.dmp

Filesize
172KB

Download
memory/496-219-0x00000000004F0000-0x000000000051B000-memory.dmp

Filesize
172KB

Download
memory/496-73-0x000007FEBF560000-0x000007FEBF570000-memory.dmp

Filesize
64KB

Download
memory/496-69-0x00000000003F0000-0x000000000041B000-memory.dmp

Filesize
172KB

Download
memory/600-80-0x000007FEBF560000-0x000007FEBF570000-memory.dmp

Filesize
64KB

Download
memory/600-79-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/600-82-0x00000000375F0000-0x0000000037600000-memory.dmp

Filesize
64KB

Download
memory/600-234-0x0000000000270000-0x000000000029B000-memory.dmp

Filesize
172KB

Download
memory/600-175-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/676-94-0x00000000375F0000-0x0000000037600000-memory.dmp

Filesize
64KB

Download
memory/676-88-0x000007FEBF560000-0x000007FEBF570000-memory.dmp

Filesize
64KB

Download
memory/676-176-0x00000000002F0000-0x000000000031B000-memory.dmp

Filesize
172KB

Download
memory/676-86-0x00000000002F0000-0x000000000031B000-memory.dmp

Filesize
172KB

Download
memory/752-92-0x0000000000D00000-0x0000000000D2B000-memory.dmp

Filesize
172KB

Download
memory/752-98-0x000007FEBF560000-0x000007FEBF570000-memory.dmp

Filesize
64KB

Download
memory/752-223-0x0000000000D00000-0x0000000000D2B000-memory.dmp

Filesize
172KB

Download
memory/752-101-0x00000000375F0000-0x0000000037600000-memory.dmp

Filesize
64KB

Download
memory/812-225-0x0000000000C10000-0x0000000000C3B000-memory.dmp

Filesize
172KB

Download
memory/812-99-0x0000000000C10000-0x0000000000C3B000-memory.dmp

Filesize
172KB

Download
memory/812-114-0x00000000375F0000-0x0000000037600000-memory.dmp

Filesize
64KB

Download
memory/812-105-0x0000000000C10000-0x0000000000C3B000-memory.dmp

Filesize
172KB

Download
memory/848-154-0x00000000375F0000-0x0000000037600000-memory.dmp

Filesize
64KB

Download
memory/848-230-0x0000000000CF0000-0x0000000000D1B000-memory.dmp

Filesize
172KB

Download
memory/848-110-0x0000000000CF0000-0x0000000000D1B000-memory.dmp

Filesize
172KB

Download
memory/964-131-0x00000000375F0000-0x0000000037600000-memory.dmp

Filesize
64KB

Download
memory/964-120-0x0000000000ED0000-0x0000000000EFB000-memory.dmp

Filesize
172KB

Download
memory/1060-146-0x00000000375F0000-0x0000000037600000-memory.dmp

Filesize
64KB

Download
memory/1060-143-0x0000000002120000-0x000000000214B000-memory.dmp

Filesize
172KB

Download
memory/1124-150-0x0000000002120000-0x000000000214B000-memory.dmp

Filesize
172KB

Download
memory/1140-158-0x00000000002A0000-0x00000000002CB000-memory.dmp

Filesize
172KB

Download
memory/1140-160-0x00000000375F0000-0x0000000037600000-memory.dmp

Filesize
64KB

Download
memory/1892-54-0x0000000019FE0000-0x000000001A2C2000-memory.dmp

Filesize
2.9MB

Download
memory/1892-58-0x000007FEF5160000-0x000007FEF5AFD000-memory.dmp

Filesize
9.6MB

Download
memory/1892-61-0x0000000001480000-0x0000000001500000-memory.dmp

Filesize
512KB

Download
memory/1892-59-0x0000000001480000-0x0000000001500000-memory.dmp

Filesize
512KB

Download
memory/1892-91-0x000007FEF5160000-0x000007FEF5AFD000-memory.dmp

Filesize
9.6MB

Download
memory/1892-57-0x0000000001480000-0x0000000001500000-memory.dmp

Filesize
512KB

Download
memory/1892-55-0x000007FEF5160000-0x000007FEF5AFD000-memory.dmp

Filesize
9.6MB

Download
memory/1892-60-0x0000000001480000-0x0000000001500000-memory.dmp

Filesize
512KB

Download
memory/1892-56-0x0000000000E00000-0x0000000000E08000-memory.dmp

Filesize
32KB

Download
memory/2356-53-0x0000000000200000-0x000000000022B000-memory.dmp

Filesize
172KB

Download
memory/2440-66-0x00000000775B0000-0x0000000077759000-memory.dmp

Filesize
1.7MB

Download
memory/2440-18-0x00000000775B0000-0x0000000077759000-memory.dmp

Filesize
1.7MB

Download
memory/2440-13-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2440-14-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2440-20-0x0000000077490000-0x00000000775AF000-memory.dmp

Filesize
1.1MB

Download
memory/2440-12-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2440-15-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2440-21-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2440-17-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2960-11-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/2960-9-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2960-7-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2960-10-0x0000000002994000-0x0000000002997000-memory.dmp

Filesize
12KB

Download
memory/2960-4-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2960-5-0x0000000002200000-0x0000000002208000-memory.dmp

Filesize
32KB

Download
memory/2960-6-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/2960-8-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/2968-210-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/2968-213-0x0000000000F10000-0x0000000000F90000-memory.dmp

Filesize
512KB

Download
memory/2968-211-0x0000000000F10000-0x0000000000F90000-memory.dmp

Filesize
512KB

Download
memory/2968-206-0x0000000000F10000-0x0000000000F90000-memory.dmp

Filesize
512KB

Download
memory/2968-204-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/2968-218-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/3056-184-0x0000000077490000-0x00000000775AF000-memory.dmp

Filesize
1.1MB

Download
memory/3056-181-0x00000000775B0000-0x0000000077759000-memory.dmp

Filesize
1.7MB

Download