Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
- submitted: 07-03-2024 02:13
Static task: static1
Behavioral task: behavioral1
Sample: 336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe
Resource: win7-20240221-en
General
- Target: 336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe
- Size: 161KB
- MD5: 26372b0b4b307a2d1b7ed4e6039ba23e
- SHA1: 423a2290db7b757245efc42327ac9667c0bd91c6
- SHA256: 336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69
- SHA512: c0e868d9cfa9c843c12790a3e7a442117952039ebc6c1852b51c6f490d7429d6950fab1666f7d24d69ec90aad4420fa3c3575a12952e4bfdc116e1cd48356ad3
- SSDEEP: 1536:YY55gZdDecFo+b3K//ErpPriC8YEJfIHooSi6B35R5W3ScYCcojrECIMckz+rug:hiZUCzKhJfIHBs35npcYCcsECIMckz+
Malware Config
Extracted
- family: smokeloader
- botnet: pub1
Extracted
- family: smokeloader
- version: 2022
- c2: http://trad-einmyus.com/index.php
- c2: http://tradein-myus.com/index.php
- c2: http://trade-inmyus.com/index.php
Extracted
- family: djvu
- c2: http://sajdfue.com/test1/get.php
- extension: .wisz
- offline_id: 4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
- payload_url: http://sdfjhuz.com/dl/build2.exe
- payload_url: http://sajdfue.com/files/1/build3.exe
- ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS
Extracted
- family: lumma
- c2: https://resergvearyinitiani.shop/api
- c2: https://technologyenterdo.shop/api
- c2: https://detectordiscusser.shop/api
- c2: https://turkeyunlikelyofw.shop/api
- c2: https://associationokeo.shop/api
Signatures

Detected Djvu ransomware 9 IoCs
resource  yara_rule
behavioral2/memory/2160-17-0x0000000003C90000-0x0000000003DAB000-memory.dmp  family_djvu
behavioral2/memory/4704-18-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral2/memory/4704-20-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral2/memory/4704-21-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral2/memory/4704-22-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral2/memory/4704-34-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral2/memory/3476-40-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral2/memory/3476-41-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral2/memory/3476-43-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Glupteba payload 11 IoCs
resource  yara_rule
behavioral2/memory/3764-95-0x0000000000400000-0x00000000022EF000-memory.dmp  family_glupteba
behavioral2/memory/3764-96-0x0000000004320000-0x0000000004C0B000-memory.dmp  family_glupteba
behavioral2/memory/3764-142-0x0000000000400000-0x00000000022EF000-memory.dmp  family_glupteba
behavioral2/memory/2412-146-0x0000000000400000-0x00000000022EF000-memory.dmp  family_glupteba
behavioral2/memory/2412-200-0x0000000000400000-0x00000000022EF000-memory.dmp  family_glupteba
behavioral2/memory/2412-247-0x0000000000400000-0x00000000022EF000-memory.dmp  family_glupteba
behavioral2/memory/1612-317-0x0000000000400000-0x00000000022EF000-memory.dmp  family_glupteba
behavioral2/memory/1612-353-0x0000000000400000-0x00000000022EF000-memory.dmp  family_glupteba
behavioral2/memory/1612-363-0x0000000000400000-0x00000000022EF000-memory.dmp  family_glupteba
behavioral2/memory/1612-366-0x0000000000400000-0x00000000022EF000-memory.dmp  family_glupteba
behavioral2/memory/1612-369-0x0000000000400000-0x00000000022EF000-memory.dmp  family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.

Detects Windows executables referencing non-Windows User-Agents 10 IoCs
resource  yara_rule
behavioral2/memory/3764-95-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3764-142-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2412-146-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2412-200-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2412-247-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1612-317-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1612-353-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1612-363-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1612-366-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1612-369-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables Discord URL observed in first stage droppers 10 IoCs
resource  yara_rule
behavioral2/memory/3764-95-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3764-142-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/2412-146-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/2412-200-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/2412-247-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1612-317-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1612-353-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1612-363-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1612-366-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1612-369-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables containing URLs to raw contents of a Github gist 10 IoCs
resource  yara_rule
behavioral2/memory/3764-95-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3764-142-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2412-146-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2412-200-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2412-247-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1612-317-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1612-353-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1612-363-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1612-366-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1612-369-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing artifacts associated with disabling Windows Defender 10 IoCs
resource  yara_rule
behavioral2/memory/3764-95-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3764-142-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/2412-146-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/2412-200-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/2412-247-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1612-317-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1612-353-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1612-363-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1612-366-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1612-369-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables referencing many varying, potentially fake Windows User-Agents 10 IoCs
resource  yara_rule
behavioral2/memory/3764-95-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3764-142-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/2412-146-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/2412-200-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/2412-247-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1612-317-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1612-353-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1612-363-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1612-366-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1612-369-0x0000000000400000-0x00000000022EF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA

UPX dump on OEP (original entry point) 4 IoCs
resource  yara_rule
behavioral2/files/0x0008000000023204-356.dat  UPX
behavioral2/memory/3564-361-0x0000000000400000-0x00000000008DF000-memory.dmp  UPX
behavioral2/memory/2500-364-0x0000000000400000-0x00000000008DF000-memory.dmp  UPX
behavioral2/memory/2500-370-0x0000000000400000-0x00000000008DF000-memory.dmp  UPX

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs
pid  Process
224  netsh.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation  AE60.exe

Deletes itself 1 IoCs
pid   Process
3416  Process not Found

Executes dropped EXE 12 IoCs
pid   Process
2160  AE60.exe
4704  AE60.exe
4072  AE60.exe
3476  AE60.exe
4820  FDD9.exe
3764  BA6.exe
3396  1BD4.exe
2412  BA6.exe
1612  csrss.exe
1960  injector.exe
3564  windefender.exe
2500  windefender.exe

Modifies file permissions 1 TTPs 1 IoCs
pid   Process
3984  icacls.exe

resource  yara_rule
behavioral2/files/0x0008000000023204-356.dat  upx
behavioral2/memory/3564-361-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/2500-364-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/2500-370-0x0000000000400000-0x00000000008DF000-memory.dmp  upx

Adds Run key to start application 2 TTPs 3 IoCs
description      ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6d8992a8-b344-4c75-9787-37dd025ff4c3\\AE60.exe\" --AutoStart"  AE60.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  BA6.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
158   api.2ip.ua
156   api.2ip.ua

Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
description                   ioc           Process
File opened for modification  \??\WinMonFS  csrss.exe

Drops file in System32 directory 7 IoCs
description                   ioc  Process
File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe

Suspicious use of SetThreadContext 2 IoCs
description                          pid   Process   procid_target
PID 2160 set thread context of 4704  2160  AE60.exe  103
PID 4072 set thread context of 3476  4072  AE60.exe  107

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description              ioc                Process
File opened (read-only)  \??\VBoxMiniRdrDN  BA6.exe

Drops file in Windows directory 4 IoCs
description                   ioc                         Process
File created                  C:\Windows\rss\csrss.exe    BA6.exe
File created                  C:\Windows\windefender.exe  csrss.exe
File opened for modification  C:\Windows\windefender.exe  csrss.exe
File opened for modification  C:\Windows\rss              BA6.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid   Process
2076  sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 2 IoCs
pid   pid_target  Process       procid_target
4512  3476        WerFault.exe  107
4072  3516        WerFault.exe  116

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description     ioc                                               Process
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
4808  schtasks.exe
4476  schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
3628  336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe  (2 entries)
3416  Process not Found  (62 entries)

Suspicious behavior: MapViewOfSection 1 IoCs
pid   Process
3628  336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs
description                          pid   Process
Token: SeShutdownPrivilege           3416  Process not Found  (13 entries)
Token: SeCreatePagefilePrivilege     3416  Process not Found  (13 entries)
Token: SeDebugPrivilege              3516  powershell.exe
Token: SeDebugPrivilege              3764  BA6.exe
Token: SeImpersonatePrivilege        3764  BA6.exe
Token: SeDebugPrivilege              8     powershell.exe
Token: SeDebugPrivilege              3984  powershell.exe
Token: SeDebugPrivilege              4816  powershell.exe
Token: SeDebugPrivilege              3904  powershell.exe
Token: SeDebugPrivilege              4472  powershell.exe
Token: SeDebugPrivilege              1156  powershell.exe
Token: SeSystemEnvironmentPrivilege  1612  csrss.exe
Token: SeSecurityPrivilege           2076  sc.exe  (2 entries)

Suspicious use of UnmapMainImage 1 IoCs
pid   Process
3416  Process not Found

Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process            procid_target
PID 3416 wrote to memory of 2160  3416  Process not Found  101  (3 entries)
PID 2160 wrote to memory of 4704  2160  AE60.exe           103  (10 entries)
PID 4704 wrote to memory of 3984  4704  AE60.exe           104  (3 entries)
PID 4704 wrote to memory of 4072  4704  AE60.exe           105  (3 entries)
PID 4072 wrote to memory of 3476  4072  AE60.exe           107  (10 entries)
PID 3416 wrote to memory of 4820  3416  Process not Found  111  (3 entries)
PID 3416 wrote to memory of 684   3416  Process not Found  112  (2 entries)
PID 684 wrote to memory of 3152   684   cmd.exe            114  (2 entries)
PID 3416 wrote to memory of 3764  3416  Process not Found  115  (3 entries)
PID 3764 wrote to memory of 3516  3764  BA6.exe            116  (3 entries)
PID 3416 wrote to memory of 3396  3416  Process not Found  118  (2 entries)
PID 2412 wrote to memory of 8     2412  BA6.exe            124  (3 entries)
PID 2412 wrote to memory of 1236  2412  BA6.exe            126  (2 entries)
PID 1236 wrote to memory of 224   1236  cmd.exe            128  (2 entries)
PID 2412 wrote to memory of 3984  2412  BA6.exe            129  (3 entries)
PID 2412 wrote to memory of 4816  2412  BA6.exe            131  (3 entries)
PID 2412 wrote to memory of 1612  2412  BA6.exe            133  (3 entries)
PID 1612 wrote to memory of 3904  1612  csrss.exe          134  (3 entries)
PID 1612 wrote to memory of 4472  1612  csrss.exe          139  (1 entry)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe (PID 3628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe"
  Behaviors: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\AE60.exe (PID 2160)
  Command line: C:\Users\Admin\AppData\Local\Temp\AE60.exe
  Behaviors: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\AE60.exe (PID 4704)
    Command line: C:\Users\Admin\AppData\Local\Temp\AE60.exe
    Behaviors: Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\icacls.exe (PID 3984)
      Command line: icacls "C:\Users\Admin\AppData\Local\6d8992a8-b344-4c75-9787-37dd025ff4c3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      Behaviors: Modifies file permissions
    - C:\Users\Admin\AppData\Local\Temp\AE60.exe (PID 4072)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AE60.exe" --Admin IsNotAutoStart IsNotTask
      Behaviors: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\AE60.exe (PID 3476)
        Command line: "C:\Users\Admin\AppData\Local\Temp\AE60.exe" --Admin IsNotAutoStart IsNotTask
        Behaviors: Executes dropped EXE
        - C:\Windows\SysWOW64\WerFault.exe (PID 4512)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 568
          Behaviors: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4324)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3476 -ip 3476
- C:\Users\Admin\AppData\Local\Temp\FDD9.exe (PID 4820)
  Command line: C:\Users\Admin\AppData\Local\Temp\FDD9.exe
  Behaviors: Executes dropped EXE
- C:\Windows\system32\cmd.exe (PID 684)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\174.bat" "
  Behaviors: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\reg.exe (PID 3152)
    Command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
- C:\Users\Admin\AppData\Local\Temp\BA6.exe (PID 3764)
  Command line: C:\Users\Admin\AppData\Local\Temp\BA6.exe
  Behaviors: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3516)
    Command line: powershell -nologo -noprofile
    Behaviors: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 4072)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 2496
      Behaviors: Program crash
  - C:\Users\Admin\AppData\Local\Temp\BA6.exe (PID 2412)
    Command line: "C:\Users\Admin\AppData\Local\Temp\BA6.exe"
    Behaviors: Executes dropped EXE; Adds Run key to start application; Checks for VirtualBox DLLs, possible anti-VM trick; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 8)
      Command line: powershell -nologo -noprofile
      Behaviors: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 1236)
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      Behaviors: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\netsh.exe (PID 224)
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        Behaviors: Modifies Windows Firewall
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3984)
      Command line: powershell -nologo -noprofile
      Behaviors: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4816)
      Command line: powershell -nologo -noprofile
      Behaviors: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\rss\csrss.exe (PID 1612)
      Command line: C:\Windows\rss\csrss.exe
      Behaviors: Executes dropped EXE; Adds Run key to start application; Manipulates WinMonFS driver; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3904)
        Command line: powershell -nologo -noprofile
        Behaviors: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SYSTEM32\schtasks.exe (PID 4808)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Behaviors: Creates scheduled task(s)
      - C:\Windows\SYSTEM32\schtasks.exe (PID 1948)
        Command line: schtasks /delete /tn ScheduledUpdate /f
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4472)
        Command line: powershell -nologo -noprofile
        Behaviors: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1156)
        Command line: powershell -nologo -noprofile
        Behaviors: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 1960)
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        Behaviors: Executes dropped EXE
      - C:\Windows\SYSTEM32\schtasks.exe (PID 4476)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Behaviors: Creates scheduled task(s)
      - C:\Windows\windefender.exe (PID 3564)
        Command line: "C:\Windows\windefender.exe"
        Behaviors: Executes dropped EXE
        - C:\Windows\SysWOW64\cmd.exe (PID 4416)
          Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          - C:\Windows\SysWOW64\sc.exe (PID 2076)
            Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            Behaviors: Launches sc.exe; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\1BD4.exe (PID 3396)
  Command line: C:\Users\Admin\AppData\Local\Temp\1BD4.exe
  Behaviors: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (PID 4180)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3516 -ip 3516
- C:\Windows\windefender.exe (PID 2500)
  Command line: C:\Windows\windefender.exe
  Behaviors: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads