Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-04-2024 07:00

Static task: static1
Behavioral task: behavioral1
Sample: 85b28f9c06352d426df83b6f25a957f3_JaffaCakes118.exe
Resource: win7-20240221-en
General
- Target: 85b28f9c06352d426df83b6f25a957f3_JaffaCakes118.exe
- Size: 451KB
- MD5: 85b28f9c06352d426df83b6f25a957f3
- SHA1: d11ed3bee7fef2d60b6de1fbc539ef4d2c9265e9
- SHA256: 4b332741c9b18814b397445cf93d10515ca4d2b95fde05686e6583a42de37fc3
- SHA512: 370361dc0fee6f1aeea25fc1af732d4971ee1aee6d7de188c01b587c3135f0801b88ae6258ada95a397ecbc3bfa9b2087728bf5887580b0c41656c0b044e5435
- SSDEEP: 12288:wtQsjr1agUc7iGBDZyRrvgpTsdiIhSSyE/24v99P:a9jrQQuGirgp4diIhiPmH
Malware Config
Extracted
- Family: phorphiex
- URL: http://185.215.113.66/
Signatures

Phorphiex payload 1 IoCs
Processes (resource | yara_rule):
- \Users\Admin\AppData\Local\Temp\3047911394.exe | family_phorphiex
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
Processes (description | pid | process | target process):
- PID 1876 created 1240 | 1876 | 1162928210.exe | Explorer.EXE (2 entries)
- PID 2996 created 1240 | 2996 | wupgrdsv.exe | Explorer.EXE (2 entries)
Processes (ioc | process); every entry is Set value (int) ... = "1" under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\:
- AntiVirusOverride | 3047911394.exe
- UpdatesDisableNotify | 3047911394.exe
- FirewallDisableNotify | sylsplvc.exe
- AntiVirusDisableNotify | sylsplvc.exe
- FirewallDisableNotify | 3047911394.exe
- AntiVirusOverride | sylsplvc.exe
- AntiVirusOverride | 197762774.exe
- UpdatesOverride | 197762774.exe
- UpdatesOverride | 3047911394.exe
- FirewallOverride | 197762774.exe
- FirewallDisableNotify | 197762774.exe
- UpdatesDisableNotify | 197762774.exe
- UpdatesDisableNotify | sylsplvc.exe
- FirewallOverride | 3047911394.exe
- AntiVirusDisableNotify | 3047911394.exe
- FirewallOverride | sylsplvc.exe
- UpdatesOverride | sylsplvc.exe
- AntiVirusDisableNotify | 197762774.exe
XMRig Miner payload 3 IoCs
Processes (resource | yara_rule):
- behavioral1/memory/2996-131-0x000000013F3F0000-0x000000013F966000-memory.dmp | xmrig
- behavioral1/memory/2936-134-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
- behavioral1/memory/2936-135-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig

Downloads MZ/PE file
Executes dropped EXE 9 IoCs
Processes (pid | process):
- 2484 | 4B91.exe
- 2624 | sylsplvc.exe
- 2412 | 3047911394.exe
- 484 | 197762774.exe
- 2824 | 211009282.exe
- 2084 | 1027232614.exe
- 2228 | 129495455.exe
- 1876 | 1162928210.exe
- 2996 | wupgrdsv.exe
Loads dropped DLL 11 IoCs
Processes (pid | process):
- 2884 | 85b28f9c06352d426df83b6f25a957f3_JaffaCakes118.exe (2 entries)
- 2624 | sylsplvc.exe (3 entries)
- 484 | 197762774.exe (4 entries)
- 2228 | 129495455.exe
- 2604 | taskeng.exe
Processes (ioc | process); every entry is Set value (int) ... = "1" under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\:
- UpdatesOverride | sylsplvc.exe
- AntiVirusOverride | 3047911394.exe
- FirewallDisableNotify | 197762774.exe
- AntiVirusOverride | 197762774.exe
- UpdatesOverride | 197762774.exe
- UpdatesDisableNotify | 197762774.exe
- FirewallOverride | sylsplvc.exe
- FirewallOverride | 3047911394.exe
- FirewallDisableNotify | 3047911394.exe
- AntiSpywareOverride | 3047911394.exe
- UpdatesDisableNotify | 3047911394.exe
- AntiSpywareOverride | sylsplvc.exe
- FirewallOverride | 197762774.exe
- AntiVirusDisableNotify | 197762774.exe
- UpdatesOverride | 3047911394.exe
- AntiSpywareOverride | 197762774.exe
- FirewallDisableNotify | sylsplvc.exe
- AntiVirusOverride | sylsplvc.exe
- AntiVirusDisableNotify | sylsplvc.exe
- UpdatesDisableNotify | sylsplvc.exe
- AntiVirusDisableNotify | 3047911394.exe
Adds Run key to start application 2 TTPs 5 IoCs
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sylsplvc.exe" | 4B91.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winknavrso.exe" | 3047911394.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Users\\Admin\\winknavrso.exe" | 3047911394.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysdinrdvs.exe" | 197762774.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysdinrdvs.exe" | 197762774.exe
Drops file in System32 directory 2 IoCs
Processes (description | ioc | process):
- File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe (2 entries)
Suspicious use of SetThreadContext 1 IoCs
Processes (description | pid | process | target process):
- PID 2996 set thread context of 2936 | 2996 | wupgrdsv.exe | notepad.exe
Drops file in Windows directory 6 IoCs
Processes (description | ioc | process):
- File created | C:\Windows\winknavrso.exe | 3047911394.exe
- File opened for modification | C:\Windows\winknavrso.exe | 3047911394.exe
- File created | C:\Windows\sysdinrdvs.exe | 197762774.exe
- File opened for modification | C:\Windows\sysdinrdvs.exe | 197762774.exe
- File created | C:\Windows\sylsplvc.exe | 4B91.exe
- File opened for modification | C:\Windows\sylsplvc.exe | 4B91.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process):
- 2536 | schtasks.exe
- 2392 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes (pid | process):
- 1876 | 1162928210.exe (2 entries)
- 2964 | powershell.exe
- 1876 | 1162928210.exe (2 entries)
- 2996 | wupgrdsv.exe (2 entries)
- 3000 | powershell.exe
- 2996 | wupgrdsv.exe (2 entries)
Suspicious behavior: LoadsDriver 1 IoCs
Processes (pid | process):
- 464 | (process name not recorded)
Suspicious behavior: SetClipboardViewer 2 IoCs
Processes (pid | process):
- 2412 | 3047911394.exe
- 484 | 197762774.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (description | pid | process):
- Token: SeDebugPrivilege | 2964 | powershell.exe
- Token: SeDebugPrivilege | 3000 | powershell.exe
- Token: SeLockMemoryPrivilege | 2936 | notepad.exe (2 entries)
Suspicious use of FindShellTrayWindow 25 IoCs
Processes (pid | process):
- 2936 | notepad.exe (25 entries)
Suspicious use of SendNotifyMessage 25 IoCs
Processes (pid | process):
- 2936 | notepad.exe (25 entries)
Suspicious use of WriteProcessMemory 42 IoCs
Processes (description | pid | process | target process):
- PID 2884 wrote to memory of 2484 | 2884 | 85b28f9c06352d426df83b6f25a957f3_JaffaCakes118.exe | 4B91.exe (4 entries)
- PID 2484 wrote to memory of 2624 | 2484 | 4B91.exe | sylsplvc.exe (4 entries)
- PID 2624 wrote to memory of 2412 | 2624 | sylsplvc.exe | 3047911394.exe (4 entries)
- PID 2624 wrote to memory of 484 | 2624 | sylsplvc.exe | 197762774.exe (4 entries)
- PID 484 wrote to memory of 2824 | 484 | 197762774.exe | 211009282.exe (4 entries)
- PID 484 wrote to memory of 2084 | 484 | 197762774.exe | 1027232614.exe (4 entries)
- PID 484 wrote to memory of 2228 | 484 | 197762774.exe | 129495455.exe (4 entries)
- PID 2228 wrote to memory of 1876 | 2228 | 129495455.exe | 1162928210.exe (4 entries)
- PID 2964 wrote to memory of 2536 | 2964 | powershell.exe | schtasks.exe (3 entries)
- PID 2604 wrote to memory of 2996 | 2604 | taskeng.exe | wupgrdsv.exe (3 entries)
- PID 3000 wrote to memory of 2392 | 3000 | powershell.exe | schtasks.exe (3 entries)
- PID 2996 wrote to memory of 2936 | 2996 | wupgrdsv.exe | notepad.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; nesting shows parent/child, each entry gives image path, PID, command line and the signatures matched by that process)
- C:\Windows\Explorer.EXE (PID 1240)
  cmd: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\85b28f9c06352d426df83b6f25a957f3_JaffaCakes118.exe (PID 2884)
    cmd: "C:\Users\Admin\AppData\Local\Temp\85b28f9c06352d426df83b6f25a957f3_JaffaCakes118.exe"
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\4B91.exe (PID 2484)
      cmd: "C:\Users\Admin\AppData\Local\Temp\4B91.exe"
      signatures: Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - C:\Windows\sylsplvc.exe (PID 2624)
        cmd: C:\Windows\sylsplvc.exe
        signatures: Windows security bypass; Executes dropped EXE; Loads dropped DLL; Windows security modification; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\3047911394.exe (PID 2412)
          cmd: C:\Users\Admin\AppData\Local\Temp\3047911394.exe
          signatures: Windows security bypass; Executes dropped EXE; Windows security modification; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: SetClipboardViewer
        - C:\Users\Admin\AppData\Local\Temp\197762774.exe (PID 484)
          cmd: C:\Users\Admin\AppData\Local\Temp\197762774.exe
          signatures: Windows security bypass; Executes dropped EXE; Loads dropped DLL; Windows security modification; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: SetClipboardViewer; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\211009282.exe (PID 2824)
            cmd: C:\Users\Admin\AppData\Local\Temp\211009282.exe
            signatures: Executes dropped EXE
          - C:\Users\Admin\AppData\Local\Temp\1027232614.exe (PID 2084)
            cmd: C:\Users\Admin\AppData\Local\Temp\1027232614.exe
            signatures: Executes dropped EXE
          - C:\Users\Admin\AppData\Local\Temp\129495455.exe (PID 2228)
            cmd: C:\Users\Admin\AppData\Local\Temp\129495455.exe
            signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Local\Temp\1162928210.exe (PID 1876)
              cmd: C:\Users\Admin\AppData\Local\Temp\1162928210.exe
              signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2964)
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
    signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 2536)
      cmd: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
      signatures: Creates scheduled task(s)
  - C:\Windows\System32\schtasks.exe (PID 2520)
    cmd: C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3000)
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
    signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 2392)
      cmd: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
      signatures: Creates scheduled task(s)
  - C:\Windows\System32\notepad.exe (PID 2936)
    cmd: C:\Windows\System32\notepad.exe
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\system32\taskeng.exe (PID 2604)
  cmd: taskeng.exe {A4E6FFC7-5F5F-4E13-AB0F-3B95E6E2A2F9} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Windows Upgrade\wupgrdsv.exe (PID 2996)
    cmd: "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HQQVSTWU\2[1]
  Filesize: 84KB
  MD5: b464b1ac75172e05db725d17b9bb9044
  SHA1: cc8689ef9f70be7210520bd68b9767e3c6f1e363
  SHA256: c1b2b4d052f98028e6b32955ed052881591bbaa57f11279b7745cc26566f8268
  SHA512: 9adab953f44c68cd0eb37873a51d18827a06bf4d99d4d354053e16bd4c3bb272b9c9290cc4190919f9d89bfe6d304546ddffc460f8ee2ed8e75a9bd3e13294e2
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XJ0RD6PK\1[1]
  Filesize: 23KB
  MD5: 07d8d1886e9515653645a06317888a14
  SHA1: 50efdfb1b292bb28b9177e19e898d8b4ec59ec09
  SHA256: 4ecc3858eb5f437af29b9a7ed8fce1b2b6650573f06df09e551e77b1e599195b
  SHA512: 09d51a4ddb2d7e772547f5af7987cbd79c907b5cdcb13e6e3562d81a1a097c3a38f9f1b7c6b98ca81687990dcefdccb2b025ce2b253981dd94ecb554184e6894
- C:\Users\Admin\AppData\Local\Temp\1162928210.exe
  Filesize: 5.4MB
  MD5: 41ab08c1955fce44bfd0c76a64d1945a
  SHA1: 2b9cb05f4de5d98c541d15175d7f0199cbdd0eea
  SHA256: dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493
  SHA512: 38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 8b91048256828a4e0ddb0095ec4a7c48
  SHA1: 547a4a90a02ef3eda43fabd0e56e803040f25ac9
  SHA256: 92530a468a452d598a7533fe9f4b8291d9903921245b760e9a6f5ed598e97b38
  SHA512: 6d7c2ddb3f006ea8468384301e416623f6de5387036f6f8a584dbab8a1548117bfca3c477b48caa6e989073c8c209dc603d9c42507f96133727547c89324184d
- \Users\Admin\AppData\Local\Temp\129495455.exe
  Filesize: 6KB
  MD5: 0d539e8277f20391a31babff8714fdb0
  SHA1: a4e63870aa5fd258dde4f02be70732c27f556fa9
  SHA256: 669035f4f05fe6ffc7722987c41f802f3a11298cb3a154b00c4e76df2ae5fe32
  SHA512: 700ff1733a064ddda80c0ac4702e50a8c0ddd97f154ff894f89d16603c02076a13e1a93ca51224579898cdf69e560a69dff60d4f5e26a479e74a3e3350f822ff
- \Users\Admin\AppData\Local\Temp\197762774.exe
  Filesize: 84KB
  MD5: 41d55c23d79fc0c0c322db16c6ce6af8
  SHA1: e4bbdf2a983a11975a7ab6dcba41cb60676ec780
  SHA256: 93f3f99a6d6dc69b907a3da8596bd850c1e3ce53be9bf1c6edfdb00e90579e6f
  SHA512: 06680eb47802659dc2e28cd9a839052a8536112056db49f7179f1b53cf2dba0e9cfd9d8bbdeb446ecb8a2f4a58f7b0f100d0526660d4afd8540a4db091cf621f
- \Users\Admin\AppData\Local\Temp\3047911394.exe
  Filesize: 23KB
  MD5: 9d2b22562b9a3958dfd7e6e6fa7bd66f
  SHA1: 1941c24958ac09cf518f4124225b2d0b5d874cf0
  SHA256: 84daa9d52f759af343741880a3b66a3abb886310de7f552743d99e69741c6450
  SHA512: 8c0b54e01f62207edaaf8f967fe83eacd3e278660c1764feb3fde68bfd376ba875012849f969d8b5922bd6b791a231bf75dc76eade227e2fd25f4791163d9dd1
- \Users\Admin\AppData\Local\Temp\4B91.exe
  Filesize: 79KB
  MD5: 1e8a2ed2e3f35620fb6b8c2a782a57f3
  SHA1: e924ce6d147ecc8b30b7c7cad02e5c9ae09a743a
  SHA256: 3f16f4550826076b2c8cd7b392ee649aeb06740328658a2d30c3d2002c6b7879
  SHA512: ce4dc7fdd7f81a7a127d650f9175292b287b4803d815d74b64a4e5125cff66224d75e7ecade1d9c0e42f870bdb49a78e9613b1a49675ab5bc098611b99b49ade
Memory dumps (dump | Filesize):
- memory/1876-111-0x000000013F600000-0x000000013FB76000-memory.dmp | 5.5MB
- memory/2936-136-0x0000000002100000-0x0000000002120000-memory.dmp | 128KB
- memory/2936-135-0x0000000140000000-0x00000001407EF000-memory.dmp | 7.9MB
- memory/2936-134-0x0000000140000000-0x00000001407EF000-memory.dmp | 7.9MB
- memory/2936-133-0x0000000002100000-0x0000000002120000-memory.dmp | 128KB
- memory/2936-132-0x00000000001C0000-0x00000000001E0000-memory.dmp | 128KB
- memory/2964-101-0x0000000001E90000-0x0000000001E98000-memory.dmp | 32KB
- memory/2964-105-0x0000000002880000-0x0000000002900000-memory.dmp | 512KB
- memory/2964-107-0x0000000002880000-0x0000000002900000-memory.dmp | 512KB
- memory/2964-106-0x0000000002880000-0x0000000002900000-memory.dmp | 512KB
- memory/2964-100-0x000000001B240000-0x000000001B522000-memory.dmp | 2.9MB
- memory/2964-108-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp | 9.6MB
- memory/2964-102-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp | 9.6MB
- memory/2964-103-0x0000000002880000-0x0000000002900000-memory.dmp | 512KB
- memory/2964-104-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp | 9.6MB
- memory/2996-131-0x000000013F3F0000-0x000000013F966000-memory.dmp | 5.5MB
- memory/3000-121-0x0000000001D30000-0x0000000001D38000-memory.dmp | 32KB
- memory/3000-127-0x00000000025B0000-0x0000000002630000-memory.dmp | 512KB
- memory/3000-128-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp | 9.6MB
- memory/3000-126-0x00000000025B0000-0x0000000002630000-memory.dmp | 512KB
- memory/3000-125-0x00000000025B0000-0x0000000002630000-memory.dmp | 512KB
- memory/3000-124-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp | 9.6MB
- memory/3000-123-0x00000000025B0000-0x0000000002630000-memory.dmp | 512KB
- memory/3000-122-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp | 9.6MB
- memory/3000-120-0x000000001B390000-0x000000001B672000-memory.dmp | 2.9MB