Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 07-04-2024 05:12
Static task: static1
Behavioral task: behavioral1
  Sample: e423b16712d6b7c04b46ece26b2b82c6_JaffaCakes118.exe
  Resource: win7-20240221-en
General
Target: e423b16712d6b7c04b46ece26b2b82c6_JaffaCakes118.exe
Size: 964KB
MD5: e423b16712d6b7c04b46ece26b2b82c6
SHA1: 4f1e86ab55814895a8716165237ac79f62c838f4
SHA256: 0b26905925fa6c441b93f7b0e448aeb0960fcbe39449769e207fd35db871e76b
SHA512: e97418e924f265cd99504177e2f1d068c4d1eb1ac47eb19c09937ac417d0843f5cc25209e0c7e2cbb4a66313b70f143b1923fee1dc9d0cfacff91609e0928db2
SSDEEP: 24576:KcL47w2ygNCGwC3UlghoN1bcuEZbZ3Jk4Sx7iE2fxyE:KcD2fwqKNdcNbZ3CxfQ
Malware Config
Extracted
Family: phorphiex
http://185.215.113.66/
Signatures
Phorphiex payload 1 IoCs
Processes:
resource                                        yara_rule
\Users\Admin\AppData\Local\Temp\204624212.exe   family_phorphiex
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
Processes: 2984739447.exe, wupgrdsv.exe
description             pid   process          target process
PID 2544 created 1380   2544  2984739447.exe   Explorer.EXE
PID 2544 created 1380   2544  2984739447.exe   Explorer.EXE
PID 1556 created 1380   1556  wupgrdsv.exe     Explorer.EXE
PID 1556 created 1380   1556  wupgrdsv.exe     Explorer.EXE
Windows security bypass
Processes: 204624212.exe, 2625828257.exe, sylsplvc.exe
All ioc keys below are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center
description       ioc                              process
Set value (int)   AntiVirusOverride = "1"          204624212.exe
Set value (int)   AntiVirusOverride = "1"          2625828257.exe
Set value (int)   UpdatesOverride = "1"            2625828257.exe
Set value (int)   FirewallOverride = "1"           sylsplvc.exe
Set value (int)   UpdatesOverride = "1"            sylsplvc.exe
Set value (int)   UpdatesOverride = "1"            204624212.exe
Set value (int)   FirewallDisableNotify = "1"      204624212.exe
Set value (int)   AntiVirusDisableNotify = "1"     204624212.exe
Set value (int)   UpdatesDisableNotify = "1"       204624212.exe
Set value (int)   FirewallDisableNotify = "1"      2625828257.exe
Set value (int)   AntiVirusDisableNotify = "1"     2625828257.exe
Set value (int)   FirewallDisableNotify = "1"      sylsplvc.exe
Set value (int)   AntiVirusDisableNotify = "1"     sylsplvc.exe
Set value (int)   UpdatesDisableNotify = "1"       sylsplvc.exe
Set value (int)   UpdatesDisableNotify = "1"       2625828257.exe
Set value (int)   AntiVirusOverride = "1"          sylsplvc.exe
Set value (int)   FirewallOverride = "1"           204624212.exe
Set value (int)   FirewallOverride = "1"           2625828257.exe
XMRig Miner payload 2 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/1556-133-0x000000013F800000-0x000000013FD76000-memory.dmp   xmrig
behavioral1/memory/2168-136-0x0000000140000000-0x00000001407EF000-memory.dmp   xmrig
Downloads MZ/PE file
Executes dropped EXE 9 IoCs
Processes: 5ED2.exe, sylsplvc.exe, 204624212.exe, 2625828257.exe, 247382254.exe, 2488825381.exe, 116716693.exe, 2984739447.exe, wupgrdsv.exe
pid    process
2712   5ED2.exe
3032   sylsplvc.exe
2180   204624212.exe
800    2625828257.exe
1116   247382254.exe
2160   2488825381.exe
2696   116716693.exe
2544   2984739447.exe
1556   wupgrdsv.exe
Loads dropped DLL 11 IoCs
Processes: e423b16712d6b7c04b46ece26b2b82c6_JaffaCakes118.exe, sylsplvc.exe, 2625828257.exe, 116716693.exe, taskeng.exe
pid    process
1192   e423b16712d6b7c04b46ece26b2b82c6_JaffaCakes118.exe
1192   e423b16712d6b7c04b46ece26b2b82c6_JaffaCakes118.exe
3032   sylsplvc.exe
3032   sylsplvc.exe
3032   sylsplvc.exe
800    2625828257.exe
800    2625828257.exe
800    2625828257.exe
800    2625828257.exe
2696   116716693.exe
596    taskeng.exe
Windows security modification
Processes: sylsplvc.exe, 204624212.exe, 2625828257.exe
All ioc keys below are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center
description       ioc                              process
Set value (int)   FirewallOverride = "1"           sylsplvc.exe
Set value (int)   AntiVirusOverride = "1"          sylsplvc.exe
Set value (int)   UpdatesOverride = "1"            sylsplvc.exe
Set value (int)   UpdatesDisableNotify = "1"       sylsplvc.exe
Set value (int)   AntiVirusDisableNotify = "1"     204624212.exe
Set value (int)   AntiVirusDisableNotify = "1"     2625828257.exe
Set value (int)   UpdatesOverride = "1"            2625828257.exe
Set value (int)   FirewallOverride = "1"           204624212.exe
Set value (int)   FirewallOverride = "1"           2625828257.exe
Set value (int)   FirewallDisableNotify = "1"      sylsplvc.exe
Set value (int)   AntiSpywareOverride = "1"        sylsplvc.exe
Set value (int)   FirewallDisableNotify = "1"      204624212.exe
Set value (int)   AntiSpywareOverride = "1"        204624212.exe
Set value (int)   AntiVirusOverride = "1"          2625828257.exe
Set value (int)   UpdatesDisableNotify = "1"       2625828257.exe
Set value (int)   AntiVirusDisableNotify = "1"     sylsplvc.exe
Set value (int)   AntiVirusOverride = "1"          204624212.exe
Set value (int)   UpdatesOverride = "1"            204624212.exe
Set value (int)   UpdatesDisableNotify = "1"       204624212.exe
Set value (int)   FirewallDisableNotify = "1"      2625828257.exe
Set value (int)   AntiSpywareOverride = "1"        2625828257.exe
Adds Run key to start application 2 TTPs 5 IoCs
Processes: 204624212.exe, 2625828257.exe, 5ED2.exe
description       ioc                                                                                                                                                                   process
Set value (str)   \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Users\\Admin\\winknavrso.exe"   204624212.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysdinrdvs.exe"                                     2625828257.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysdinrdvs.exe"  2625828257.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sylsplvc.exe"                                       5ED2.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winknavrso.exe"                                      204624212.exe
Drops file in System32 directory 2 IoCs
Processes: powershell.exe, powershell.exe
description                    ioc                                                                                                                             process
File opened for modification   C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk   powershell.exe
File opened for modification   C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk   powershell.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: wupgrdsv.exe
description                            pid   process        target process
PID 1556 set thread context of 2168    1556  wupgrdsv.exe   notepad.exe
Drops file in Windows directory 6 IoCs
Processes: 2625828257.exe, 5ED2.exe, 204624212.exe
description                    ioc                          process
File created                   C:\Windows\sysdinrdvs.exe    2625828257.exe
File opened for modification   C:\Windows\sysdinrdvs.exe    2625828257.exe
File created                   C:\Windows\sylsplvc.exe      5ED2.exe
File opened for modification   C:\Windows\sylsplvc.exe      5ED2.exe
File created                   C:\Windows\winknavrso.exe    204624212.exe
File opened for modification   C:\Windows\winknavrso.exe    204624212.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid    process
2520   schtasks.exe
2804   schtasks.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: 2984739447.exe, powershell.exe, wupgrdsv.exe, powershell.exe
pid    process
2544   2984739447.exe
2544   2984739447.exe
2560   powershell.exe
2544   2984739447.exe
2544   2984739447.exe
1556   wupgrdsv.exe
1556   wupgrdsv.exe
2420   powershell.exe
1556   wupgrdsv.exe
1556   wupgrdsv.exe
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid    process
468    (not recorded)
Suspicious behavior: SetClipboardViewer 2 IoCs
Processes: 204624212.exe, 2625828257.exe
pid    process
2180   204624212.exe
800    2625828257.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: powershell.exe, powershell.exe, notepad.exe
description                    pid   process
Token: SeDebugPrivilege        2560  powershell.exe
Token: SeDebugPrivilege        2420  powershell.exe
Token: SeLockMemoryPrivilege   2168  notepad.exe
Token: SeLockMemoryPrivilege   2168  notepad.exe
Suspicious use of FindShellTrayWindow 11 IoCs
Processes: notepad.exe
pid    process
2168   notepad.exe   (all 11 IoCs are this same pid/process)
Suspicious use of SendNotifyMessage 11 IoCs
Processes: notepad.exe
pid    process
2168   notepad.exe   (all 11 IoCs are this same pid/process)
Suspicious use of WriteProcessMemory 42 IoCs
Processes: e423b16712d6b7c04b46ece26b2b82c6_JaffaCakes118.exe, 5ED2.exe, sylsplvc.exe, 2625828257.exe, 116716693.exe, powershell.exe, taskeng.exe, powershell.exe, wupgrdsv.exe
Identical rows are collapsed; the count column gives how many times each entry appears.
description                          pid   process                                              target process    count
PID 1192 wrote to memory of 2712     1192  e423b16712d6b7c04b46ece26b2b82c6_JaffaCakes118.exe   5ED2.exe          4
PID 2712 wrote to memory of 3032     2712  5ED2.exe                                             sylsplvc.exe      4
PID 3032 wrote to memory of 2180     3032  sylsplvc.exe                                         204624212.exe     4
PID 3032 wrote to memory of 800      3032  sylsplvc.exe                                         2625828257.exe    4
PID 800 wrote to memory of 1116      800   2625828257.exe                                       247382254.exe     4
PID 800 wrote to memory of 2160      800   2625828257.exe                                       2488825381.exe    4
PID 800 wrote to memory of 2696      800   2625828257.exe                                       116716693.exe     4
PID 2696 wrote to memory of 2544     2696  116716693.exe                                        2984739447.exe    4
PID 2560 wrote to memory of 2520     2560  powershell.exe                                       schtasks.exe      3
PID 596 wrote to memory of 1556      596   taskeng.exe                                          wupgrdsv.exe      3
PID 2420 wrote to memory of 2804     2420  powershell.exe                                       schtasks.exe      3
PID 1556 wrote to memory of 2168     1556  wupgrdsv.exe                                         notepad.exe       1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The bracketed number is the depth in the process tree; children are indented under their parent.

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1380
  [2] C:\Users\Admin\AppData\Local\Temp\e423b16712d6b7c04b46ece26b2b82c6_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\e423b16712d6b7c04b46ece26b2b82c6_JaffaCakes118.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1192
    [3] C:\Users\Admin\AppData\Local\Temp\5ED2.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\5ED2.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        PID: 2712
      [4] C:\Windows\sylsplvc.exe
          Command line: C:\Windows\sylsplvc.exe
          - Windows security bypass
          - Executes dropped EXE
          - Loads dropped DLL
          - Windows security modification
          - Suspicious use of WriteProcessMemory
          PID: 3032
        [5] C:\Users\Admin\AppData\Local\Temp\204624212.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\204624212.exe
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: SetClipboardViewer
            PID: 2180
        [5] C:\Users\Admin\AppData\Local\Temp\2625828257.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\2625828257.exe
            - Windows security bypass
            - Executes dropped EXE
            - Loads dropped DLL
            - Windows security modification
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: SetClipboardViewer
            - Suspicious use of WriteProcessMemory
            PID: 800
          [6] C:\Users\Admin\AppData\Local\Temp\247382254.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\247382254.exe
              - Executes dropped EXE
              PID: 1116
          [6] C:\Users\Admin\AppData\Local\Temp\2488825381.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\2488825381.exe
              - Executes dropped EXE
              PID: 2160
          [6] C:\Users\Admin\AppData\Local\Temp\116716693.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\116716693.exe
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory
              PID: 2696
            [7] C:\Users\Admin\AppData\Local\Temp\2984739447.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\2984739447.exe
                - Suspicious use of NtCreateUserProcessOtherParentProcess
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                PID: 2544
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2560
    [3] C:\Windows\system32\schtasks.exe
        Command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
        - Creates scheduled task(s)
        PID: 2520
  [2] C:\Windows\System32\schtasks.exe
      Command line: C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
      PID: 2468
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2420
    [3] C:\Windows\system32\schtasks.exe
        Command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
        - Creates scheduled task(s)
        PID: 2804
  [2] C:\Windows\System32\notepad.exe
      Command line: C:\Windows\System32\notepad.exe
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2168

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {E7BA08A1-0CE3-43E0-9EF8-0FBB9534EC10} S-1-5-21-778096762-2241304387-192235952-1000:AYFLYVMK\Admin:Interactive:[1]
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 596
  [2] C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
      Command line: "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1556
Downloads