7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
1800s
max time network
1802s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-04-2024 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

8^/10

discovery evasion

Malware Config

Signatures

Contacts a large (765) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 22 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
756	netsh.exe
2020	netsh.exe
2412	netsh.exe
4304	netsh.exe
4656	netsh.exe
3688	netsh.exe
3616	netsh.exe
2284	netsh.exe
2856	netsh.exe
532	netsh.exe
1700	netsh.exe
4620	netsh.exe
4728	netsh.exe
2140	netsh.exe
832	netsh.exe
888	netsh.exe
4376	netsh.exe
4568	netsh.exe
2820	netsh.exe
4440	netsh.exe
520	netsh.exe
3768	netsh.exe

Executes dropped EXE 11 IoCs

Processes:

svchost.exesvchost.exe~tl1006.tmpsvchost.exe~tl11A8.tmpsvchost.exe~tl6959.tmpsvchost.exe~tlCFA8.tmpsvchost.exe~tl3AC8.tmp

pid	process
4060	svchost.exe
1928	svchost.exe
1300	~tl1006.tmp
2800	svchost.exe
3508	~tl11A8.tmp
1396	svchost.exe
2132	~tl6959.tmp
1128	svchost.exe
3360	~tlCFA8.tmp
3828	svchost.exe
4060	~tl3AC8.tmp

Drops file in System32 directory 31 IoCs

Processes:

powershell.exe~tl6959.tmpsvchost.exepowershell.exesvchost.exepowershell.exepowershell.exepowershell.exesvchost.exe~tl3AC8.tmppowershell.exesvchost.exepowershell.exepowershell.exe~tlCFA8.tmppowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tl6959.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl6959.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	~tl3AC8.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlCFA8.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl3AC8.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tlCFA8.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tl3AC8.tmp

Drops file in Windows directory 10 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exesvchost.exesvchost.exesvchost.exe~tl1006.tmpsvchost.exe

description	ioc	process
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl1006.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tl1006.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2736 schtasks.exe
4012 schtasks.exe

pid	process
2736	schtasks.exe
4012	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exepowershell.exepowershell.exenetsh.exepowershell.exesvchost.exepowershell.exenetsh.exepowershell.exesvchost.exe~tl3AC8.tmp~tl6959.tmppowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	~tl3AC8.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	~tl6959.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe~tl1006.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl11A8.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl6959.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe

pid	process
2704	powershell.exe
2704	powershell.exe
2776	powershell.exe
2776	powershell.exe
2704	powershell.exe
2776	powershell.exe
824	svchost_dump_SCY - Copy.exe
824	svchost_dump_SCY - Copy.exe
2672	powershell.exe
2672	powershell.exe
4168	powershell.exe
2672	powershell.exe
4168	powershell.exe
4168	powershell.exe
1300	~tl1006.tmp
1300	~tl1006.tmp
4560	powershell.exe
4560	powershell.exe
4668	powershell.exe
4668	powershell.exe
4560	powershell.exe
4668	powershell.exe
1300	~tl1006.tmp
1300	~tl1006.tmp
2800	svchost.exe
2800	svchost.exe
2060	powershell.exe
2060	powershell.exe
4440	powershell.exe
4440	powershell.exe
2060	powershell.exe
4440	powershell.exe
3508	~tl11A8.tmp
3508	~tl11A8.tmp
4704	powershell.exe
4704	powershell.exe
4704	powershell.exe
688	powershell.exe
688	powershell.exe
688	powershell.exe
1396	svchost.exe
1396	svchost.exe
2952	powershell.exe
1580	powershell.exe
1580	powershell.exe
1580	powershell.exe
2952	powershell.exe
2952	powershell.exe
2132	~tl6959.tmp
2132	~tl6959.tmp
4728	powershell.exe
4728	powershell.exe
4164	powershell.exe
4164	powershell.exe
4728	powershell.exe
4164	powershell.exe
1128	svchost.exe
1128	svchost.exe
3828	powershell.exe
3828	powershell.exe
2324	powershell.exe
3828	powershell.exe
2324	powershell.exe
2324	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1832	WMIC.exe
Token: SeSecurityPrivilege	1832	WMIC.exe
Token: SeTakeOwnershipPrivilege	1832	WMIC.exe
Token: SeLoadDriverPrivilege	1832	WMIC.exe
Token: SeSystemProfilePrivilege	1832	WMIC.exe
Token: SeSystemtimePrivilege	1832	WMIC.exe
Token: SeProfSingleProcessPrivilege	1832	WMIC.exe
Token: SeIncBasePriorityPrivilege	1832	WMIC.exe
Token: SeCreatePagefilePrivilege	1832	WMIC.exe
Token: SeBackupPrivilege	1832	WMIC.exe
Token: SeRestorePrivilege	1832	WMIC.exe
Token: SeShutdownPrivilege	1832	WMIC.exe
Token: SeDebugPrivilege	1832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1832	WMIC.exe
Token: SeRemoteShutdownPrivilege	1832	WMIC.exe
Token: SeUndockPrivilege	1832	WMIC.exe
Token: SeManageVolumePrivilege	1832	WMIC.exe
Token: 33	1832	WMIC.exe
Token: 34	1832	WMIC.exe
Token: 35	1832	WMIC.exe
Token: 36	1832	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1832	WMIC.exe
Token: SeSecurityPrivilege	1832	WMIC.exe
Token: SeTakeOwnershipPrivilege	1832	WMIC.exe
Token: SeLoadDriverPrivilege	1832	WMIC.exe
Token: SeSystemProfilePrivilege	1832	WMIC.exe
Token: SeSystemtimePrivilege	1832	WMIC.exe
Token: SeProfSingleProcessPrivilege	1832	WMIC.exe
Token: SeIncBasePriorityPrivilege	1832	WMIC.exe
Token: SeCreatePagefilePrivilege	1832	WMIC.exe
Token: SeBackupPrivilege	1832	WMIC.exe
Token: SeRestorePrivilege	1832	WMIC.exe
Token: SeShutdownPrivilege	1832	WMIC.exe
Token: SeDebugPrivilege	1832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1832	WMIC.exe
Token: SeRemoteShutdownPrivilege	1832	WMIC.exe
Token: SeUndockPrivilege	1832	WMIC.exe
Token: SeManageVolumePrivilege	1832	WMIC.exe
Token: 33	1832	WMIC.exe
Token: 34	1832	WMIC.exe
Token: 35	1832	WMIC.exe
Token: 36	1832	WMIC.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeIncreaseQuotaPrivilege	2704	powershell.exe
Token: SeSecurityPrivilege	2704	powershell.exe
Token: SeTakeOwnershipPrivilege	2704	powershell.exe
Token: SeLoadDriverPrivilege	2704	powershell.exe
Token: SeSystemProfilePrivilege	2704	powershell.exe
Token: SeSystemtimePrivilege	2704	powershell.exe
Token: SeProfSingleProcessPrivilege	2704	powershell.exe
Token: SeIncBasePriorityPrivilege	2704	powershell.exe
Token: SeCreatePagefilePrivilege	2704	powershell.exe
Token: SeBackupPrivilege	2704	powershell.exe
Token: SeRestorePrivilege	2704	powershell.exe
Token: SeShutdownPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeSystemEnvironmentPrivilege	2704	powershell.exe
Token: SeRemoteShutdownPrivilege	2704	powershell.exe
Token: SeUndockPrivilege	2704	powershell.exe
Token: SeManageVolumePrivilege	2704	powershell.exe
Token: 33	2704	powershell.exe
Token: 34	2704	powershell.exe
Token: 35	2704	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exesvchost.exe~tl1006.tmpsvchost.exe~tl11A8.tmp

description	pid	process	target process
PID 824 wrote to memory of 1832	824	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 824 wrote to memory of 1832	824	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 824 wrote to memory of 4656	824	svchost_dump_SCY - Copy.exe	netsh.exe
PID 824 wrote to memory of 4656	824	svchost_dump_SCY - Copy.exe	netsh.exe
PID 824 wrote to memory of 1700	824	svchost_dump_SCY - Copy.exe	netsh.exe
PID 824 wrote to memory of 1700	824	svchost_dump_SCY - Copy.exe	netsh.exe
PID 824 wrote to memory of 2704	824	svchost_dump_SCY - Copy.exe	powershell.exe
PID 824 wrote to memory of 2704	824	svchost_dump_SCY - Copy.exe	powershell.exe
PID 824 wrote to memory of 2776	824	svchost_dump_SCY - Copy.exe	powershell.exe
PID 824 wrote to memory of 2776	824	svchost_dump_SCY - Copy.exe	powershell.exe
PID 824 wrote to memory of 1960	824	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 824 wrote to memory of 1960	824	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 824 wrote to memory of 2736	824	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 824 wrote to memory of 2736	824	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 824 wrote to memory of 4060	824	svchost_dump_SCY - Copy.exe	svchost.exe
PID 824 wrote to memory of 4060	824	svchost_dump_SCY - Copy.exe	svchost.exe
PID 4060 wrote to memory of 2544	4060	svchost.exe	WMIC.exe
PID 4060 wrote to memory of 2544	4060	svchost.exe	WMIC.exe
PID 4060 wrote to memory of 4376	4060	svchost.exe	netsh.exe
PID 4060 wrote to memory of 4376	4060	svchost.exe	netsh.exe
PID 4060 wrote to memory of 4620	4060	svchost.exe	netsh.exe
PID 4060 wrote to memory of 4620	4060	svchost.exe	netsh.exe
PID 4060 wrote to memory of 2672	4060	svchost.exe	powershell.exe
PID 4060 wrote to memory of 2672	4060	svchost.exe	powershell.exe
PID 4060 wrote to memory of 4168	4060	svchost.exe	powershell.exe
PID 4060 wrote to memory of 4168	4060	svchost.exe	powershell.exe
PID 1928 wrote to memory of 3768	1928	svchost.exe	WMIC.exe
PID 1928 wrote to memory of 3768	1928	svchost.exe	WMIC.exe
PID 4060 wrote to memory of 1300	4060	svchost.exe	~tl1006.tmp
PID 4060 wrote to memory of 1300	4060	svchost.exe	~tl1006.tmp
PID 1300 wrote to memory of 3940	1300	~tl1006.tmp	netsh.exe
PID 1300 wrote to memory of 3940	1300	~tl1006.tmp	netsh.exe
PID 1300 wrote to memory of 4568	1300	~tl1006.tmp	netsh.exe
PID 1300 wrote to memory of 4568	1300	~tl1006.tmp	netsh.exe
PID 1300 wrote to memory of 520	1300	~tl1006.tmp	netsh.exe
PID 1300 wrote to memory of 520	1300	~tl1006.tmp	netsh.exe
PID 1300 wrote to memory of 4560	1300	~tl1006.tmp	powershell.exe
PID 1300 wrote to memory of 4560	1300	~tl1006.tmp	powershell.exe
PID 1300 wrote to memory of 4668	1300	~tl1006.tmp	powershell.exe
PID 1300 wrote to memory of 4668	1300	~tl1006.tmp	powershell.exe
PID 1300 wrote to memory of 2776	1300	~tl1006.tmp	schtasks.exe
PID 1300 wrote to memory of 2776	1300	~tl1006.tmp	schtasks.exe
PID 1300 wrote to memory of 4012	1300	~tl1006.tmp	schtasks.exe
PID 1300 wrote to memory of 4012	1300	~tl1006.tmp	schtasks.exe
PID 1300 wrote to memory of 2800	1300	~tl1006.tmp	svchost.exe
PID 1300 wrote to memory of 2800	1300	~tl1006.tmp	svchost.exe
PID 2800 wrote to memory of 1680	2800	svchost.exe	netsh.exe
PID 2800 wrote to memory of 1680	2800	svchost.exe	netsh.exe
PID 2800 wrote to memory of 3616	2800	svchost.exe	netsh.exe
PID 2800 wrote to memory of 3616	2800	svchost.exe	netsh.exe
PID 2800 wrote to memory of 3768	2800	svchost.exe	netsh.exe
PID 2800 wrote to memory of 3768	2800	svchost.exe	netsh.exe
PID 2800 wrote to memory of 2060	2800	svchost.exe	powershell.exe
PID 2800 wrote to memory of 2060	2800	svchost.exe	powershell.exe
PID 2800 wrote to memory of 4440	2800	svchost.exe	powershell.exe
PID 2800 wrote to memory of 4440	2800	svchost.exe	powershell.exe
PID 2800 wrote to memory of 3508	2800	svchost.exe	~tl11A8.tmp
PID 2800 wrote to memory of 3508	2800	svchost.exe	~tl11A8.tmp
PID 3508 wrote to memory of 1508	3508	~tl11A8.tmp	netsh.exe
PID 3508 wrote to memory of 1508	3508	~tl11A8.tmp	netsh.exe
PID 3508 wrote to memory of 4728	3508	~tl11A8.tmp	netsh.exe
PID 3508 wrote to memory of 4728	3508	~tl11A8.tmp	netsh.exe
PID 3508 wrote to memory of 3688	3508	~tl11A8.tmp	netsh.exe
PID 3508 wrote to memory of 3688	3508	~tl11A8.tmp	netsh.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:4656

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:1960

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:2736

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
PID:2544

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4376

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4168

C:\Users\Admin\AppData\Local\Temp\~tl1006.tmp
C:\Users\Admin\AppData\Local\Temp\~tl1006.tmp
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:3940

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4568

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4668

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:2776

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:4012

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:1680

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:3616

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:3768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4440

C:\Users\Admin\AppData\Local\Temp\~tl11A8.tmp
C:\Users\Admin\AppData\Local\Temp\~tl11A8.tmp
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\SYSTEM32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:1508

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:4728

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:3688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:688

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
PID:3768

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1396

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:2772

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:756

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1580

C:\Windows\TEMP\~tl6959.tmp
C:\Windows\TEMP\~tl6959.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2132

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:5012

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2284

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4164

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1128

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:2632

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:832

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2324

C:\Windows\TEMP\~tlCFA8.tmp
C:\Windows\TEMP\~tlCFA8.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3360

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:976

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2856

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2952

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3828

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
2⤵
PID:4728

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2820

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:4304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4104

C:\Windows\TEMP\~tl3AC8.tmp
C:\Windows\TEMP\~tl3AC8.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4060

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
PID:4616

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:4440

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
268b890dae39e430e8b127909067ed96

SHA1
35939515965c0693ef46e021254c3e73ea8c4a2b

SHA256
7643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c

SHA512
abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1d9883feb7754e029148d4f2715b581f

SHA1
b3caa8806d11f36c7cfd7ed27e14cc813129c4ad

SHA256
ceb2dd4767c398b679a41893b87bcffb1d95d845e4b38e574582b2e910559ed2

SHA512
28f23fd966f40d989c1fbcb9922b3c75aa28ab2a97debb4fec1ffd1c7d1e00800193d1dc34d23d1e1641e089e2dfa07a9fe2249aba37bd69e7a6b7090e934bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
78af95df839cf1acef172e4414cc2f9e

SHA1
8c26013c93857bb145391e5cc987c8a54847c227

SHA256
ecf468d670717db87919148085051e5037cb748807770b75384c744aab6cf9f9

SHA512
48a5f0ab634976476440be45d47fcb38902e44fdac31703aeac14ef6972d70f84081df9215c630751b2361aea5d518a1947b0d8b37eed7cdb6f5cc8e4f9a3d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7cdcbdba96957d2652c008782eba8981

SHA1
49db60f7452f0920001b57c20dde2de7b460727a

SHA256
f05cab5acdee3ebe16faa0ab5271ff8ac41673520fb5d4fb3efd064216691354

SHA512
ba57956afcf192e2f8ea4a3f2d28896186a217d069f4d4a7bd6045acf655f54ec89d5f4d0a5c976b1854b6c11a21deac2355b9eb54d8a88ad505054d53ba8294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ccd50bd239eb2cc70f96e2ca1a13eae3

SHA1
57b7a6ba9b1c5892db135ad521c4bbd854ee8cc3

SHA256
64bdbe15e2d60d15661174dffc5e016e160ca32e10e94af70c26e2e772680de9

SHA512
239c90ed653f8f93faee653b359d242e8e6ae35f338db60fb4b2644a4f9f5c1c3e39228b92bdfe096924cfa4dcc0545b90daeac6f919bd3723332a38adc5a7d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d56e21f9116304dfa2f190f6a39ada0d

SHA1
d6da3ffce17b9cdbd80c27969f6f4559df21b638

SHA256
5d91a2c4308cea06e9fb580fecea25efd36a897783ce56603aed8c6b278ef809

SHA512
bb7a46b0c378a144832bc6f1b327000cec66f3851bd4d67981a7c6f795bce72de029d5fb18fc4220aa5d16a22ea441382b5013248b48e15852eb6391fd1ee840

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r2qlxjx5.byt.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl1006.tmp

Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tl11A8.tmp

Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
3af58b6add70a3559c53205e4aefd0f9

SHA1
5c1a95db8a1695b14b26cb5e8ae92fea5bd9da41

SHA256
d9595b5e4bb49267b93c50334024de412c0e8a2831f2caa1102529292b9c2a7e

SHA512
21b93f9444d559aa19fd36afd939120623187fd42cf43296447cfa8794d7a72773900405b37587def2e794b7e829d337aaf5b397a8882552875a89023f104f97

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
7.6MB

MD5
0cbde643bf212cb6f6f6e6a8219b2fc2

SHA1
9790731da04988dd9b0110a8e84913e79ba07680

SHA256
e722d02848483f7db09d0177c00a4ee95eef5362bd97a849883efa17ae85c045

SHA512
7a6309c1bf6d18b7db00fa8afbd44d32791b9c46b10b33200b8d1079296017e6ee2f5d308280cd52ef2e3de1056d749314ed264def2eda7a59c42fff242dc1eb

Download Submit
C:\Windows\System\svchost.exe

Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
478f1c1fcff584f4f440469ed71d2d43

SHA1
0900e9dc39580d527c145715f985a5a86e80b66c

SHA256
c918bf6bad93b653f9d05007634b088be7b91ed4350b777905d0520d93d650eb

SHA512
4ed62f2add77e0dd8e07e101ee06bdb8a15808b701c7580b09704bd4befdecf7cfe2fa29d6e96f2149a92f4e1b0cae0d9810a5cde3f4940145f8120f7322d1a7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ad2d82fd0f51e9ff4a9e1ee26e40eefc

SHA1
e83e7fd959025e8deef478fe45170a48ff28f18d

SHA256
186964f210dff16ca279b9345b042baaaa920fd62c30db5144a7ed3410b561ff

SHA512
2ef322524b6247e01411969f6adde4bb3a4b4cc5f8c66feb102307133e46448506929b14826469c94453650211b01c8f2ae2de518661f7a615c4b28b54ced289

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
652B

MD5
63a30cacf726568bbf1ca4ca2e1ccb2e

SHA1
e76c50a791ccc46fdebf240ab0bb157818c848dc

SHA256
bbca307fb5e5a91fd35f68e9e00dee03219ef9f264cacd3f8856ad11e76eb17e

SHA512
25e921145d0afe94684a825596476c144d8135e9a5425226420f5a82635fd90e2cfd5a06c65e79f0436b455b917cf41a10848f44df40abe4bcfcbd75555cb534

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4085663b63a8abdd90aa27e605c486b3

SHA1
f4386b0e52328a496d6b2a9bb003e5d114d5e2da

SHA256
cde9da09369aa124ee6fce362f56d979a6c8b98a61aa5dc5528e06e72c6accf3

SHA512
b610388b4a4019d5d6a2514c132c4cccf59c2db465b9019f35808b6201a4b857f553276342335811cac13f07e6ecb63ce111501fd5ba412a491eb88f328d424f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60eceec312301f0ca16969c813f3c816

SHA1
51739bafc6d4d4429f632bc610065a796e26afa8

SHA256
010ce1a13cf4783819889a26f9f5290b815535d996697202e8ffb2e2e447a754

SHA512
6ed570c91f61a09ff96929c7065e2b99b97445ee0bb8ec97679c126c01582060d67edf68f3d14a8cc0f7823d55205572d7722aa77fb56c7976faa58c23c4e215

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f48cb1ec7f04d48b373d447d4a54aa08

SHA1
d010430ce9ca5087ba2827511dfbc71cd67e664b

SHA256
64bffe473a191517cc9f743b80998d15cdcc8eb2a5a943e4060f2ed107f3ea31

SHA512
f39c646972b238ae584c367e86f51b6655a0f69e9bb01d87865f8da178e18659e69d71d85dffcfc5d1b635a7e6f4f227359c53c946b7dadd559dca2e0cefbed4

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8432dcea65c130781d80df9c39fff4b5

SHA1
3038c50810df0671795f0be1b900ceb77a505460

SHA256
426fdf0883b6a103f2dab9331f33eecbf7867974c24f1d3ca1d871e58534b0fb

SHA512
cc730e1b6141b0682f9c4c744110a8e23aeef38b502c8c9f7f3028f10206c68b89347a4342efcd91b50c409fac249befdb7443acac8c56197a9ab7bf8932ef43

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1b309a5033ac7e9e23569dd053a360c4

SHA1
7f99f0c2d18813afcae11decd096ed0a9a24f592

SHA256
561b620f9102f9308ac23a18fc498b9ed5a2a077f30bc5c0c3bc37913e105ed4

SHA512
ffb4de89b80acd6e58ad2271dbd611724f3710087b498ddb64927aa04a0a06fb174a2d58a44eee69c994c7810bc393a136eb6fb99d097f30964fcfbff13bf0eb

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
memory/824-115-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/824-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/824-15-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1300-288-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1300-286-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1300-287-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1300-404-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1300-290-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1300-283-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1396-656-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1396-983-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/1928-274-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/1928-278-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2060-452-0x0000023CBC8E0000-0x0000023CBC8F0000-memory.dmp

Filesize
64KB

Download
memory/2060-416-0x0000023CBC8E0000-0x0000023CBC8F0000-memory.dmp

Filesize
64KB

Download
memory/2060-413-0x0000023CBC8E0000-0x0000023CBC8F0000-memory.dmp

Filesize
64KB

Download
memory/2060-504-0x0000023CBC8E0000-0x0000023CBC8F0000-memory.dmp

Filesize
64KB

Download
memory/2060-507-0x00007FFC92190000-0x00007FFC92B7C000-memory.dmp

Filesize
9.9MB

Download
memory/2060-408-0x00007FFC92190000-0x00007FFC92B7C000-memory.dmp

Filesize
9.9MB

Download
memory/2132-987-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2132-1304-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2672-215-0x00007FFC91F50000-0x00007FFC9293C000-memory.dmp

Filesize
9.9MB

Download
memory/2672-202-0x000002DAFE0D0000-0x000002DAFE0E0000-memory.dmp

Filesize
64KB

Download
memory/2672-122-0x000002DAFE0D0000-0x000002DAFE0E0000-memory.dmp

Filesize
64KB

Download
memory/2672-120-0x000002DAFE0D0000-0x000002DAFE0E0000-memory.dmp

Filesize
64KB

Download
memory/2672-149-0x000002DAFE0D0000-0x000002DAFE0E0000-memory.dmp

Filesize
64KB

Download
memory/2672-117-0x00007FFC91F50000-0x00007FFC9293C000-memory.dmp

Filesize
9.9MB

Download
memory/2704-7-0x000002B49B110000-0x000002B49B120000-memory.dmp

Filesize
64KB

Download
memory/2704-5-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2704-6-0x000002B49B120000-0x000002B49B142000-memory.dmp

Filesize
136KB

Download
memory/2704-48-0x000002B49B110000-0x000002B49B120000-memory.dmp

Filesize
64KB

Download
memory/2704-21-0x000002B49BC10000-0x000002B49BC86000-memory.dmp

Filesize
472KB

Download
memory/2704-102-0x000002B49B110000-0x000002B49B120000-memory.dmp

Filesize
64KB

Download
memory/2704-8-0x000002B49B110000-0x000002B49B120000-memory.dmp

Filesize
64KB

Download
memory/2704-108-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2776-98-0x000001B360830000-0x000001B360840000-memory.dmp

Filesize
64KB

Download
memory/2776-16-0x000001B360830000-0x000001B360840000-memory.dmp

Filesize
64KB

Download
memory/2776-17-0x000001B360830000-0x000001B360840000-memory.dmp

Filesize
64KB

Download
memory/2776-12-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2776-52-0x000001B360830000-0x000001B360840000-memory.dmp

Filesize
64KB

Download
memory/2776-107-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-403-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2800-405-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2800-520-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/3508-522-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3508-524-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3508-521-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3508-628-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3508-519-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/3508-523-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/4060-114-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4060-126-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4060-221-0x00000000369D0000-0x0000000036EB2000-memory.dmp

Filesize
4.9MB

Download
memory/4060-285-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/4168-176-0x00000227A0960000-0x00000227A0970000-memory.dmp

Filesize
64KB

Download
memory/4168-132-0x00000227A0960000-0x00000227A0970000-memory.dmp

Filesize
64KB

Download
memory/4168-134-0x00000227A0960000-0x00000227A0970000-memory.dmp

Filesize
64KB

Download
memory/4168-129-0x00007FFC91F50000-0x00007FFC9293C000-memory.dmp

Filesize
9.9MB

Download
memory/4168-216-0x00000227A0960000-0x00000227A0970000-memory.dmp

Filesize
64KB

Download
memory/4168-220-0x00007FFC91F50000-0x00007FFC9293C000-memory.dmp

Filesize
9.9MB

Download
memory/4440-457-0x0000017F4A9A0000-0x0000017F4A9B0000-memory.dmp

Filesize
64KB

Download
memory/4440-501-0x0000017F4A9A0000-0x0000017F4A9B0000-memory.dmp

Filesize
64KB

Download
memory/4440-418-0x0000017F4A9A0000-0x0000017F4A9B0000-memory.dmp

Filesize
64KB

Download
memory/4440-420-0x0000017F4A9A0000-0x0000017F4A9B0000-memory.dmp

Filesize
64KB

Download
memory/4440-415-0x00007FFC92190000-0x00007FFC92B7C000-memory.dmp

Filesize
9.9MB

Download
memory/4440-511-0x00007FFC92190000-0x00007FFC92B7C000-memory.dmp

Filesize
9.9MB

Download
memory/4560-298-0x0000013DC27C0000-0x0000013DC27D0000-memory.dmp

Filesize
64KB

Download
memory/4560-395-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

Filesize
9.9MB

Download
memory/4560-391-0x0000013DC27C0000-0x0000013DC27D0000-memory.dmp

Filesize
64KB

Download
memory/4560-295-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

Filesize
9.9MB

Download
memory/4560-297-0x0000013DC27C0000-0x0000013DC27D0000-memory.dmp

Filesize
64KB

Download
memory/4560-334-0x0000013DC27C0000-0x0000013DC27D0000-memory.dmp

Filesize
64KB

Download
memory/4668-385-0x000002AA1D470000-0x000002AA1D480000-memory.dmp

Filesize
64KB

Download
memory/4668-306-0x000002AA1D470000-0x000002AA1D480000-memory.dmp

Filesize
64KB

Download
memory/4668-301-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

Filesize
9.9MB

Download
memory/4668-307-0x000002AA1D470000-0x000002AA1D480000-memory.dmp

Filesize
64KB

Download
memory/4668-347-0x000002AA1D470000-0x000002AA1D480000-memory.dmp

Filesize
64KB

Download
memory/4668-388-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

Filesize
9.9MB

Download