7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

max time kernel
1199s
max time network
1200s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-04-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 18 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
2472	netsh.exe
2712	netsh.exe
696	netsh.exe
2480	netsh.exe
1704	netsh.exe
2104	netsh.exe
2440	netsh.exe
1056	netsh.exe
2308	netsh.exe
2668	netsh.exe
1160	netsh.exe
2776	netsh.exe
408	netsh.exe
1160	netsh.exe
2020	netsh.exe
1716	netsh.exe
2784	netsh.exe
1476	netsh.exe

Executes dropped EXE 8 IoCs

Processes:

svchost.exe~tlA7A5.tmpsvchost.exe~tlD5C6.tmpsvchost.exe~tl4AC6.tmpsvchost.exe~tl981B.tmp

pid process

2316 svchost.exe
2956 ~tlA7A5.tmp
2308 svchost.exe
2464 ~tlD5C6.tmp
2664 svchost.exe
2268 ~tl4AC6.tmp
1728 svchost.exe
2420 ~tl981B.tmp

pid	process
2316	svchost.exe
2956	~tlA7A5.tmp
2308	svchost.exe
2464	~tlD5C6.tmp
2664	svchost.exe
2268	~tl4AC6.tmp
1728	svchost.exe
2420	~tl981B.tmp

Loads dropped DLL 14 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tlA7A5.tmpsvchost.exetaskeng.exesvchost.exetaskeng.exesvchost.exe

pid	process
2184	svchost_dump_SCY - Copy.exe
2184	svchost_dump_SCY - Copy.exe
2316	svchost.exe
2316	svchost.exe
2956	~tlA7A5.tmp
2956	~tlA7A5.tmp
2308	svchost.exe
2308	svchost.exe
2500	taskeng.exe
2664	svchost.exe
2664	svchost.exe
2156	taskeng.exe
1728	svchost.exe
1728	svchost.exe

Drops file in System32 directory 20 IoCs

Processes:

powershell.exe~tl981B.tmpsvchost.exepowershell.exepowershell.exesvchost.exe~tl4AC6.tmppowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tl981B.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tl981B.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tl4AC6.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8MJ0U9PK.htm	~tl981B.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3JLJMOT4.htm	~tl981B.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tl4AC6.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe

Drops file in Windows directory 9 IoCs

Processes:

svchost_dump_SCY - Copy.exe~tlA7A5.tmpsvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	~tlA7A5.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\System\svchost.exe	~tlA7A5.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

332 schtasks.exe
996 schtasks.exe

pid	process
332	schtasks.exe
996	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

svchost.exe~tl981B.tmpsvchost.exepowershell.exe~tl4AC6.tmpnetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000006000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl981B.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 2031001bdf8cda01	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDecisionReason = "1"	~tl4AC6.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	~tl4AC6.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDecision = "0"	~tl981B.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDecisionTime = 00da0325df8cda01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\56-e2-a6-17-91-f9	~tl981B.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadDecisionReason = "1"	~tl4AC6.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadDecision = "0"	~tl4AC6.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	~tl4AC6.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadNetworkName = "Network 3"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	~tl4AC6.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDecisionTime = 00da0325df8cda01	~tl4AC6.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadDecisionTime = 00da0325df8cda01	~tl4AC6.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDecisionReason = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	~tl981B.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDetectedUrl	~tl981B.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	~tl4AC6.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	~tl981B.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	~tl981B.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	~tl4AC6.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDetectedUrl	~tl4AC6.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	~tl4AC6.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	~tl981B.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl4AC6.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	~tl4AC6.tmp

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

powershell.exepowershell.exesvchost_dump_SCY - Copy.exepowershell.exepowershell.exe~tlA7A5.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tlD5C6.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl4AC6.tmppowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe~tl981B.tmppowershell.exepowershell.exe

pid	process
2776	powershell.exe
2460	powershell.exe
2184	svchost_dump_SCY - Copy.exe
568	powershell.exe
1136	powershell.exe
2956	~tlA7A5.tmp
2748	powershell.exe
616	powershell.exe
2956	~tlA7A5.tmp
2308	svchost.exe
1504	powershell.exe
2696	powershell.exe
2464	~tlD5C6.tmp
1976	powershell.exe
600	powershell.exe
2664	svchost.exe
1264	powershell.exe
484	powershell.exe
2268	~tl4AC6.tmp
2788	powershell.exe
1012	powershell.exe
1728	svchost.exe
2012	powershell.exe
2316	powershell.exe
2420	~tl981B.tmp
1700	powershell.exe
1612	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2548	WMIC.exe
Token: SeSecurityPrivilege	2548	WMIC.exe
Token: SeTakeOwnershipPrivilege	2548	WMIC.exe
Token: SeLoadDriverPrivilege	2548	WMIC.exe
Token: SeSystemProfilePrivilege	2548	WMIC.exe
Token: SeSystemtimePrivilege	2548	WMIC.exe
Token: SeProfSingleProcessPrivilege	2548	WMIC.exe
Token: SeIncBasePriorityPrivilege	2548	WMIC.exe
Token: SeCreatePagefilePrivilege	2548	WMIC.exe
Token: SeBackupPrivilege	2548	WMIC.exe
Token: SeRestorePrivilege	2548	WMIC.exe
Token: SeShutdownPrivilege	2548	WMIC.exe
Token: SeDebugPrivilege	2548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2548	WMIC.exe
Token: SeRemoteShutdownPrivilege	2548	WMIC.exe
Token: SeUndockPrivilege	2548	WMIC.exe
Token: SeManageVolumePrivilege	2548	WMIC.exe
Token: 33	2548	WMIC.exe
Token: 34	2548	WMIC.exe
Token: 35	2548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2548	WMIC.exe
Token: SeSecurityPrivilege	2548	WMIC.exe
Token: SeTakeOwnershipPrivilege	2548	WMIC.exe
Token: SeLoadDriverPrivilege	2548	WMIC.exe
Token: SeSystemProfilePrivilege	2548	WMIC.exe
Token: SeSystemtimePrivilege	2548	WMIC.exe
Token: SeProfSingleProcessPrivilege	2548	WMIC.exe
Token: SeIncBasePriorityPrivilege	2548	WMIC.exe
Token: SeCreatePagefilePrivilege	2548	WMIC.exe
Token: SeBackupPrivilege	2548	WMIC.exe
Token: SeRestorePrivilege	2548	WMIC.exe
Token: SeShutdownPrivilege	2548	WMIC.exe
Token: SeDebugPrivilege	2548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2548	WMIC.exe
Token: SeRemoteShutdownPrivilege	2548	WMIC.exe
Token: SeUndockPrivilege	2548	WMIC.exe
Token: SeManageVolumePrivilege	2548	WMIC.exe
Token: 33	2548	WMIC.exe
Token: 34	2548	WMIC.exe
Token: 35	2548	WMIC.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeIncreaseQuotaPrivilege	1496	WMIC.exe
Token: SeSecurityPrivilege	1496	WMIC.exe
Token: SeTakeOwnershipPrivilege	1496	WMIC.exe
Token: SeLoadDriverPrivilege	1496	WMIC.exe
Token: SeSystemProfilePrivilege	1496	WMIC.exe
Token: SeSystemtimePrivilege	1496	WMIC.exe
Token: SeProfSingleProcessPrivilege	1496	WMIC.exe
Token: SeIncBasePriorityPrivilege	1496	WMIC.exe
Token: SeCreatePagefilePrivilege	1496	WMIC.exe
Token: SeBackupPrivilege	1496	WMIC.exe
Token: SeRestorePrivilege	1496	WMIC.exe
Token: SeShutdownPrivilege	1496	WMIC.exe
Token: SeDebugPrivilege	1496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1496	WMIC.exe
Token: SeRemoteShutdownPrivilege	1496	WMIC.exe
Token: SeUndockPrivilege	1496	WMIC.exe
Token: SeManageVolumePrivilege	1496	WMIC.exe
Token: 33	1496	WMIC.exe
Token: 34	1496	WMIC.exe
Token: 35	1496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1496	WMIC.exe
Token: SeSecurityPrivilege	1496	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost_dump_SCY - Copy.exesvchost.exe~tlA7A5.tmp

description	pid	process	target process
PID 2184 wrote to memory of 2548	2184	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2184 wrote to memory of 2548	2184	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2184 wrote to memory of 2548	2184	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 2184 wrote to memory of 2668	2184	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2184 wrote to memory of 2668	2184	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2184 wrote to memory of 2668	2184	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2184 wrote to memory of 2712	2184	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2184 wrote to memory of 2712	2184	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2184 wrote to memory of 2712	2184	svchost_dump_SCY - Copy.exe	netsh.exe
PID 2184 wrote to memory of 2776	2184	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2184 wrote to memory of 2776	2184	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2184 wrote to memory of 2776	2184	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2184 wrote to memory of 2460	2184	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2184 wrote to memory of 2460	2184	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2184 wrote to memory of 2460	2184	svchost_dump_SCY - Copy.exe	powershell.exe
PID 2184 wrote to memory of 764	2184	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2184 wrote to memory of 764	2184	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2184 wrote to memory of 764	2184	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2184 wrote to memory of 332	2184	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2184 wrote to memory of 332	2184	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2184 wrote to memory of 332	2184	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 2184 wrote to memory of 2316	2184	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2184 wrote to memory of 2316	2184	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2184 wrote to memory of 2316	2184	svchost_dump_SCY - Copy.exe	svchost.exe
PID 2316 wrote to memory of 1496	2316	svchost.exe	WMIC.exe
PID 2316 wrote to memory of 1496	2316	svchost.exe	WMIC.exe
PID 2316 wrote to memory of 1496	2316	svchost.exe	WMIC.exe
PID 2316 wrote to memory of 696	2316	svchost.exe	netsh.exe
PID 2316 wrote to memory of 696	2316	svchost.exe	netsh.exe
PID 2316 wrote to memory of 696	2316	svchost.exe	netsh.exe
PID 2316 wrote to memory of 1160	2316	svchost.exe	netsh.exe
PID 2316 wrote to memory of 1160	2316	svchost.exe	netsh.exe
PID 2316 wrote to memory of 1160	2316	svchost.exe	netsh.exe
PID 2316 wrote to memory of 568	2316	svchost.exe	powershell.exe
PID 2316 wrote to memory of 568	2316	svchost.exe	powershell.exe
PID 2316 wrote to memory of 568	2316	svchost.exe	powershell.exe
PID 2316 wrote to memory of 1136	2316	svchost.exe	powershell.exe
PID 2316 wrote to memory of 1136	2316	svchost.exe	powershell.exe
PID 2316 wrote to memory of 1136	2316	svchost.exe	powershell.exe
PID 2316 wrote to memory of 2956	2316	svchost.exe	~tlA7A5.tmp
PID 2316 wrote to memory of 2956	2316	svchost.exe	~tlA7A5.tmp
PID 2316 wrote to memory of 2956	2316	svchost.exe	~tlA7A5.tmp
PID 2956 wrote to memory of 2268	2956	~tlA7A5.tmp	netsh.exe
PID 2956 wrote to memory of 2268	2956	~tlA7A5.tmp	netsh.exe
PID 2956 wrote to memory of 2268	2956	~tlA7A5.tmp	netsh.exe
PID 2956 wrote to memory of 2480	2956	~tlA7A5.tmp	netsh.exe
PID 2956 wrote to memory of 2480	2956	~tlA7A5.tmp	netsh.exe
PID 2956 wrote to memory of 2480	2956	~tlA7A5.tmp	netsh.exe
PID 2956 wrote to memory of 2020	2956	~tlA7A5.tmp	netsh.exe
PID 2956 wrote to memory of 2020	2956	~tlA7A5.tmp	netsh.exe
PID 2956 wrote to memory of 2020	2956	~tlA7A5.tmp	netsh.exe
PID 2956 wrote to memory of 2748	2956	~tlA7A5.tmp	powershell.exe
PID 2956 wrote to memory of 2748	2956	~tlA7A5.tmp	powershell.exe
PID 2956 wrote to memory of 2748	2956	~tlA7A5.tmp	powershell.exe
PID 2956 wrote to memory of 616	2956	~tlA7A5.tmp	powershell.exe
PID 2956 wrote to memory of 616	2956	~tlA7A5.tmp	powershell.exe
PID 2956 wrote to memory of 616	2956	~tlA7A5.tmp	powershell.exe
PID 2956 wrote to memory of 2860	2956	~tlA7A5.tmp	schtasks.exe
PID 2956 wrote to memory of 2860	2956	~tlA7A5.tmp	schtasks.exe
PID 2956 wrote to memory of 2860	2956	~tlA7A5.tmp	schtasks.exe
PID 2956 wrote to memory of 996	2956	~tlA7A5.tmp	schtasks.exe
PID 2956 wrote to memory of 996	2956	~tlA7A5.tmp	schtasks.exe
PID 2956 wrote to memory of 996	2956	~tlA7A5.tmp	schtasks.exe
PID 2956 wrote to memory of 2308	2956	~tlA7A5.tmp	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2668

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
- Modifies Windows Firewall
PID:2712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Timer"
2⤵
PID:764

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:332

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:696

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:1160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1136

C:\Users\Admin\AppData\Local\Temp\~tlA7A5.tmp
C:\Users\Admin\AppData\Local\Temp\~tlA7A5.tmp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
PID:2268

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2480

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:616

C:\Windows\system32\schtasks.exe
schtasks /delete /TN "Timer"
4⤵
PID:2860

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:996

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2308

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
5⤵
PID:2340

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1704

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:2104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2696

C:\Users\Admin\AppData\Local\Temp\~tlD5C6.tmp
C:\Users\Admin\AppData\Local\Temp\~tlD5C6.tmp
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2464

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
6⤵
PID:1980

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:1716

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:600

C:\Windows\system32\taskeng.exe
taskeng.exe {6D83325B-23DB-40F2-8295-A00879C79796} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2500

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2664

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
- Modifies data under HKEY_USERS
PID:2712

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2776

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:484

C:\Windows\TEMP\~tl4AC6.tmp
C:\Windows\TEMP\~tl4AC6.tmp
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2268

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
- Modifies data under HKEY_USERS
PID:2952

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:1476

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1012

C:\Windows\system32\taskeng.exe
taskeng.exe {2B76F4C4-D4C5-4198-B8B6-3BB627AD8710} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2156

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
3⤵
- Modifies data under HKEY_USERS
PID:400

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1056

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2316

C:\Windows\TEMP\~tl981B.tmp
C:\Windows\TEMP\~tl981B.tmp
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2420

C:\Windows\system32\netsh.exe
netsh int ipv4 set dynamicport tcp start=1025 num=64511
4⤵
- Modifies data under HKEY_USERS
PID:848

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2472

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:1160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
cf991352a4f4dc35956bebbcf38fcb59

SHA1
04c6212f4cde38b8b0bf929539b2172fe71ef221

SHA256
244aa7e60ceb23f478c990100f7cb0d03c6d01152f7e6b22403f543a26ba0a07

SHA512
c15a66f3d0d6c55917a79cf651518af49032ca2def291fe89b3ded7a6d8191e635b0a313516b48f56b99b2db78635fe0167b7b539d59ee526ad00473d2cda775

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MQ5879M2JYH79REVHLSF.temp
Filesize
7KB

MD5
1a05be584ef2f980e129712e6fa29dab

SHA1
243240316ba8535e9ee3eb114f24fe73f7425349

SHA256
b6e9a1185b06ffa6651e1ed2e6f8e84b266d3c44278bccf2e60873d5c80d0620

SHA512
1a8d28eb75c9a2bb284c86cf60edbddbfc33d5e639d1bad0aafcf249a543bee1063d1d59969ced048d23df2b7ef21c6551c4c6eaaae4e1834ae763013447ebe3

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
Filesize
2.7MB

MD5
27acfbf94480631e547b5cb508d9d4fb

SHA1
f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c

SHA256
0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e

SHA512
902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
6.2MB

MD5
f0da454a7f974ee85a535efff8998f72

SHA1
030e8b8ec61fe0657e47e73bbe874ff1549e64eb

SHA256
891817b1e5e55b35cf723a89b3874e67658c4f347a12bd5789a54e5b31c9fd81

SHA512
343636670b72ac478a5399e4ddb04776786f6c2cbb7c92332638fa726fa77ff0603193dc803ea252a12a7e914ef3e08f5f3619a1ff09317401dc2300985eb4ea

Download Submit
C:\Windows\System\svchost.exe
Filesize
385KB

MD5
afca213ee0321f46e8bde639ae2de3e2

SHA1
4dc7621667b7cdb544c03c4b756cd0193b9d74f9

SHA256
664200ddc8a80df3122556faae95263e64a5affe4d086982e690aec7d1bae7dc

SHA512
a075fbb1648b87768ab7973ff8ba97d658dd1f5c8b07e3ba4e535d7f318ded08aab4714eff38becf61cbc2d68cb5a6bc7011b6e7cdc2ea47ecd2d143ea7cb843

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\~tlA7A5.tmp
Filesize
385KB

MD5
e802c96760e48c5139995ffb2d891f90

SHA1
bba3d278c0eb1094a26e5d2f4c099ad685371578

SHA256
cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

SHA512
97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

Download Submit
\Users\Admin\AppData\Local\Temp\~tlD5C6.tmp
Filesize
393KB

MD5
9dbdd43a2e0b032604943c252eaf634a

SHA1
9584dc66f3c1cce4210fdf827a1b4e2bb22263af

SHA256
33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

SHA512
b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

Download Submit
\Windows\system\svchost.exe
Filesize
5.2MB

MD5
5fd3d21a968f4b8a1577b5405ab1c36a

SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

Download Submit
memory/568-48-0x0000000002BC0000-0x0000000002C40000-memory.dmp

Filesize
512KB

Download
memory/568-60-0x0000000002BC4000-0x0000000002BC7000-memory.dmp

Filesize
12KB

Download
memory/568-45-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/568-64-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/568-46-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/568-47-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/568-52-0x0000000002BC0000-0x0000000002C40000-memory.dmp

Filesize
512KB

Download
memory/568-49-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/568-61-0x0000000002BCB000-0x0000000002C32000-memory.dmp

Filesize
412KB

Download
memory/616-146-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/616-152-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/616-151-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/616-145-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/616-150-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/616-148-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/616-149-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/1136-63-0x0000000002BD0000-0x0000000002C50000-memory.dmp

Filesize
512KB

Download
memory/1136-67-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/1136-62-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/1136-66-0x0000000002BD0000-0x0000000002C50000-memory.dmp

Filesize
512KB

Download
memory/1136-57-0x0000000002BD0000-0x0000000002C50000-memory.dmp

Filesize
512KB

Download
memory/1136-58-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/1136-59-0x0000000002BD0000-0x0000000002C50000-memory.dmp

Filesize
512KB

Download
memory/1504-178-0x0000000002C60000-0x0000000002CE0000-memory.dmp

Filesize
512KB

Download
memory/1504-176-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

Filesize
9.6MB

Download
memory/1504-175-0x0000000002C60000-0x0000000002CE0000-memory.dmp

Filesize
512KB

Download
memory/1504-174-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-39-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2184-26-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2184-0-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2184-36-0x000000001F3E0000-0x000000001FA16000-memory.dmp

Filesize
6.2MB

Download
memory/2184-37-0x000000001F3E0000-0x000000001FA16000-memory.dmp

Filesize
6.2MB

Download
memory/2268-306-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2268-287-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2308-168-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2308-166-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2308-194-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2308-202-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2316-65-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2316-68-0x000000001ED60000-0x000000001F242000-memory.dmp

Filesize
4.9MB

Download
memory/2316-38-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2316-123-0x0000000140000000-0x0000000140636000-memory.dmp

Filesize
6.2MB

Download
memory/2460-19-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-17-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/2460-22-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-23-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-20-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/2460-24-0x0000000002D24000-0x0000000002D27000-memory.dmp

Filesize
12KB

Download
memory/2460-25-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/2464-233-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2464-232-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2464-206-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2464-203-0x0000000140000000-0x0000000140170400-memory.dmp

Filesize
1.4MB

Download
memory/2664-273-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2664-283-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2664-255-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2696-186-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/2696-183-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-187-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/2696-184-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/2696-185-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

Filesize
9.6MB

Download
memory/2748-134-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/2748-147-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/2748-135-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2748-136-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/2748-137-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2748-140-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2776-21-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2776-15-0x0000000002C00000-0x0000000002C80000-memory.dmp

Filesize
512KB

Download
memory/2776-5-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2776-6-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2776-18-0x0000000002C04000-0x0000000002C07000-memory.dmp

Filesize
12KB

Download
memory/2776-16-0x0000000002C00000-0x0000000002C80000-memory.dmp

Filesize
512KB

Download
memory/2776-14-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2776-13-0x0000000002C00000-0x0000000002C80000-memory.dmp

Filesize
512KB

Download
memory/2776-12-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2956-167-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2956-128-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2956-125-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download
memory/2956-124-0x0000000140000000-0x000000014015E400-memory.dmp

Filesize
1.4MB

Download