Resubmissions

Submitted           Analysis ID           Score
12-04-2024 14:13    240412-rjrz5aba72     8
12-04-2024 14:12    240412-rh8aqaba68     7
12-04-2024 14:05    240412-rd9mzsea7x     8
12-04-2024 14:05    240412-rd82fsea7v     8
12-04-2024 14:05    240412-rd8exsea7t     8
09-04-2024 07:05    240409-hws9aacd6z     8
09-04-2024 07:05    240409-hwljfacd6x     8
09-04-2024 07:04    240409-hwbz1acd6t     8
09-04-2024 07:03    240409-hvcvxacd3y     8
15-01-2024 20:15    240115-y1q8gsfdf2     7

Analysis
Max time kernel: 1800s
Max time network: 1808s
Platform: windows10-1703_x64
Resource: win10-20240319-en
Resource tags: arch:x64, arch:x86, image:win10-20240319-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 12-04-2024 14:13
Static task
- static1

Behavioral tasks (sample tmp.exe in each)
- behavioral1: win7-20240221-en
- behavioral2: win10-20240319-en
- behavioral3: win10v2004-20240412-en
- behavioral4: win11-20240221-en
General

Target: tmp.exe
Size: 9.4MB
MD5: db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1: 2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256: a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512: 121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
SSDEEP: 98304:kT2OhoLUWeKqyubAguIYylB9RK0RU4lFp887VO0J/yLaeWwGvJldmxe:VOE/IYypvU4loRpK
Malware Config
Signatures

Contacts a large (551) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Modifies Windows Firewall (2 TTPs, 22 IoCs)
Processes (pid process): 4920 netsh.exe, 3624 netsh.exe, 4308 netsh.exe, 2848 netsh.exe, 4420 netsh.exe, 5036 netsh.exe, 4376 netsh.exe, 5036 netsh.exe, 1468 netsh.exe, 2240 netsh.exe, 4676 netsh.exe, 632 netsh.exe, 4808 netsh.exe, 3916 netsh.exe, 1812 netsh.exe, 4352 netsh.exe, 212 netsh.exe, 3076 netsh.exe, 1172 netsh.exe, 3388 netsh.exe, 3628 netsh.exe, 4532 netsh.exe
Executes dropped EXE (12 IoCs)
Processes (pid process):
- 4916 svchost.exe
- 3892 ~tl76C3.tmp
- 3952 svchost.exe
- 4016 ~tl5A3D.tmp
- 4312 svchost.exe
- 4504 ~tl368A.tmp
- 1660 svchost.exe
- 1904 ~tl9A96.tmp
- 3932 svchost.exe
- 4212 ~tl46E.tmp
- 3184 svchost.exe
- 3372 ~tl6D0E.tmp
Drops file in System32 directory (42 IoCs)
Every path is under C:\Windows\system32\config\systemprofile\, the profile of the LocalSystem account, so these are SYSTEM-context processes writing their own browser cache, PowerShell and CLR artefacts. Grouped by file, with the number of events per process:
- File created AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm: svchost.exe (x4); ~tl46E.tmp, ~tl6D0E.tmp, ~tl9A96.tmp, ~tl368A.tmp (x1 each)
- File created AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg: svchost.exe (x4)
- File created AppData\Local\Microsoft\Windows\INetCache\IE\DF2NDXKH.htm: ~tl9A96.tmp (x1)
- File opened for modification AppData\Local\Microsoft\Windows\INetCache\counters2.dat: svchost.exe (x4); ~tl368A.tmp, ~tl9A96.tmp, ~tl6D0E.tmp, ~tl46E.tmp (x1 each)
- File opened for modification AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72F69839B678B3EFA9DBC1C158DE06B9 and AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\72F69839B678B3EFA9DBC1C158DE06B9: ~tl9A96.tmp (x1 each)
- File opened for modification AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 and AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751: ~tl9A96.tmp (x1 each)
- File opened for modification AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive: powershell.exe (x15); File created, same path: powershell.exe (x1)
- File created AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log: powershell.exe (x1)
Drops file in Windows directory (11 IoCs)
Note the drop location: C:\Windows\System\, not C:\Windows\System32\ where the legitimate svchost.exe lives.
- File created C:\Windows\System\xxx1.bak: tmp.exe (x1), svchost.exe (x6), ~tl76C3.tmp (x1)
- File created C:\Windows\System\svchost.exe: tmp.exe (x1)
- File opened for modification C:\Windows\System\svchost.exe: tmp.exe (x1), ~tl76C3.tmp (x1)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid process): 5024 schtasks.exe, 4536 schtasks.exe
Modifies data under HKEY_USERS (64 IoCs)
Every key is under \REGISTRY\USER\.DEFAULT (HKU\.DEFAULT, the hive SYSTEM-context processes see as their user hive). ZoneMap below means Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap. Grouped by process:
- powershell.exe, Key created (45 events) in the per-user certificate stores and related keys: Software\Microsoft\SystemCertificates\{Root, Root\CRLs, Root\CTLs, CA\Certificates, CA\CRLs, CA\CTLs, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs, trust\CRLs, trust\CTLs, TrustedPeople\Certificates, TrustedPeople\CRLs, SmartCardRoot\Certificates, SmartCardRoot\CRLs, SmartCardRoot\CTLs}; Software\Policies\Microsoft\SystemCertificates\{CA\Certificates, CA\CRLs, CA\CTLs, Disallowed\Certificates, Disallowed\CTLs, trust, trust\CRLs, trust\CTLs, TrustedPeople, TrustedPeople\CTLs}; Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing; ZoneMap\
- powershell.exe, Set value (8 events): ZoneMap\IntranetName = "1" (x3), ZoneMap\ProxyBypass = "1" (x3), ZoneMap\UNCAsIntranet = "1" (x1), Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (x1; UTF-16LE multi-string "en-US", "en")
- svchost.exe (4 events): Set value ZoneMap\UNCAsIntranet = "1" (x1), ZoneMap\ProxyBypass = "1" (x2); Key created ZoneMap\ (x1)
- netsh.exe (2 events): Key created SYSTEM\CurrentControlSet\Control\NetTrace and System\CurrentControlSet\Control\NetTrace\Session
- ~tl9A96.tmp (3 events): Set value Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList (same data as above), Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (no value shown), ZoneMap\ProxyBypass = "1"
- ~tl6D0E.tmp (1 event): Set value ZoneMap\UNCAsIntranet = "1"
- ~tl46E.tmp (1 event): Set value Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
The certificate-store and ZoneMap keys are what PowerShell and WinINet create on first use under a profile that has never run them; the signature fires on volume, not on any single suspicious value.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid process, events each):
- powershell.exe: 5116, 1632, 1172, 5008, 1236, 3052, 1452, 3600, 3788, 5076, 3472, 2960, 3936, 4592, 1080, 1412 (x3 each)
- tmp.exe: 3152 (x2)
- ~tl76C3.tmp: 3892 (x4)
- svchost.exe: 3952, 4312, 1660 (x2 each)
- ~tl5A3D.tmp: 4016 (x2)
- ~tl368A.tmp: 4504 (x2)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (pid process: privileges adjusted):
- 5116 powershell.exe and 1172 powershell.exe (22 entries each): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege (a second time), SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 1236 powershell.exe (17 entries, the same sequence up to SeUndockPrivilege; the list stops at the 64-IoC cap)
- 1632, 5008 and 3052 powershell.exe: SeDebugPrivilege (x1 each)
The numeric entries 33 to 36 are privilege LUIDs the sandbox did not resolve to names. The long sequence is the full set of privileges an elevated token holds being enabled in one sweep, which is why the signature is only "suspicious": legitimate admin tooling does the same.
Suspicious use of WriteProcessMemory (64 IoCs)
Parent -> children (pid process; every pair is recorded twice, 64 events in total):
- 3152 tmp.exe -> 5116 powershell.exe, 1632 powershell.exe, 4604 schtasks.exe, 5024 schtasks.exe, 4916 svchost.exe
- 4916 svchost.exe -> 1172 powershell.exe, 5008 powershell.exe, 3892 ~tl76C3.tmp
- 3892 ~tl76C3.tmp -> 432 netsh.exe, 632 netsh.exe, 4920 netsh.exe, 1236 powershell.exe, 3052 powershell.exe, 2760 schtasks.exe, 4536 schtasks.exe, 3952 svchost.exe
- 3952 svchost.exe -> 3988 netsh.exe, 3624 netsh.exe, 5036 netsh.exe, 1452 powershell.exe, 3600 powershell.exe, 4016 ~tl5A3D.tmp
- 4016 ~tl5A3D.tmp -> 1456 netsh.exe, 4808 netsh.exe, 212 netsh.exe, 3788 powershell.exe, 5076 powershell.exe
- 4312 svchost.exe -> 3128 netsh.exe, 3076 netsh.exe, 3916 netsh.exe, 3472 powershell.exe, 2960 powershell.exe
These writes are the parent populating its freshly created child (CreateProcess does this for every child), so on their own they are not injection evidence; the parent/child map is the useful part.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

The first tree is one loop repeated at every generation: two PowerShell calls add Defender path exclusions for C:\Windows (once as c:\windows\, once in the \\?\C:\Windows \ spelling), schtasks deletes and recreates the task "Timer" that runs c:\windows\system\svchost.exe as SYSTEM every 7 minutes, and the dropped C:\Windows\System\svchost.exe is started. That copy widens the TCP dynamic port range with netsh, adds inbound and outbound firewall allow rules named "SvcHostX" for itself, repeats the exclusion and task steps, and runs a ~tl<hex>.tmp stage that starts the cycle again. Indentation is process depth; "sig" lists the signatures the sandbox attached to the process.

PID 3152  C:\Users\Admin\AppData\Local\Temp\tmp.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  sig: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    PID 5116  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      sig: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID 1632  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      sig: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID 4604  C:\Windows\SYSTEM32\schtasks.exe
      cmd: schtasks /delete /TN "Timer"
    PID 5024  C:\Windows\SYSTEM32\schtasks.exe
      cmd: schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      sig: Creates scheduled task(s)
    PID 4916  C:\Windows\System\svchost.exe
      cmd: "C:\Windows\System\svchost.exe" formal
      sig: Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
        PID 1172  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          sig: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        PID 5008  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          sig: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        PID 3892  C:\Users\Admin\AppData\Local\Temp\~tl76C3.tmp
          cmd: C:\Users\Admin\AppData\Local\Temp\~tl76C3.tmp
          sig: Executes dropped EXE; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
            PID 432  C:\Windows\SYSTEM32\netsh.exe
              cmd: netsh int ipv4 set dynamicport tcp start=1025 num=64511
            PID 632  C:\Windows\System32\netsh.exe
              cmd: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
              sig: Modifies Windows Firewall
            PID 4920  C:\Windows\System32\netsh.exe
              cmd: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
              sig: Modifies Windows Firewall
            PID 1236  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
              sig: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            PID 3052  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
              sig: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            PID 2760  C:\Windows\SYSTEM32\schtasks.exe
              cmd: schtasks /delete /TN "Timer"
            PID 4536  C:\Windows\SYSTEM32\schtasks.exe
              cmd: schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
              sig: Creates scheduled task(s)
            PID 3952  C:\Windows\System\svchost.exe
              cmd: "C:\Windows\System\svchost.exe" formal
              sig: Executes dropped EXE; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
                PID 3988  C:\Windows\SYSTEM32\netsh.exe
                  cmd: netsh int ipv4 set dynamicport tcp start=1025 num=64511
                PID 3624  C:\Windows\System32\netsh.exe
                  cmd: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  sig: Modifies Windows Firewall
                PID 5036  C:\Windows\System32\netsh.exe
                  cmd: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  sig: Modifies Windows Firewall
                PID 1452  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  sig: Suspicious behavior: EnumeratesProcesses
                PID 3600  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  sig: Suspicious behavior: EnumeratesProcesses
                PID 4016  C:\Users\Admin\AppData\Local\Temp\~tl5A3D.tmp
                  cmd: C:\Users\Admin\AppData\Local\Temp\~tl5A3D.tmp
                  sig: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
                    PID 1456  C:\Windows\SYSTEM32\netsh.exe
                      cmd: netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    PID 4808  C:\Windows\System32\netsh.exe
                      cmd: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      sig: Modifies Windows Firewall
                    PID 212  C:\Windows\System32\netsh.exe
                      cmd: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      sig: Modifies Windows Firewall
                    PID 3788  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      sig: Suspicious behavior: EnumeratesProcesses
                    PID 5076  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      sig: Suspicious behavior: EnumeratesProcesses
[depth 1] \??\c:\windows\system\svchost.exe
  command line: c:\windows\system\svchost.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4312
[depth 2] C:\Windows\system32\netsh.exe
  command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
  - Modifies data under HKEY_USERS
  PID: 3128
[depth 2] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  PID: 3076
[depth 2] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  PID: 3916
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID: 3472
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID: 2960
[depth 2] C:\Windows\TEMP\~tl368A.tmp
  command line: C:\Windows\TEMP\~tl368A.tmp
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 4504
[depth 3] C:\Windows\system32\netsh.exe
  command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
  PID: 3136
[depth 3] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  PID: 1172
[depth 3] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  PID: 4376
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 3936
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID: 4592
-
[depth 1] \??\c:\windows\system\svchost.exe
  command line: c:\windows\system\svchost.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID: 1660
[depth 2] C:\Windows\system32\netsh.exe
  command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
  PID: 2564
[depth 2] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  PID: 4308
[depth 2] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  PID: 5036
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID: 1080
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID: 1412
[depth 2] C:\Windows\TEMP\~tl9A96.tmp
  command line: C:\Windows\TEMP\~tl9A96.tmp
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 1904
[depth 3] C:\Windows\system32\netsh.exe
  command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
  PID: 3604
[depth 3] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  PID: 3388
[depth 3] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  PID: 2848
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 4508
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 868
-
[depth 1] \??\c:\windows\system\svchost.exe
  command line: c:\windows\system\svchost.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 3932
[depth 2] C:\Windows\system32\netsh.exe
  command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
  PID: 4940
[depth 2] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  PID: 4420
[depth 2] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  PID: 3628
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 4960
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2176
[depth 2] C:\Windows\TEMP\~tl46E.tmp
  command line: C:\Windows\TEMP\~tl46E.tmp
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 4212
[depth 3] C:\Windows\system32\netsh.exe
  command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
  PID: 4820
[depth 3] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  PID: 1468
[depth 3] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  PID: 1812
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 4508
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 3508
-
[depth 1] \??\c:\windows\system\svchost.exe
  command line: c:\windows\system\svchost.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 3184
[depth 2] C:\Windows\system32\netsh.exe
  command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
  PID: 1448
[depth 2] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  PID: 4532
[depth 2] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  PID: 4352
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2376
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 4112
[depth 2] C:\Windows\TEMP\~tl6D0E.tmp
  command line: C:\Windows\TEMP\~tl6D0E.tmp
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 3372
[depth 3] C:\Windows\system32\netsh.exe
  command line: netsh int ipv4 set dynamicport tcp start=1025 num=64511
  - Modifies data under HKEY_USERS
  PID: 4912
[depth 3] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  PID: 2240
[depth 3] C:\Windows\System32\netsh.exe
  command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
  - Modifies Windows Firewall
  PID: 4676
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 976
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 1516
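The tree above repeats one host-modification chain under every svchost.exe instance: a scheduled task named "Timer" that runs c:\windows\system\svchost.exe as SYSTEM every 7 minutes (the genuine svchost.exe lives in System32, so this is a name-and-location masquerade), a netsh call that widens the TCP dynamic port range to 1025-65535 (start=1025 plus num=64511 ports, against the Windows default of 49152-65535), inbound and outbound firewall allow rules named SvcHostX for the dropped binary, and two Defender path exclusions: one for c:\windows\ and one for \\?\C:\Windows \ with a trailing space, which the \\?\ prefix preserves because it bypasses Win32 path normalization. As an added example, not part of the sandbox report, the Python below applies one detection rule per step to process-creation records. The records are constructed from the report's own command lines plus three benign controls; the rule names, the port-range threshold and the ATT&CK labels are the example's choices, not the sandbox's.

```python
# Added example: rule-based triage of process-creation records for the chain
# in the tree above. Sample records are constructed from the report's command
# lines plus benign controls; nothing here queries a live host.
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str     # full path of the executable
    cmdline: str   # command line as logged


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str
    detail: str


SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
BROAD_ROOTS = {"c:", "c:\\windows", "c:\\users", "c:\\programdata"}
DEFAULT_EPHEMERAL_PORTS = 16384  # Windows default dynamic range is 49152-65535


def strip_quotes(s: str) -> str:
    return s.strip('"')


def normalize_path(p: str) -> str:
    # Unquote, drop the \\?\ extended-length prefix and lower-case. The prefix
    # bypasses Win32 path normalization, which is what lets a directory name
    # with a trailing space survive; the space is kept so a rule can see it.
    p = strip_quotes(p)
    if p.startswith("\\\\?\\"):
        p = p[4:]
    return p.lower()


def is_masquerading(path: str) -> bool:
    # System-binary file name living outside System32/SysWOW64 (T1036.005).
    p = normalize_path(path)
    return ntpath.basename(p) in SYSTEM_BINARY_NAMES and ntpath.dirname(p) not in SYSTEM_DIRS


def in_user_writable_dir(path: str) -> bool:
    return normalize_path(path).startswith(USER_WRITABLE_PREFIXES)


def check_image(ev: ProcEvent) -> list:
    if is_masquerading(ev.image):
        return [Finding(ev.pid, "T1036.005 Masquerading", f"{ev.image} is not the System32 binary")]
    if in_user_writable_dir(ev.image):
        return [Finding(ev.pid, "Execution from user-writable path", ev.image)]
    return []


def check_schtasks(ev: ProcEvent) -> list:
    cl = ev.cmdline
    if ntpath.basename(ev.image).lower() != "schtasks.exe" or not re.search(r"/create\b", cl, re.I):
        return []
    m = re.search(r'/tr\s+("[^"]*"|\S+)', cl, re.I)
    target = strip_quotes(m.group(1)) if m else ""
    reasons = []
    if is_masquerading(target) or in_user_writable_dir(target):
        reasons.append(f"/tr runs {target}")
    if re.search(r"/ru\s+system\b", cl, re.I):
        reasons.append("runs as SYSTEM")
    return [Finding(ev.pid, "T1053.005 Scheduled Task", "; ".join(reasons))] if reasons else []


def check_dynamicport(ev: ProcEvent) -> list:
    m = re.search(r"set\s+dynamicport\s+(tcp|udp)\s+start=(\d+)\s+num=(\d+)", ev.cmdline, re.I)
    if not m or int(m.group(3)) <= DEFAULT_EPHEMERAL_PORTS:
        return []
    proto, start, num = m.group(1).lower(), int(m.group(2)), int(m.group(3))
    return [Finding(ev.pid, "Ephemeral port range widened",
                    f"{proto} dynamic ports set to {start}-{start + num - 1} ({num} ports)")]


def check_firewall_rule(ev: ProcEvent) -> list:
    cl = ev.cmdline
    if not re.search(r"advfirewall\s+firewall\s+add\s+rule", cl, re.I):
        return []
    kv = {k.lower(): strip_quotes(v) for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', cl)}
    program = kv.get("program", "")
    if kv.get("action", "").lower() != "allow" or not (is_masquerading(program) or in_user_writable_dir(program)):
        return []
    return [Finding(ev.pid, "T1562.004 Disable or Modify System Firewall",
                    f"allow rule {kv.get('name', '?')!r} dir={kv.get('dir', '?')} for {program}")]


def check_defender_exclusion(ev: ProcEvent) -> list:
    m = re.search(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(.+?)\s*$", ev.cmdline, re.I)
    if not m:
        return []
    kind, value = m.group(1), strip_quotes(m.group(2))
    notes = [f"-Exclusion{kind} {value}"]
    if value.startswith("\\\\?\\"):
        notes.append("extended-length prefix")
    body = normalize_path(value).rstrip("\\")
    if body != body.rstrip():
        notes.append("directory name ends in whitespace")
    if body.rstrip() in BROAD_ROOTS:
        notes.append(f"entire {body.rstrip()} tree excluded from scanning")
    return [Finding(ev.pid, "T1562.001 Disable or Modify Tools", "; ".join(notes))]


CHECKS = (check_image, check_schtasks, check_dynamicport, check_firewall_rule, check_defender_exclusion)


def analyze(events) -> list:
    return [f for ev in events for check in CHECKS for f in check(ev)]


def summarize(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # first eight copied from the tree above; last three are constructed benign controls
    ProcEvent(3952, r"C:\Windows\System\svchost.exe", r'"C:\Windows\System\svchost.exe" formal'),
    ProcEvent(4536, r"C:\Windows\SYSTEM32\schtasks.exe",
              r'schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM'),
    ProcEvent(3988, r"C:\Windows\SYSTEM32\netsh.exe", "netsh int ipv4 set dynamicport tcp start=1025 num=64511"),
    ProcEvent(3624, r"C:\Windows\System32\netsh.exe", r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
              r'name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes'),
    ProcEvent(5036, r"C:\Windows\System32\netsh.exe", r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
              r'name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes'),
    ProcEvent(1452, PS, f'"{PS}" Add-MpPreference -ExclusionPath c:\\windows\\'),
    ProcEvent(3600, PS, f'"{PS}" Add-MpPreference -ExclusionPath \\\\?\\C:\\Windows \\'),
    ProcEvent(4016, r"C:\Users\Admin\AppData\Local\Temp\~tl5A3D.tmp", r"C:\Users\Admin\AppData\Local\Temp\~tl5A3D.tmp"),
    ProcEvent(1000, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ProcEvent(1001, r"C:\Windows\System32\netsh.exe", "netsh advfirewall show allprofiles"),
    ProcEvent(1002, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"PID {f.pid:<5} {f.technique:<45} {f.detail}")
    print(summarize(analyze(SAMPLE_EVENTS)))
```

Run against the sample records, the script flags the eight events copied from the tree and none of the three controls. On a live host the same artefacts can be confirmed with Get-ScheduledTask -TaskName Timer, Get-NetFirewallRule -DisplayName SvcHostX, (Get-MpPreference).ExclusionPath and netsh int ipv4 show dynamicport tcp; the exclusion list will contain the trailing-space entry, which is easy to overlook when read by eye, so compare it programmatically as the normalize_path helper does rather than trimming whitespace first.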
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize: 3KB
MD5: ad5cd538ca58cb28ede39c108acb5785
SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize: 1KB
MD5: 0a0459bda803302e2cf523df290c21eb
SHA1: 230dbe5c1c04854f3805cf0dba1d45b6329126c2
SHA256: cc42995442405d73655067690a9558d4b5bb9d15589447d4ae2a9b8465d0331a
SHA512: f4628f5e95ce1c57eae122ed78d7e73f57a9166b02acd5aac28e86eccf743fc37b1909ea30f4d513d400028cccce56e449b6f1eeb579f21fe734019aae6fca6c
-
Filesize: 1KB
MD5: 94db75b896d0aac2566638f1b52777b6
SHA1: 49f2bc55d4c5710a102f2edaab8deeddec0ca8b4
SHA256: 8fc7e7f05374c437b32c3614dc2bed703456ed4800bd91a603551f37c1159e12
SHA512: 1a61bc80830d9735a7da5744b32a58a3b0a97305e2de8f9264561d10513ea14684201e3e0af48808f0ea8c2e0ba89ace5ad9d8971c715401a5c03e8b45d61298
-
Filesize: 1KB
MD5: d02618af1b88f14aeca4d943f7096a96
SHA1: ee1fbfa20916814cf460a28626a61a13cbf5c5e6
SHA256: 9df1cbf203996da03dc0f2cd1924b10b5f4cf1458e424568c7f06951fea3c846
SHA512: 75ff3deea3de0300c309513ea279a55f6fac91f9577942426b1d88e18e813e98554457b0f3cbabbf896970d819cabfcbe5bb3dfc524d68ba708bd38f7d82ee62
-
Filesize: 1KB
MD5: a360cf8015ee77017ee6d2209d0fa001
SHA1: f4ceb96c863f143958956210be30adf92b195f48
SHA256: b8df81ff996375a85b8d6df7d8b3741864f6fb1e258408f174eca645b8ed0aae
SHA512: 2a80d040146abeb516e3c19a6e5d4aac3353a8ba94fcb9e30e8e4ad6262c63ca7b1e50eb3eea8739ca9a808893833d6d4e717aca8c7c3aac667cc8126a104fb2
-
Filesize: 1KB
MD5: 79071d221e4687e70188b41faae7bcc3
SHA1: 5077308beaae78da26975748dc6065c686ffd50e
SHA256: 57cb4484ff1fd9d7a9d7bf836fc5969db306b25f7dc5e9408071c3460ffccd5a
SHA512: 411852ffafd2ee2d13dd97e1e2bd3f077c41ede7de4e4fe292df3b4ede878d10ed24bbbefb3e0242bb26a9cf15016856df69e03606fc8e29c3649dd404a2945e
-
Filesize: 1B (these are the standard hashes of the single ASCII character "1")
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize: 393KB
MD5: 9dbdd43a2e0b032604943c252eaf634a
SHA1: 9584dc66f3c1cce4210fdf827a1b4e2bb22263af
SHA256: 33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86
SHA512: b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1
-
Filesize: 385KB
MD5: e802c96760e48c5139995ffb2d891f90
SHA1: bba3d278c0eb1094a26e5d2f4c099ad685371578
SHA256: cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c
SHA512: 97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0
-
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg
Filesize: 393KB
MD5: 72e28e2092a43e0d70289f62bec20e65
SHA1: 944f2b81392ee946f4767376882c5c1bda6dddb5
SHA256: 6ec8fe67dc01d8c3de9cfc94ca49ae25e46ed61f5a48f1a956ef269efa4ae08f
SHA512: 31c0587cd1df4d63088973d72a015b144b64411031ac4c1904c54c4f43b5990b8016cc6d29e3b0238f86432005588c72b98806306918fdaf2786498de340e466
-
Filesize: 9.4MB
MD5: db3edf03a8a2c8e96fe2d2deaaec76ff
SHA1: 2d9c9f3a5d06f11c5c881a9df90ba33cc2894ac1
SHA256: a40cac0b6ee1729cdb6fca3c950e533b913c2729afbd2fde045e86cc62c0ff60
SHA512: 121b6ba2c7a91a8639b4b88d9965528df245534ec65c4f1d463dbcc3aa2719debb4417a1a7d919527155097cc00521576b25b2d061b149d0c8b82ca999054135
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 3KB
MD5: 478f1c1fcff584f4f440469ed71d2d43
SHA1: 0900e9dc39580d527c145715f985a5a86e80b66c
SHA256: c918bf6bad93b653f9d05007634b088be7b91ed4350b777905d0520d93d650eb
SHA512: 4ed62f2add77e0dd8e07e101ee06bdb8a15808b701c7580b09704bd4befdecf7cfe2fa29d6e96f2149a92f4e1b0cae0d9810a5cde3f4940145f8120f7322d1a7
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: f1d0fa0fbb2eaa741db1e01e7c35e998
SHA1: 9415ce4777b3ced19dd08ee3b36f93538fcd0b9e
SHA256: 8990d961219b8fc613b4076ec95f703d828bee8573d46ae4deb34dfaeef729ee
SHA512: 6680d8abbbad9029362330f183cd21a1092c0c66cbd1c31dfba6771812b73f1796097d97b656af6e745dd6d7e9b49bb0ada6589127217a89ad3acc06e1a448e6
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 59b7940255e695e56f2ff07ec776cc1b
SHA1: d201152ec6c8f2d919023d1e61d0bb21c454aadd
SHA256: 6b9f7fc997d0432bed14ea44b70f540fbb71b281ce60d9eee97336e07242c6b7
SHA512: c3c1b0b0b711896faf2ae0505e24e0ccc25ca01dc1996b25448b6e0c3db691f6c13ce6c3a77c9ea6292f9603d9aeb0cdfd34056adbf47132cf0e9af3121aa5ff
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 23d4e2e3a278c84084aaad203a1cb633
SHA1: 2d05b8d0663bc1aec39166588b3c7842e9404333
SHA256: 0767e7341e69b30596fae5e3acf11fe36de203206b320eedaaa533b2a735ab9a
SHA512: 48aabc0aff5304c639d0952337871278dba135306e9896caa53d85f1d18db2b955ff0dbcdadf509bebff5e7b3a58e72f4ec9a203a01ea2492a901f0f108dda0d
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 890f33594f0e1f1a0ccfb292c152470b
SHA1: a79f767eda24dc2ac3b80150f91c2d664dff263b
SHA256: eb04c89db705f473a42a954f66d4ee987a14fdd684b3fb275a1a15c064c0089f
SHA512: 43f933d479a2ae9352cca9573c0383bafe4abd06b6c88746daf04d64c57c92cb6a0f3c6e03d0c2ee3248a462d849341e413d184f21e77f159833a4b1da0b40a3
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 216f88c3470119ed38f9618b6b29f468
SHA1: f28f7947ea3d860513c24c3f09887545c79a1a3f
SHA256: 4b4e4a6bc61cd7f9d510f284f5f52fdcfc161da75626a362d12b629171927c91
SHA512: 4a0288fc89463e7f2f2fae6533cff173fb98d526b6f997a077138c865fa9792a56111bdb0a106a2ddaf9e898933a0388ccca99d79c1c229dd1eae3d99456e120
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: a70e9e763172da7006a43773d2968615
SHA1: dbddc97e6281e0e9c644994086cbcddc4595fb3a
SHA256: 961be0313ff5dc729d73ecc4dea4969098232ef39b8950683b7ac114f3c11b4a
SHA512: 39798d75be1b4774a6e26c0a072b30c70e5e6af2d9965fc47835e9112e969b00c405fa4da8a725267c9f1031228a68bc4153f8c673b2e57df169d73ec6ad61ac
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 102f8b661aa8d01905ad1adac3340ad7
SHA1: 50c3678a6997d45aa2c1126ad9a727cd9bf6089a
SHA256: ac75b26a8c473469f80788553c2dcdd932799a6524ecf593b8b1c363c626c808
SHA512: 54acd352242621c1ce8221fd7075060bedb58b1f3009d0735f63e0173f33e2db1ff8a9d01b4db978fb60f9d3cb9fc1cc221785aeb3fc3b840edaaf4b1dc9dc0d
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 631f4b3792b263fdda6b265e93be4747
SHA1: 1d6916097d419198bfdf78530d59d0d9f3e12d45
SHA256: 4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976
SHA512: e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe