Analysis
-
max time kernel
139s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
12-05-2024 09:05
Static task
static1
Behavioral task
behavioral1
Sample
New Project 1.exe
Resource
win7-20240419-en
Errors
General
-
Target
New Project 1.exe
-
Size
486KB
-
MD5
330f592f3a03c5e2c2ed4593d227f1a8
-
SHA1
55957a8e8d405569c655923dd9414c4ec6c45a0d
-
SHA256
0f10ed177734b40d0ca45eed258f8c3ca585323e32db8f3cab7387b61de0e679
-
SHA512
497f9308a49eb1e9451675f447c5774cbaf267dd77b69e1ab494609feca17a20224ac707e54abcb090ee90e1e8187e9fa681c200bcec97ac1bc36b0ce38d15c2
-
SSDEEP
12288:cWjF6EjvVYEaZ1hJcSx3ThB6xL3s7H4sn4/OxJrinEXL/sT:p68aZ1hlxlay5HdCuL
Malware Config
Extracted
xworm
reference-elliott.gl.at.ply.gg:37420
-
Install_directory
%Userprofile%
-
install_file
svchost.exe
Signatures
-
Detect Umbral payload 3 IoCs
resource yara_rule behavioral2/memory/1432-0-0x0000000000400000-0x000000000047C000-memory.dmp family_umbral behavioral2/files/0x0007000000023400-64.dat family_umbral behavioral2/memory/2008-121-0x000001D771070000-0x000001D7710B0000-memory.dmp family_umbral -
Detect Xworm Payload 3 IoCs
resource yara_rule behavioral2/memory/1432-0-0x0000000000400000-0x000000000047C000-memory.dmp family_xworm behavioral2/files/0x00080000000233f9-5.dat family_xworm behavioral2/memory/4256-118-0x0000000000320000-0x000000000033C000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4920 powershell.exe 4184 powershell.exe 2500 powershell.exe 4056 powershell.exe 5068 powershell.exe 4736 powershell.exe 3372 powershell.exe 1632 powershell.exe 4768 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts 2.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation New Project 1.exe Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation 1.exe Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation svchost.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk 1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk 1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk svchost.exe -
Executes dropped EXE 4 IoCs
pid Process 4256 1.exe 2008 2.exe 4568 svchost.exe 768 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\svchost.exe" 1.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\svchost.exe" svchost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 26 discord.com 29 discord.com -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 94 ip-api.com 13 ip-api.com 30 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 768 schtasks.exe 4208 schtasks.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 1420 wmic.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ New Project 1.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3144 PING.EXE -
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid Process 2008 2.exe 4736 powershell.exe 4736 powershell.exe 4516 powershell.exe 4516 powershell.exe 4860 powershell.exe 4860 powershell.exe 4412 powershell.exe 4412 powershell.exe 4208 powershell.exe 4208 powershell.exe 3372 powershell.exe 3372 powershell.exe 1632 powershell.exe 1632 powershell.exe 1632 powershell.exe 4768 powershell.exe 4768 powershell.exe 4768 powershell.exe 2500 powershell.exe 2500 powershell.exe 2500 powershell.exe 4256 1.exe 4256 1.exe 4056 powershell.exe 4056 powershell.exe 5068 powershell.exe 5068 powershell.exe 4920 powershell.exe 4920 powershell.exe 4184 powershell.exe 4184 powershell.exe 768 svchost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4256 1.exe Token: SeDebugPrivilege 2008 2.exe Token: SeIncreaseQuotaPrivilege 4836 wmic.exe Token: SeSecurityPrivilege 4836 wmic.exe Token: SeTakeOwnershipPrivilege 4836 wmic.exe Token: SeLoadDriverPrivilege 4836 wmic.exe Token: SeSystemProfilePrivilege 4836 wmic.exe Token: SeSystemtimePrivilege 4836 wmic.exe Token: SeProfSingleProcessPrivilege 4836 wmic.exe Token: SeIncBasePriorityPrivilege 4836 wmic.exe Token: SeCreatePagefilePrivilege 4836 wmic.exe Token: SeBackupPrivilege 4836 wmic.exe Token: SeRestorePrivilege 4836 wmic.exe Token: SeShutdownPrivilege 4836 wmic.exe Token: SeDebugPrivilege 4836 wmic.exe Token: SeSystemEnvironmentPrivilege 4836 wmic.exe Token: SeRemoteShutdownPrivilege 4836 wmic.exe Token: SeUndockPrivilege 4836 wmic.exe Token: SeManageVolumePrivilege 4836 wmic.exe Token: 33 4836 wmic.exe Token: 34 4836 wmic.exe Token: 35 4836 wmic.exe Token: 36 4836 wmic.exe Token: SeIncreaseQuotaPrivilege 4836 wmic.exe Token: SeSecurityPrivilege 4836 wmic.exe Token: SeTakeOwnershipPrivilege 4836 wmic.exe Token: SeLoadDriverPrivilege 4836 wmic.exe Token: SeSystemProfilePrivilege 4836 wmic.exe Token: SeSystemtimePrivilege 4836 wmic.exe Token: SeProfSingleProcessPrivilege 4836 wmic.exe Token: SeIncBasePriorityPrivilege 4836 wmic.exe Token: SeCreatePagefilePrivilege 4836 wmic.exe Token: SeBackupPrivilege 4836 wmic.exe Token: SeRestorePrivilege 4836 wmic.exe Token: SeShutdownPrivilege 4836 wmic.exe Token: SeDebugPrivilege 4836 wmic.exe Token: SeSystemEnvironmentPrivilege 4836 wmic.exe Token: SeRemoteShutdownPrivilege 4836 wmic.exe Token: SeUndockPrivilege 4836 wmic.exe Token: SeManageVolumePrivilege 4836 wmic.exe Token: 33 4836 wmic.exe Token: 34 4836 wmic.exe Token: 35 4836 wmic.exe Token: 36 4836 wmic.exe Token: SeDebugPrivilege 4736 powershell.exe Token: SeDebugPrivilege 4516 powershell.exe Token: SeDebugPrivilege 4860 powershell.exe Token: SeDebugPrivilege 4412 powershell.exe Token: SeIncreaseQuotaPrivilege 1472 wmic.exe Token: SeSecurityPrivilege 1472 wmic.exe Token: SeTakeOwnershipPrivilege 1472 wmic.exe Token: SeLoadDriverPrivilege 1472 wmic.exe Token: SeSystemProfilePrivilege 1472 wmic.exe Token: SeSystemtimePrivilege 1472 wmic.exe Token: SeProfSingleProcessPrivilege 1472 wmic.exe Token: SeIncBasePriorityPrivilege 1472 wmic.exe Token: SeCreatePagefilePrivilege 1472 wmic.exe Token: SeBackupPrivilege 1472 wmic.exe Token: SeRestorePrivilege 1472 wmic.exe Token: SeShutdownPrivilege 1472 wmic.exe Token: SeDebugPrivilege 1472 wmic.exe Token: SeSystemEnvironmentPrivilege 1472 wmic.exe Token: SeRemoteShutdownPrivilege 1472 wmic.exe Token: SeUndockPrivilege 1472 wmic.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4256 1.exe 768 svchost.exe 1528 LogonUI.exe -
Suspicious use of WriteProcessMemory 52 IoCs
description pid Process procid_target PID 1432 wrote to memory of 4256 1432 New Project 1.exe 83 PID 1432 wrote to memory of 4256 1432 New Project 1.exe 83 PID 1432 wrote to memory of 2008 1432 New Project 1.exe 84 PID 1432 wrote to memory of 2008 1432 New Project 1.exe 84 PID 2008 wrote to memory of 4836 2008 2.exe 86 PID 2008 wrote to memory of 4836 2008 2.exe 86 PID 2008 wrote to memory of 5020 2008 2.exe 90 PID 2008 wrote to memory of 5020 2008 2.exe 90 PID 2008 wrote to memory of 4736 2008 2.exe 92 PID 2008 wrote to memory of 4736 2008 2.exe 92 PID 2008 wrote to memory of 4516 2008 2.exe 94 PID 2008 wrote to memory of 4516 2008 2.exe 94 PID 2008 wrote to memory of 4860 2008 2.exe 96 PID 2008 wrote to memory of 4860 2008 2.exe 96 PID 2008 wrote to memory of 4412 2008 2.exe 98 PID 2008 wrote to memory of 4412 2008 2.exe 98 PID 2008 wrote to memory of 1472 2008 2.exe 102 PID 2008 wrote to memory of 1472 2008 2.exe 102 PID 2008 wrote to memory of 4468 2008 2.exe 104 PID 2008 wrote to memory of 4468 2008 2.exe 104 PID 2008 wrote to memory of 2920 2008 2.exe 106 PID 2008 wrote to memory of 2920 2008 2.exe 106 PID 2008 wrote to memory of 4208 2008 2.exe 108 PID 2008 wrote to memory of 4208 2008 2.exe 108 PID 2008 wrote to memory of 1420 2008 2.exe 110 PID 2008 wrote to memory of 1420 2008 2.exe 110 PID 4256 wrote to memory of 3372 4256 1.exe 113 PID 4256 wrote to memory of 3372 4256 1.exe 113 PID 4256 wrote to memory of 1632 4256 1.exe 116 PID 4256 wrote to memory of 1632 4256 1.exe 116 PID 4256 wrote to memory of 4768 4256 1.exe 118 PID 4256 wrote to memory of 4768 4256 1.exe 118 PID 4256 wrote to memory of 2500 4256 1.exe 120 PID 4256 wrote to memory of 2500 4256 1.exe 120 PID 2008 wrote to memory of 1556 2008 2.exe 122 PID 2008 wrote to memory of 1556 2008 2.exe 122 PID 1556 wrote to memory of 3144 1556 cmd.exe 124 PID 1556 wrote to memory of 3144 1556 cmd.exe 124 PID 4256 wrote to memory of 768 4256 1.exe 126 PID 4256 wrote to memory of 768 4256 1.exe 126 PID 768 wrote to memory of 4056 768 svchost.exe 142 PID 768 wrote to memory of 4056 768 svchost.exe 142 PID 768 wrote to memory of 5068 768 svchost.exe 144 PID 768 wrote to memory of 5068 768 svchost.exe 144 PID 768 wrote to memory of 4920 768 svchost.exe 146 PID 768 wrote to memory of 4920 768 svchost.exe 146 PID 768 wrote to memory of 4184 768 svchost.exe 148 PID 768 wrote to memory of 4184 768 svchost.exe 148 PID 768 wrote to memory of 4208 768 svchost.exe 150 PID 768 wrote to memory of 4208 768 svchost.exe 150 PID 768 wrote to memory of 1924 768 svchost.exe 154 PID 768 wrote to memory of 1924 768 svchost.exe 154 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 5020 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Project 1.exe"C:\Users\Admin\AppData\Local\Temp\New Project 1.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2500
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"3⤵
- Creates scheduled task(s)
PID:768
-
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4836
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"3⤵
- Views/modifies file attributes
PID:5020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 23⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4412
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory3⤵PID:4468
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵PID:2920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4208
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name3⤵
- Detects videocard installed
PID:1420
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause3⤵
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\system32\PING.EXEping localhost4⤵
- Runs ping.exe
PID:3144
-
-
-
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Executes dropped EXE
PID:4568
-
C:\Users\Admin\svchost.exeC:\Users\Admin\svchost.exe1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4184
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"2⤵
- Creates scheduled task(s)
PID:4208
-
-
C:\Windows\system32\shutdown.exeshutdown.exe /f /s /t 02⤵PID:1924
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38e1855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1528
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
948B
MD5c65738617888921a153bd9b1ef516ee7
SHA15245e71ea3c181d76320c857b639272ac9e079b1
SHA2564640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26
SHA5122e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa
-
Filesize
1KB
MD5548dd08570d121a65e82abb7171cae1c
SHA11a1b5084b3a78f3acd0d811cc79dbcac121217ab
SHA256cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc
SHA51237b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b
-
Filesize
1KB
MD5f341c638900fa7d6bea05d1cf0c91e90
SHA1b91e3dc9ed7acdb0418aaf98be8dbfefd7365b35
SHA2561180a0e5cd1d7e9d2db4187bc9538b97953f98805d1209727a257ad5613846b2
SHA512d75b5dddd7e51d6f373de4e6d5373cb43d2af645e793d6bcbf65005874be9615866b3db4e20540880077ba6dabeccbd779af470ebbe55522dc40f9288a213987
-
Filesize
64B
MD5a67eee085e8f68aaffbfdb51503d6561
SHA129db9b41945c6a5d27d5836a1c780668eded65a0
SHA2566e155bcc98f4e175a8701f030b73b14d9002b175ef58a19cb9010af3964e36b4
SHA5127923bc74260e77d62b20cf510b79e0422563469ec3543084a989db154b1e39370f1a6e6c6e73caa7471d0974a693b1beb4fd2ddfb14b0b5c58650b5df3c32d81
-
Filesize
944B
MD596ff1ee586a153b4e7ce8661cabc0442
SHA1140d4ff1840cb40601489f3826954386af612136
SHA2560673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA5123404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569
-
Filesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
Filesize
944B
MD522310ad6749d8cc38284aa616efcd100
SHA1440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA25655b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA5122ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
-
Filesize
944B
MD5929039f18a6c7352b68db3eee415ee47
SHA16711f5be6de777b7e1ff21fa43d05d83c90e3ef2
SHA256c0038cbc4c22ad0eced4c7576a6fd33fa635e72b65a85a0a047538a8e038c487
SHA5129fcc5aeb4aca36867d8cbfd33366fed75caa5802548bb543483d8441252a8fc8655bfa9a927cea61d5c037efbe6a00a047322192b51bd9977cc0fb2a2aa43faa
-
Filesize
944B
MD5eb1ad317bd25b55b2bbdce8a28a74a94
SHA198a3978be4d10d62e7411946474579ee5bdc5ea6
SHA2569e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
-
Filesize
944B
MD53f038ac2e2ceadad0f78317ea7de6881
SHA1f2ee66d1ab22d5594426a26e9d2628ce29b037a7
SHA256475591875182108710538a2ea21a89e0ffa1df43f776689288e0fa96da46efb7
SHA512f751f1f06b79550af211a9bf39d59712bb60f4e2c79a24d850970b1d40e871c2e53ce84ed4f5d974dad53cdbfb95d38a8eff9f871f22ae2d3e772deb731715f4
-
Filesize
944B
MD5a7cc007980e419d553568a106210549a
SHA1c03099706b75071f36c3962fcc60a22f197711e0
SHA256a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165
SHA512b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666
-
Filesize
88KB
MD54e4ffd6981f1d7df1e06e02c7a52e86a
SHA1970d227a122a826f587fb49c694a422ec6aff1e0
SHA256353010e5cbdfb234aadfcb40b517b51b24bbac81b64d794d5d8f8b1cd0cd6031
SHA5121f75401fe015416453119bb92ea46c71412f342fe4bf1170bc2655a1c4f1fb4344bdff64df8dfd54f8203b30445225a70f12790432d3b59693e96de2fa5750ec
-
Filesize
230KB
MD58068d967a754039c953d677ed75caa65
SHA1c6ca62d0e3f84f4018546cdf40b14ac80b06af95
SHA256b2811334ba1ec945f7f2f1b1976e72dd634a4cf8b5679ceb4c90816d5b646b11
SHA5128f8f9b0c50f3178daa1df6ce16755c7a0de24872a344fe6b93d1a9b11cfad2faa1ed5ad58c6ac9904b889188d8efaba2d51e4240e7a813fffe6878ec8970954c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
776B
MD5862e3a25ddd4cfbd981cdcf254a6f656
SHA1cba184e079b837bf9644fc3c87fa943c6877fcf4
SHA256b8893f2135993167055bf26f6125fb536eedc59cb090fc561ab7a222bb8de28d
SHA512d10fd782853eb6b2f3baaadbf29d963c842674f270a01c3abdc133e96eafbc678b1844f1ecb4c9308a1da7fe159d49f5fee03bbbf787ff187212ebfbc46e5069