Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-05-2024 15:22

Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.DownLoader46.2135.7325.13890.exe
  Resource: win7-20240215-en
General

Target: SecuriteInfo.com.Trojan.DownLoader46.2135.7325.13890.exe
Size: 104KB
MD5: 9a24a00438a4d06d64fe4820061a1b45
SHA1: 6e59989652dff276a6dfa0f287b6c468a2f04842
SHA256: 66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54
SHA512: 80e97c8c389554ba0512b7f496dd03e82f2a627568eca631a6393033d540a70779fc7eae2485d1b9ca3657beb8ae9a86fd08ecd5dba678407bf8e63bef9a4629
SSDEEP: 1536:KlULHCIFmav82fkJMTZ0imzS6ussgExLXCxnbKG:wUDeO9TZH6SngYsbKG
Malware Config
Signatures
Modifies security service (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | syslmgrsvc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | sysblardsv.exe

Suspicious use of NtCreateUserProcessOtherParentProcess (4 IoCs)
  description | pid | Process | procid_target
  PID 2700 created 3404 | 2700 | 3270521601.exe | 56
  PID 2700 created 3404 | 2700 | 3270521601.exe | 56
  PID 536 created 3404 | 536 | wupgrdsv.exe | 56
  PID 536 created 3404 | 536 | wupgrdsv.exe | 56

Windows security bypass (heading inferred from the process-tree ordering; the extracted page omits this block's name and counts)
  All values below are Set value (int) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\
  value | data | Process
  FirewallOverride | "1" | syslmgrsvc.exe
  FirewallOverride | "1" | winqlsdrvcs.exe
  FirewallDisableNotify | "1" | winqlsdrvcs.exe
  AntiVirusOverride | "1" | winqlsdrvcs.exe
  FirewallOverride | "1" | sysblardsv.exe
  UpdatesOverride | "1" | sysblardsv.exe
  FirewallDisableNotify | "1" | syslmgrsvc.exe
  AntiVirusOverride | "1" | syslmgrsvc.exe
  AntiVirusOverride | "1" | sysblardsv.exe
  AntiVirusDisableNotify | "1" | sysblardsv.exe
  UpdatesDisableNotify | "1" | sysblardsv.exe
  UpdatesOverride | "1" | syslmgrsvc.exe
  FirewallDisableNotify | "1" | sysblardsv.exe
  AntiVirusDisableNotify | "1" | syslmgrsvc.exe
  UpdatesDisableNotify | "1" | syslmgrsvc.exe
  AntiVirusDisableNotify | "1" | winqlsdrvcs.exe
  UpdatesOverride | "1" | winqlsdrvcs.exe
  UpdatesDisableNotify | "1" | winqlsdrvcs.exe

XMRig Miner payload (10 IoCs)
  resource | yara_rule
  behavioral2/memory/536-146-0x00007FF71B130000-0x00007FF71B6A6000-memory.dmp | xmrig
  behavioral2/memory/2464-160-0x00007FF6A8280000-0x00007FF6A8A6F000-memory.dmp | xmrig
  behavioral2/memory/2464-164-0x00007FF6A8280000-0x00007FF6A8A6F000-memory.dmp | xmrig
  behavioral2/memory/2464-165-0x00007FF6A8280000-0x00007FF6A8A6F000-memory.dmp | xmrig
  behavioral2/memory/2464-166-0x00007FF6A8280000-0x00007FF6A8A6F000-memory.dmp | xmrig
  behavioral2/memory/2464-169-0x00007FF6A8280000-0x00007FF6A8A6F000-memory.dmp | xmrig
  behavioral2/memory/2464-172-0x00007FF6A8280000-0x00007FF6A8A6F000-memory.dmp | xmrig
  behavioral2/memory/2464-173-0x00007FF6A8280000-0x00007FF6A8A6F000-memory.dmp | xmrig
  behavioral2/memory/2464-174-0x00007FF6A8280000-0x00007FF6A8A6F000-memory.dmp | xmrig
  behavioral2/memory/2464-175-0x00007FF6A8280000-0x00007FF6A8A6F000-memory.dmp | xmrig

Downloads MZ/PE file

Executes dropped EXE (23 IoCs)
  pid | Process
  4804 | sysblardsv.exe
  4636 | 2360721663.exe
  228 | syslmgrsvc.exe
  2276 | 2737513387.exe
  3504 | winqlsdrvcs.exe
  5108 | 255594601.exe
  3192 | 140161133.exe
  404 | 3669427480.exe
  4352 | Windows Security Upgrade Service.exe
  4544 | 195428378.exe
  1536 | 1828628891.exe
  1824 | 1589219664.exe
  2376 | 2186619390.exe
  4596 | 572220102.exe
  2700 | 3270521601.exe
  3484 | Windows Security Upgrade Service.exe
  2924 | 3318910725.exe
  536 | wupgrdsv.exe
  3972 | 2841510448.exe
  4656 | 2563311114.exe
  4172 | 81145897.exe
  4992 | Windows Security Upgrade Service.exe
  5100 | 1181929981.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (heading inferred from the process-tree ordering; the extracted page omits this block's name and counts)
  All values below are Set value (int) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\
  value | data | Process
  FirewallDisableNotify | "1" | syslmgrsvc.exe
  AntiVirusDisableNotify | "1" | syslmgrsvc.exe
  AntiSpywareOverride | "1" | sysblardsv.exe
  AntiVirusOverride | "1" | sysblardsv.exe
  AntiVirusDisableNotify | "1" | sysblardsv.exe
  UpdatesOverride | "1" | sysblardsv.exe
  FirewallOverride | "1" | syslmgrsvc.exe
  AntiVirusOverride | "1" | syslmgrsvc.exe
  AntiVirusOverride | "1" | winqlsdrvcs.exe
  UpdatesOverride | "1" | winqlsdrvcs.exe
  UpdatesDisableNotify | "1" | winqlsdrvcs.exe
  FirewallDisableNotify | "1" | sysblardsv.exe
  UpdatesOverride | "1" | syslmgrsvc.exe
  UpdatesDisableNotify | "1" | syslmgrsvc.exe
  FirewallDisableNotify | "1" | winqlsdrvcs.exe
  AntiVirusDisableNotify | "1" | winqlsdrvcs.exe
  FirewallOverride | "1" | sysblardsv.exe
  UpdatesDisableNotify | "1" | sysblardsv.exe
  AntiSpywareOverride | "1" | syslmgrsvc.exe
  FirewallOverride | "1" | winqlsdrvcs.exe
  AntiSpywareOverride | "1" | winqlsdrvcs.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysblardsv.exe" | SecuriteInfo.com.Trojan.DownLoader46.2135.7325.13890.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syslmgrsvc.exe" | 2360721663.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winqlsdrvcs.exe" | 2737513387.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 536 set thread context of 2464 | 536 | wupgrdsv.exe | 124

Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File created | C:\Windows\sysblardsv.exe | SecuriteInfo.com.Trojan.DownLoader46.2135.7325.13890.exe
  File opened for modification | C:\Windows\sysblardsv.exe | SecuriteInfo.com.Trojan.DownLoader46.2135.7325.13890.exe
  File created | C:\Windows\syslmgrsvc.exe | 2360721663.exe
  File opened for modification | C:\Windows\syslmgrsvc.exe | 2360721663.exe
  File created | C:\Windows\winqlsdrvcs.exe | 2737513387.exe
  File opened for modification | C:\Windows\winqlsdrvcs.exe | 2737513387.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process | entries
  2700 | 3270521601.exe | 2
  2368 | powershell.exe | 3
  2700 | 3270521601.exe | 2
  536 | wupgrdsv.exe | 2
  1484 | powershell.exe | 3
  536 | wupgrdsv.exe | 2

Suspicious behavior: SetClipboardViewer (1 IoC)
  pid | Process
  228 | syslmgrsvc.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All 64 entries are token adjustments by PID 2368 (powershell.exe). The first entry is Token: SeDebugPrivilege; after it, the following 21-entry sequence is recorded three times in a row:
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (64 IoCs)
  Each row lists one "PID X wrote to memory of Y" event; the entries column gives how many times the report repeats that event.
  pid | wrote to memory of | Process | procid_target | entries
  1168 | 4804 | SecuriteInfo.com.Trojan.DownLoader46.2135.7325.13890.exe | 86 | 3
  4804 | 4636 | sysblardsv.exe | 97 | 3
  4636 | 228 | 2360721663.exe | 98 | 3
  4804 | 2276 | sysblardsv.exe | 99 | 3
  2276 | 3504 | 2737513387.exe | 100 | 3
  4804 | 5108 | sysblardsv.exe | 101 | 3
  228 | 3192 | syslmgrsvc.exe | 102 | 3
  3504 | 404 | winqlsdrvcs.exe | 104 | 3
  5108 | 4352 | 255594601.exe | 105 | 3
  4804 | 4544 | sysblardsv.exe | 107 | 3
  228 | 1536 | syslmgrsvc.exe | 108 | 3
  3504 | 1824 | winqlsdrvcs.exe | 109 | 3
  4804 | 2376 | sysblardsv.exe | 110 | 3
  228 | 4596 | syslmgrsvc.exe | 111 | 3
  4544 | 2700 | 195428378.exe | 112 | 2
  5108 | 3484 | 255594601.exe | 113 | 3
  3504 | 2924 | winqlsdrvcs.exe | 114 | 3
  4804 | 3972 | sysblardsv.exe | 120 | 3
  228 | 4656 | syslmgrsvc.exe | 121 | 3
  536 | 2464 | wupgrdsv.exe | 124 | 1
  228 | 4172 | syslmgrsvc.exe | 125 | 3
  5108 | 4992 | 255594601.exe | 126 | 3
  228 | 5100 | syslmgrsvc.exe | 127 | 1

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Indentation shows the parent/child relationship recorded by the sandbox. The command line is listed only where it differs from the bare image path.

C:\Windows\Explorer.EXE  (PID 3404)
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader46.2135.7325.13890.exe  (PID 1168)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader46.2135.7325.13890.exe"
    signatures: Adds Run key to start application; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    C:\Windows\sysblardsv.exe  (PID 4804)
      signatures: Modifies security service; Windows security bypass; Executes dropped EXE; Windows security modification; Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\2360721663.exe  (PID 4636)
        signatures: Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious use of WriteProcessMemory
        C:\Windows\syslmgrsvc.exe  (PID 228)
          signatures: Modifies security service; Windows security bypass; Executes dropped EXE; Windows security modification; Suspicious behavior: SetClipboardViewer; Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\140161133.exe  (PID 3192)
            signatures: Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\1828628891.exe  (PID 1536)
            signatures: Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\572220102.exe  (PID 4596)
            signatures: Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\2563311114.exe  (PID 4656)
            signatures: Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\81145897.exe  (PID 4172)
            signatures: Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\1181929981.exe  (PID 5100)
            signatures: Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\2737513387.exe  (PID 2276)
        signatures: Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious use of WriteProcessMemory
        C:\Windows\winqlsdrvcs.exe  (PID 3504)
          signatures: Windows security bypass; Executes dropped EXE; Windows security modification; Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\3669427480.exe  (PID 404)
            signatures: Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\1589219664.exe  (PID 1824)
            signatures: Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\3318910725.exe  (PID 2924)
            signatures: Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\255594601.exe  (PID 5108)
        signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe  (PID 4352)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
          signatures: Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe  (PID 3484)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
          signatures: Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe  (PID 4992)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
          signatures: Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\195428378.exe  (PID 4544)
        signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\3270521601.exe  (PID 2700)
          signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      C:\Users\Admin\AppData\Local\Temp\2186619390.exe  (PID 2376)
        signatures: Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\2841510448.exe  (PID 3972)
        signatures: Executes dropped EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2368)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\schtasks.exe  (PID 1624)
    cmdline: C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1484)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
    signatures: Suspicious behavior: EnumeratesProcesses
  C:\Windows\System32\notepad.exe  (PID 2464)
C:\Users\Admin\Windows Upgrade\wupgrdsv.exe  (PID 536)
  cmdline: "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
  signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Downloads

Filesize: 3KB
MD5: fee026663fcb662152188784794028ee
SHA1: 3c02a26a9cb16648fad85c6477b68ced3cb0cb45
SHA256: dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b
SHA512: 7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

Filesize: 1KB
MD5: 2ac3c9ba89b8c2ef19c601ecebb82157
SHA1: a239a4b11438c00e5ff89ebd4a804ede6a01935b
SHA256: 3c2714ce07f8c04b3f8222dfe50d8ae08f548b0e6e79fe33d08bf6f4c2e5143e
SHA512: b1221d29e747b37071761b2509e9109b522cce6411f73f27c9428ac332d26b9f413ae6b8c0aeac1afb7fab2d0b3b1c4af189da12fe506287596df2ef8f083432

Filesize: 93KB
MD5: d42f332184afc06d183db122eb16e7f7
SHA1: 09666bad8ba602f1fc9b6df109f81d8df9209e8e
SHA256: 7c9759a8583dc85e94b2314931f713d665c8096c224cab2e162dc5045e26a3aa
SHA512: 9a27acc50818a656baf66cfb7b8f25faa856fb8a2cf944f95dbf4d0e67fbad01a96fccaffdd9c379318aee054a616cf0551d6625b7a7af3e4248ae387138d006

Filesize: 14KB
MD5: 202339099ee228628d08ccd9b9dff02f
SHA1: 024f31908d986f3cca659da6c5f15c756e6b96eb
SHA256: b3395083c95e4e25611cb0e78be88790ea95b6e09f6d23298785fc4a0c08ce15
SHA512: dafc69ade061a15f67ba34b25204092b2ffa7e3a418b249b0fa7dc7bfa609d336b9146c4a6e31a01de92b5b00efbe0fa4e7a553cbbc0d9372d92288fbe634697

Filesize: 10KB
MD5: c8cf446ead193a3807472fbd294c5f23
SHA1: 2162f28c919222f75ce5f52e4bb1155255ae5368
SHA256: e5d12658a690c62af7d4fc7b26735affc7210e3bfb6b2241de1bf90aebdc0717
SHA512: fc94014fabf204ecd57990db4b05b81cbda0a314b621cbfa755296ddf5493ec55fb129d12eff5f92863d9f1d7fea679dc2aeb62baf898791448cb4fe34b595c1

Filesize: 8KB
MD5: 11d2f27fb4f0c424ab696573e79db18c
SHA1: d08ece21a657bfa6ea4d2db9b21fbb960d7f4331
SHA256: dee9dca027009b7d2885ace7b968d2e9505a41b34756b08343338f8ef259e9be
SHA512: a60de41caa6113430ab4ab944b800579f574f9b964c362f9c62bbfc1bd85dccd01b628809367e15cfe6baaba32c1255f8db07e434ff7bcf5e90d9b3d1f6a4cd4

Filesize: 93KB
MD5: a318cc45e79498b93e40d5e5b9b76be4
SHA1: 4ebc9969cc3c330741c377e22a5fb0cdb8ce5fd5
SHA256: 4b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2
SHA512: 3131d627837a3cafdf532173ccadd4beff933ee3d5e050366153434b1394c4d57056b4d273ddb826a1a0478caa83e1f6e095e83366102ae1d3705ab2d3ec0e2c

Filesize: 10KB
MD5: 47340d40e7f73e62cf09ac60fd16ad68
SHA1: effd38f6561155802d3e5090f5714589eae5ce6e
SHA256: e8a0c46342abd882318dbfdb17b7d3cb93d7138564878a15c5b91229ed81689c
SHA512: 2d5fbacad67eba3c42c2be95c3bf64d787d15cf96d5afe827d6f9bdb175295859e684202ff5afc773202f4b9d0b3135e913c997bbe72026cd7a7ca96ecf5aa08

Filesize: 14KB
MD5: 686899bd841d603551a0429d09cb906c
SHA1: c827bc460766c0c39fa9ad27918fb0f409379eb3
SHA256: 483142a79ce1fce6474da5dcfeea48104eda46a960c7eb9b9581d555dd6cfc77
SHA512: 850919af70b4b0548fc985b49fa35f5613c31bde6fb46b19753b181c25e0251c52b121a26459c230a969e8ae23fb1dccd547be6a34d2a73dfe4e0d31e6874b76

Filesize: 11KB
MD5: cafd277c4132f5d0f202e7ea07a27d5c
SHA1: 72c8c16a94cce56a3e01d91bc1276dafc65b351d
SHA256: e5162fa594811f0f01fc76f4acbd9fe99b2265df9cfcbc346023f28775c19f1e
SHA512: 7c87d1dec61b78e0f223e8f9fec019d96509813fa6d96129289aab00b2d6f05bf91fe1fafd680b7d9e746f4c2c8cbe48a3028bcaad479048d00d79a19f71b196

Filesize: 5.4MB
MD5: 41ab08c1955fce44bfd0c76a64d1945a
SHA1: 2b9cb05f4de5d98c541d15175d7f0199cbdd0eea
SHA256: dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493
SHA512: 38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Filesize: 9KB
MD5: 4c12165bc335a32cb559c828484a86a6
SHA1: c2e78c57f15a1a3a190be415aac3d1e3209ce785
SHA256: 4831bd83c39ec9d898ccc1023858c81a03326b7c1c5dd8e24fdf9b2171707d1a
SHA512: f44df78b6f16255496b2fa35e28c185011c2bebf47730a68fd1369abf87f390684a8786a167319319d14a12da3768c1edef8e36037cde339a1ffe8c62c3ea87b

Filesize: 8KB
MD5: 9b8a3fb66b93c24c52e9c68633b00f37
SHA1: 2a9290e32d1582217eac32b977961ada243ada9a
SHA256: 8a169cf165f635ecb6c55cacecb2c202c5fc6ef5fa82ec9cdb7d4b0300f35293
SHA512: 117da1ec9850212e4cafce6669c2cfffc8078627f5c3ccdfd6a1bf3bee2d351290071087a4c206578d23852fa5e69c2ebefd71905c85b1eaed4220932bb71a39

Filesize: 10KB
MD5: 4381ff636b5551a966838c23b152ab90
SHA1: ff2ffca3a584ff300648ea138fa3331c711771e0
SHA256: 1e337ed3d9d65d6f6cb626dc086166fcae0a7dc0f81ee8163444856a19973408
SHA512: 1c851552b24c7cc96a405dd879b599fa0c53fea043f34fe69d24b0fb0269c7278bd475e34df6dd519cff9198209e005cf8636d2647f0b850ca0e3e22a6fa80cd

Filesize: 20KB
MD5: 35dc584405379993ceb29d5314d15d99
SHA1: 2dbb31a27bf5cee87fd81a9431bb97ca6e07f9bc
SHA256: 22be0689856c5e26d3b742120386b3895a3749e9a2e76d3b356eed2ea2df5f94
SHA512: 9ab4a6027b8ecd8fef7af684286a95d15024fb130ac1c924db3345532a91da77e7b12200ea687ba0722756457e4266ee2afcfec4a24aae979e92e341c13dd377

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 4KB
MD5: e7e67fc629defd2239d9a211d8baba5a
SHA1: e57fd613444e6652d5ed8a1dceb27ac86b38c98e
SHA256: e45ad9c1a3acd20d6e7af2af8d508b210c6016c7c3bc4ce98a24b5166b0ba0b2
SHA512: 81590c6f5787bf6875398ed17cad25fb267fa825f50154b88a1897d840e756d2e38898edbc95541393ae6ac784d069b689827721782abbe16c962f70887b6f2d

Filesize: 4KB
MD5: 30f471fe3094aadde32dcb34ae503759
SHA1: d7b56b7daa6dc516a279f78915baf91baeab7811
SHA256: 48bebc2d1930acf79c1365802cca5a687506225554a873deb85f4bc03b2e0823
SHA512: d19f1364d6beb20651021cd06fb8f2fa24b12271e69312d98f00755b49f453e86d899e578732e58177084eb95e8d6a0aa16675cdb0f40d246a9a4ca5fdeacfc9

Filesize: 104KB
MD5: 9a24a00438a4d06d64fe4820061a1b45
SHA1: 6e59989652dff276a6dfa0f287b6c468a2f04842
SHA256: 66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54
SHA512: 80e97c8c389554ba0512b7f496dd03e82f2a627568eca631a6393033d540a70779fc7eae2485d1b9ca3657beb8ae9a86fd08ecd5dba678407bf8e63bef9a4629