Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17-05-2024 17:07
- Static task: static1
- Behavioral task: behavioral1
- Sample: 66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe
- Resource: win7-20240221-en
General
- Target: 66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe
- Size: 104KB
- MD5: 9a24a00438a4d06d64fe4820061a1b45
- SHA1: 6e59989652dff276a6dfa0f287b6c468a2f04842
- SHA256: 66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54
- SHA512: 80e97c8c389554ba0512b7f496dd03e82f2a627568eca631a6393033d540a70779fc7eae2485d1b9ca3657beb8ae9a86fd08ecd5dba678407bf8e63bef9a4629
- SSDEEP: 1536:KlULHCIFmav82fkJMTZ0imzS6ussgExLXCxnbKG:wUDeO9TZH6SngYsbKG
Malware Config
Signatures
Modifies security service (2 TTPs, 2 IoCs)
Start = "4" is SERVICE_DISABLED, so both dropped services disable the Windows Update service (wuauserv).
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | sysblardsv.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | syslmgrsvc.exe
Suspicious use of NtCreateUserProcessOtherParentProcess (4 IoCs)
PID 1192 is C:\Windows\Explorer.EXE in the process tree, so each of these creations names Explorer as the parent of the new process rather than the real creator.
description | pid | Process | procid_target
PID 2880 created 1192 | 2880 | 2615426320.exe | 21
PID 2880 created 1192 | 2880 | 2615426320.exe | 21
PID 2552 created 1192 | 2552 | wupgrdsv.exe | 21
PID 2552 created 1192 | 2552 | wupgrdsv.exe | 21
Windows security bypass (title inferred from the signature order in the process tree; the extracted page lost it)
All entries are Set value (int) ... = "1" under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\.
value | Process
AntiVirusOverride | sysblardsv.exe
UpdatesOverride | sysblardsv.exe
FirewallDisableNotify | syslmgrsvc.exe
AntiVirusDisableNotify | syslmgrsvc.exe
UpdatesDisableNotify | syslmgrsvc.exe
UpdatesDisableNotify | winqlsdrvcs.exe
FirewallDisableNotify | sysblardsv.exe
AntiVirusDisableNotify | sysblardsv.exe
UpdatesDisableNotify | sysblardsv.exe
FirewallOverride | syslmgrsvc.exe
AntiVirusOverride | syslmgrsvc.exe
UpdatesOverride | syslmgrsvc.exe
AntiVirusOverride | winqlsdrvcs.exe
AntiVirusDisableNotify | winqlsdrvcs.exe
FirewallOverride | sysblardsv.exe
FirewallOverride | winqlsdrvcs.exe
FirewallDisableNotify | winqlsdrvcs.exe
UpdatesOverride | winqlsdrvcs.exe
XMRig Miner payload (9 IoCs)
PID 2164 is notepad.exe, the process whose thread context wupgrdsv.exe (PID 2552) set (see "Suspicious use of SetThreadContext" below), so the miner code is found in notepad.exe's memory rather than in a file on disk.
resource | yara_rule
behavioral1/memory/2552-186-0x000000013F660000-0x000000013FBD6000-memory.dmp | xmrig
behavioral1/memory/2164-191-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2164-192-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2164-193-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2164-196-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2164-197-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2164-200-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2164-201-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/2164-202-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
Downloads MZ/PE file
Executes dropped EXE (23 IoCs)
pid | Process
1272 | sysblardsv.exe
2428 | 1745425556.exe
2624 | syslmgrsvc.exe
2460 | 972017496.exe
540 | winqlsdrvcs.exe
2340 | 118785565.exe
1268 | 317868877.exe
1752 | 3060431781.exe
2700 | Windows Security Upgrade Service.exe
2120 | 153030322.exe
2236 | 220032970.exe
2948 | 1438123061.exe
2844 | 2911621804.exe
2796 | 509024096.exe
2880 | 2615426320.exe
2936 | Windows Security Upgrade Service.exe
1584 | 3383214491.exe
1724 | 1027913133.exe
2884 | 536515272.exe
2552 | wupgrdsv.exe
2468 | 26095480.exe
2636 | Windows Security Upgrade Service.exe
3012 | 2751829371.exe
Loads dropped DLL (22 IoCs)
pid | Process | occurrences
1272 | sysblardsv.exe | 7
2624 | syslmgrsvc.exe | 7
540 | winqlsdrvcs.exe | 3
1268 | 317868877.exe | 3
2236 | 220032970.exe | 1
1504 | taskeng.exe | 1
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (title inferred from the signature order in the process tree; the extracted page lost it)
All entries are Set value (int) ... = "1" under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\.
value | Process
FirewallOverride | sysblardsv.exe
FirewallDisableNotify | sysblardsv.exe
UpdatesDisableNotify | sysblardsv.exe
FirewallDisableNotify | syslmgrsvc.exe
AntiVirusOverride | syslmgrsvc.exe
UpdatesOverride | syslmgrsvc.exe
FirewallDisableNotify | winqlsdrvcs.exe
AntiVirusDisableNotify | winqlsdrvcs.exe
AntiVirusDisableNotify | sysblardsv.exe
UpdatesOverride | sysblardsv.exe
AntiSpywareOverride | sysblardsv.exe
AntiSpywareOverride | syslmgrsvc.exe
AntiVirusDisableNotify | syslmgrsvc.exe
AntiSpywareOverride | winqlsdrvcs.exe
AntiVirusOverride | winqlsdrvcs.exe
UpdatesOverride | winqlsdrvcs.exe
AntiVirusOverride | sysblardsv.exe
FirewallOverride | syslmgrsvc.exe
UpdatesDisableNotify | syslmgrsvc.exe
FirewallOverride | winqlsdrvcs.exe
UpdatesDisableNotify | winqlsdrvcs.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
All entries are Set value (str) under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\.
value | data | Process
Windows Service | "C:\\Windows\\winqlsdrvcs.exe" | 972017496.exe
Windows Settings | "C:\\Windows\\sysblardsv.exe" | 66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe
Windows Settings | "C:\\Windows\\syslmgrsvc.exe" | 1745425556.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2552 set thread context of 2164 | 2552 | wupgrdsv.exe | 67
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\sysblardsv.exe | 66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe
File opened for modification | C:\Windows\sysblardsv.exe | 66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe
File created | C:\Windows\syslmgrsvc.exe | 1745425556.exe
File opened for modification | C:\Windows\syslmgrsvc.exe | 1745425556.exe
File created | C:\Windows\winqlsdrvcs.exe | 972017496.exe
File opened for modification | C:\Windows\winqlsdrvcs.exe | 972017496.exe
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2656 | schtasks.exe
560 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
2880 | 2615426320.exe
2880 | 2615426320.exe
1148 | powershell.exe
2880 | 2615426320.exe
2880 | 2615426320.exe
2552 | wupgrdsv.exe
2552 | wupgrdsv.exe
324 | powershell.exe
2552 | wupgrdsv.exe
2552 | wupgrdsv.exe
Suspicious behavior: LoadsDriver (1 IoCs)
pid | Process
468 | Process not Found
Suspicious behavior: SetClipboardViewer (1 IoCs)
pid | Process
2624 | syslmgrsvc.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
SeLockMemoryPrivilege is the privilege required for large-page memory allocation, which XMRig enables for its mining workload; its appearance in notepad.exe (PID 2164) is consistent with the XMRig detections in that process's memory.
description | pid | Process
Token: SeDebugPrivilege | 1148 | powershell.exe
Token: SeDebugPrivilege | 324 | powershell.exe
Token: SeLockMemoryPrivilege | 2164 | notepad.exe
Token: SeLockMemoryPrivilege | 2164 | notepad.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
2164 | notepad.exe (all 64 IoCs)
Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
2164 | notepad.exe (all 64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Each creation below is recorded four times in the report; the 16 distinct parent/child pairs account for the 64 IoCs.
description | pid | Process | procid_target
PID 2172 wrote to memory of 1272 | 2172 | 66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe | 28 (4 IoCs)
PID 1272 wrote to memory of 2428 | 1272 | sysblardsv.exe | 31 (4 IoCs)
PID 2428 wrote to memory of 2624 | 2428 | 1745425556.exe | 32 (4 IoCs)
PID 1272 wrote to memory of 2460 | 1272 | sysblardsv.exe | 33 (4 IoCs)
PID 2460 wrote to memory of 540 | 2460 | 972017496.exe | 35 (4 IoCs)
PID 2624 wrote to memory of 2340 | 2624 | syslmgrsvc.exe | 38 (4 IoCs)
PID 1272 wrote to memory of 1268 | 1272 | sysblardsv.exe | 39 (4 IoCs)
PID 540 wrote to memory of 1752 | 540 | winqlsdrvcs.exe | 41 (4 IoCs)
PID 1268 wrote to memory of 2700 | 1268 | 317868877.exe | 42 (4 IoCs)
PID 2624 wrote to memory of 2120 | 2624 | syslmgrsvc.exe | 43 (4 IoCs)
PID 1272 wrote to memory of 2236 | 1272 | sysblardsv.exe | 44 (4 IoCs)
PID 540 wrote to memory of 2948 | 540 | winqlsdrvcs.exe | 46 (4 IoCs)
PID 2624 wrote to memory of 2844 | 2624 | syslmgrsvc.exe | 48 (4 IoCs)
PID 1272 wrote to memory of 2796 | 1272 | sysblardsv.exe | 49 (4 IoCs)
PID 2236 wrote to memory of 2880 | 2236 | 220032970.exe | 50 (4 IoCs)
PID 1268 wrote to memory of 2936 | 1268 | 317868877.exe | 51 (4 IoCs)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indentation shows the parent/child relationship recorded by the sandbox; each line gives the command line and PID, followed by the signatures that fired for that process. The four processes listed directly under Explorer.EXE besides the sample (two powershell.exe instances, schtasks.exe /run and notepad.exe) match the four NtCreateUserProcessOtherParentProcess events above, in which 2615426320.exe (PID 2880) and wupgrdsv.exe (PID 2552) each created two processes with Explorer (PID 1192) as the apparent parent.

C:\Windows\Explorer.EXE  (PID 1192)
  "C:\Users\Admin\AppData\Local\Temp\66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe"  (PID 2172)
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\sysblardsv.exe  (PID 1272)
      - Modifies security service
      - Windows security bypass
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\1745425556.exe  (PID 2428)
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        C:\Windows\syslmgrsvc.exe  (PID 2624)
          - Modifies security service
          - Windows security bypass
          - Executes dropped EXE
          - Loads dropped DLL
          - Windows security modification
          - Suspicious behavior: SetClipboardViewer
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\118785565.exe  (PID 2340)
            - Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\153030322.exe  (PID 2120)
            - Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\2911621804.exe  (PID 2844)
            - Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\1027913133.exe  (PID 1724)
            - Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\26095480.exe  (PID 2468)
            - Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\2751829371.exe  (PID 3012)
            - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\972017496.exe  (PID 2460)
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        C:\Windows\winqlsdrvcs.exe  (PID 540)
          - Windows security bypass
          - Executes dropped EXE
          - Loads dropped DLL
          - Windows security modification
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\3060431781.exe  (PID 1752)
            - Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\1438123061.exe  (PID 2948)
            - Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\3383214491.exe  (PID 1584)
            - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\317868877.exe  (PID 1268)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"  (PID 2700)
          - Executes dropped EXE
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"  (PID 2936)
          - Executes dropped EXE
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"  (PID 2636)
          - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\220032970.exe  (PID 2236)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\2615426320.exe  (PID 2880)
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
      C:\Users\Admin\AppData\Local\Temp\509024096.exe  (PID 2796)
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\536515272.exe  (PID 2884)
        - Executes dropped EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }  (PID 1148)
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"  (PID 2656)
      - Creates scheduled task(s)
  C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"  (PID 2744)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }  (PID 324)
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"  (PID 560)
      - Creates scheduled task(s)
  C:\Windows\System32\notepad.exe  (PID 2164)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
C:\Windows\system32\taskeng.exe {C7A4CC25-066E-498A-BC76-D807B042730F} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]  (PID 1504)
  - Loads dropped DLL
  "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"  (PID 2552)
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Downloads