Analysis
max time kernel: 300s
max time network: 299s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 15:02
Behavioral task: behavioral1
Sample: 336488519.exe
Resource: win7-20240220-en
General
Target: 336488519.exe
Size: 93KB
MD5: a318cc45e79498b93e40d5e5b9b76be4
SHA1: 4ebc9969cc3c330741c377e22a5fb0cdb8ce5fd5
SHA256: 4b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2
SHA512: 3131d627837a3cafdf532173ccadd4beff933ee3d5e050366153434b1394c4d57056b4d273ddb826a1a0478caa83e1f6e095e83366102ae1d3705ab2d3ec0e2c
SSDEEP: 1536:zL0IGzbFmav82I3dTCPu0864k/+ELInCSA+HK:30poOPPuRxk/jr+HK
Malware Config
Signatures

Modifies security service (2 TTPs, 1 IoC)
- syslmgrsvc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"
Phorphiex payload (1 IoC)
- C:\Windows\syslmgrsvc.exe matched YARA rule family_phorphiex
Suspicious use of NtCreateUserProcessOtherParentProcess (4 IoCs)
- PID 1124 created 1156: process 3409239910.exe, target process Explorer.EXE (2 entries)
- PID 1904 created 1156: process wupgrdsv.exe, target process Explorer.EXE (2 entries)
Windows security bypass
- syslmgrsvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- syslmgrsvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- syslmgrsvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- syslmgrsvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- syslmgrsvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"
- syslmgrsvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
XMRig Miner payload (12 IoCs)
YARA rule xmrig matched the following memory dumps:
- behavioral1/memory/1904-90-0x000000013F940000-0x000000013FEB6000-memory.dmp
- behavioral1/memory/1332-96-0x0000000140000000-0x00000001407EF000-memory.dmp
- behavioral1/memory/1332-97-0x0000000140000000-0x00000001407EF000-memory.dmp
- behavioral1/memory/1332-98-0x0000000140000000-0x00000001407EF000-memory.dmp
- behavioral1/memory/1332-100-0x0000000140000000-0x00000001407EF000-memory.dmp
- behavioral1/memory/1332-101-0x0000000140000000-0x00000001407EF000-memory.dmp
- behavioral1/memory/1332-102-0x0000000140000000-0x00000001407EF000-memory.dmp
- behavioral1/memory/1332-103-0x0000000140000000-0x00000001407EF000-memory.dmp
- behavioral1/memory/1332-104-0x0000000140000000-0x00000001407EF000-memory.dmp
- behavioral1/memory/1332-119-0x0000000140000000-0x00000001407EF000-memory.dmp
- behavioral1/memory/1332-121-0x0000000140000000-0x00000001407EF000-memory.dmp
- behavioral1/memory/1332-122-0x0000000140000000-0x00000001407EF000-memory.dmp
Downloads MZ/PE file
-
Executes dropped EXE (10 IoCs)
- 2580 syslmgrsvc.exe
- 2448 518427069.exe
- 1364 2351722770.exe
- 1680 Windows Security Upgrade Service.exe
- 384 2640713896.exe
- 1124 3409239910.exe
- 1944 Windows Security Upgrade Service.exe
- 1904 wupgrdsv.exe
- 2928 Windows Security Upgrade Service.exe
- 1020 2081528148.exe
Loads dropped DLL (10 IoCs)
- 2580 syslmgrsvc.exe (5 entries)
- 1364 2351722770.exe (3 entries)
- 384 2640713896.exe (1 entry)
- 1296 taskeng.exe (1 entry)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
- syslmgrsvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- syslmgrsvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"
- syslmgrsvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- syslmgrsvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- syslmgrsvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- syslmgrsvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"
- syslmgrsvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Adds Run key to start application (2 TTPs, 1 IoC)
- 336488519.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syslmgrsvc.exe"
Drops file in System32 directory (2 IoCs)
- powershell.exe: File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 entries)
Suspicious use of SetThreadContext (1 IoC)
- PID 1904 (wupgrdsv.exe) set thread context of 1332 (notepad.exe)
Drops file in Windows directory (2 IoCs)
- 336488519.exe: File opened for modification C:\Windows\syslmgrsvc.exe
- 336488519.exe: File created C:\Windows\syslmgrsvc.exe
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- 1896 schtasks.exe
- 1976 schtasks.exe
Suspicious behavior: EnumeratesProcesses (40 IoCs)
- 1560 taskmgr.exe (30 entries)
- 1124 3409239910.exe (4 entries)
- 1624 powershell.exe (1 entry)
- 1904 wupgrdsv.exe (4 entries)
- 2268 powershell.exe (1 entry)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- 1560 taskmgr.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege, 1560 taskmgr.exe
- Token: SeDebugPrivilege, 1624 powershell.exe
- Token: SeDebugPrivilege, 2268 powershell.exe
- Token: SeLockMemoryPrivilege, 1332 notepad.exe (2 entries)
Suspicious use of FindShellTrayWindow (64 IoCs)
- 1560 taskmgr.exe (56 entries)
- 1332 notepad.exe (8 entries)
Suspicious use of SendNotifyMessage (64 IoCs)
- 1560 taskmgr.exe (56 entries)
- 1332 notepad.exe (8 entries)
Suspicious use of WriteProcessMemory (46 IoCs)
Source PID (process) wrote to memory of target PID (target process); identical repeated entries are collapsed with their count:
- 2480 (336488519.exe) wrote to memory of 2580 (syslmgrsvc.exe), 4 entries
- 2580 (syslmgrsvc.exe) wrote to memory of 2448 (518427069.exe), 4 entries
- 2580 (syslmgrsvc.exe) wrote to memory of 1364 (2351722770.exe), 4 entries
- 1364 (2351722770.exe) wrote to memory of 1680 (Windows Security Upgrade Service.exe), 4 entries
- 2580 (syslmgrsvc.exe) wrote to memory of 384 (2640713896.exe), 4 entries
- 384 (2640713896.exe) wrote to memory of 1124 (3409239910.exe), 4 entries
- 1364 (2351722770.exe) wrote to memory of 1944 (Windows Security Upgrade Service.exe), 4 entries
- 1624 (powershell.exe) wrote to memory of 1896 (schtasks.exe), 3 entries
- 1296 (taskeng.exe) wrote to memory of 1904 (wupgrdsv.exe), 3 entries
- 2268 (powershell.exe) wrote to memory of 1976 (schtasks.exe), 3 entries
- 1904 (wupgrdsv.exe) wrote to memory of 1332 (notepad.exe), 1 entry
- 1364 (2351722770.exe) wrote to memory of 2928 (Windows Security Upgrade Service.exe), 4 entries
- 2580 (syslmgrsvc.exe) wrote to memory of 1020 (2081528148.exe), 4 entries
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the image path, its PID, the command line, and the signatures triggered by that process; indentation shows the parent/child relationship recorded by the sandbox.

C:\Windows\Explorer.EXE (PID 1156)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\336488519.exe (PID 2480)
    command line: "C:\Users\Admin\AppData\Local\Temp\336488519.exe"
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\syslmgrsvc.exe (PID 2580)
      command line: C:\Windows\syslmgrsvc.exe
      - Modifies security service
      - Windows security bypass
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\518427069.exe (PID 2448)
        command line: C:\Users\Admin\AppData\Local\Temp\518427069.exe
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\2351722770.exe (PID 1364)
        command line: C:\Users\Admin\AppData\Local\Temp\2351722770.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe (PID 1680)
          command line: "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe (PID 1944)
          command line: "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe (PID 2928)
          command line: "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
          - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\2640713896.exe (PID 384)
        command line: C:\Users\Admin\AppData\Local\Temp\2640713896.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\3409239910.exe (PID 1124)
          command line: C:\Users\Admin\AppData\Local\Temp\3409239910.exe
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
      C:\Users\Admin\AppData\Local\Temp\2081528148.exe (PID 1020)
        command line: C:\Users\Admin\AppData\Local\Temp\2081528148.exe
        - Executes dropped EXE
  C:\Windows\system32\taskmgr.exe (PID 1560)
    command line: "C:\Windows\system32\taskmgr.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1624)
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe (PID 1896)
      command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
      - Creates scheduled task(s)
  C:\Windows\System32\schtasks.exe (PID 1216)
    command line: C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2268)
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe (PID 1976)
      command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
      - Creates scheduled task(s)
  C:\Windows\System32\notepad.exe (PID 1332)
    command line: C:\Windows\System32\notepad.exe
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

C:\Windows\system32\taskeng.exe (PID 1296)
  command line: taskeng.exe {50272B9C-3C44-46ED-8DC5-D551F8FD4E65} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\Windows Upgrade\wupgrdsv.exe (PID 1904)
    command line: "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Downloads