Analysis Overview
SHA256
f858ac5589a19f84a4e97fba9511e95a187464374daa00d8e83ffcb810ed6123
Threat Level: Shows suspicious behavior
The file f858ac5589a19f84a4e97fba9511e95a187464374daa00d8e83ffcb810ed6123 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:40
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:40
Reported
2024-06-03 05:43
Platform
win7-20240419-en
Max time kernel
149s
Max time network
120s
Signatures
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mwyjnbrrs = "\"C:\\Users\\Admin\\AppData\\Roaming\\VmmGdw\\lpksetup.exe\"" | N/A | N/A |
Drops file in System32 directory
cmd.exe writes a file named Netplwiz.exe into a numbered sub-folder of System32; that path is the /TR target of the hourly scheduled task created at the end of this run (see Processes), which runs it with /RL highest. Together with the Loads dropped DLL signature this has the shape of a side-loading persistence, although the report does not name the dropped DLL.
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\6224\Netplwiz.exe | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\6224\Netplwiz.exe | C:\Windows\System32\cmd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
The per-user handler HKCU\Software\Classes\MSCFile\shell\open\command (\REGISTRY\USER\<SID>_CLASSES below) is set to run MqtAy46.cmd, and the whole MSCFile subtree is deleted again within the run. eventvwr.exe is an auto-elevating binary that resolves the .msc handler through the per-user Classes hive first, so the planted command executes at high integrity without a UAC prompt; the resulting eventvwr.exe -> cmd.exe -> schtasks.exe chain is visible under WriteProcessMemory and Processes.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open\command | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open\command | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\MqtAy46.cmd" | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Every write below is into a freshly started copy of a signed Windows binary (LocationNotifications.exe, RunLegacyCPLElevated.exe, lpksetup.exe, CompMgmtLauncher.exe, Netplwiz.exe, eventvwr.exe, cmd.exe). All first-level writes come from PID 1204, which the sandbox never names; the memory dumps under Files show PID 1204 holding the same 0x0000000140000000-0x00000001400B5000 region as PID 1936, which the dump order suggests is the initial rundll32.exe process, consistent with the DLL image having been copied into 1204 before it started injecting. The sandbox logged each write three times; the rows are collapsed here with a count.
| Description | Writes | Process | Target |
| PID 1204 wrote to memory of 2704 | 3 | N/A | C:\Windows\system32\LocationNotifications.exe |
| PID 1204 wrote to memory of 2528 | 3 | N/A | C:\Windows\system32\RunLegacyCPLElevated.exe |
| PID 1204 wrote to memory of 2524 | 3 | N/A | C:\Windows\system32\lpksetup.exe |
| PID 1204 wrote to memory of 2548 | 3 | N/A | C:\Windows\System32\cmd.exe |
| PID 1204 wrote to memory of 2224 | 3 | N/A | C:\Windows\System32\cmd.exe |
| PID 2224 wrote to memory of 2300 | 3 | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1204 wrote to memory of 2236 | 3 | N/A | C:\Windows\system32\CompMgmtLauncher.exe |
| PID 1204 wrote to memory of 352 | 3 | N/A | C:\Windows\system32\Netplwiz.exe |
| PID 1204 wrote to memory of 2744 | 3 | N/A | C:\Windows\System32\cmd.exe |
| PID 1204 wrote to memory of 2896 | 3 | N/A | C:\Windows\System32\eventvwr.exe |
| PID 2896 wrote to memory of 2168 | 3 | C:\Windows\System32\eventvwr.exe | C:\Windows\system32\cmd.exe |
| PID 2168 wrote to memory of 2180 | 3 | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f858ac5589a19f84a4e97fba9511e95a187464374daa00d8e83ffcb810ed6123.dll,#1
C:\Windows\system32\LocationNotifications.exe
C:\Windows\system32\LocationNotifications.exe
C:\Windows\system32\RunLegacyCPLElevated.exe
C:\Windows\system32\RunLegacyCPLElevated.exe
C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\7wJFHp.cmd
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"
C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"
C:\Windows\system32\CompMgmtLauncher.exe
C:\Windows\system32\CompMgmtLauncher.exe
C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\QcY.cmd
C:\Windows\System32\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\MqtAy46.cmd
C:\Windows\system32\schtasks.exe
schtasks.exe /Create /F /TN "Bygyxkyzdvxj" /SC minute /MO 60 /TR "C:\Windows\system32\6224\Netplwiz.exe" /RL highest
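The WriteProcessMemory table records one row per write call and never names the writer. The Python below is an added example, not part of the sandbox report: it parses rows in exactly that table format, de-duplicates them, and reconstructs the writer-to-target tree together with every path that ends in schtasks.exe, which is how the two task-creation chains (one direct, one through eventvwr.exe) fall out of the raw rows. The row text is copied from the table above, with the 1204 -> 2896 pair left in triplicate so the counting is exercised; `<unnamed>` marks PIDs the report never gives an image for.

```python
import re
from collections import defaultdict

# Rows copied from the behavioral1 "Suspicious use of WriteProcessMemory" table
# (Description | Indicator | Process | Target). The sandbox logs one row per write
# call; the 1204 -> 2896 pair is left in triplicate so de-duplication is exercised.
WPM_ROWS = r"""
| PID 1204 wrote to memory of 2704 | N/A | N/A | C:\Windows\system32\LocationNotifications.exe |
| PID 1204 wrote to memory of 2528 | N/A | N/A | C:\Windows\system32\RunLegacyCPLElevated.exe |
| PID 1204 wrote to memory of 2524 | N/A | N/A | C:\Windows\system32\lpksetup.exe |
| PID 1204 wrote to memory of 2548 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 1204 wrote to memory of 2224 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 2224 wrote to memory of 2300 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1204 wrote to memory of 2236 | N/A | N/A | C:\Windows\system32\CompMgmtLauncher.exe |
| PID 1204 wrote to memory of 352 | N/A | N/A | C:\Windows\system32\Netplwiz.exe |
| PID 1204 wrote to memory of 2744 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 1204 wrote to memory of 2896 | N/A | N/A | C:\Windows\System32\eventvwr.exe |
| PID 1204 wrote to memory of 2896 | N/A | N/A | C:\Windows\System32\eventvwr.exe |
| PID 1204 wrote to memory of 2896 | N/A | N/A | C:\Windows\System32\eventvwr.exe |
| PID 2896 wrote to memory of 2168 | N/A | C:\Windows\System32\eventvwr.exe | C:\Windows\system32\cmd.exe |
| PID 2168 wrote to memory of 2180 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
"""

ROW_RE = re.compile(
    r"^\|\s*PID (\d+) wrote to memory of (\d+)\s*\|\s*[^|]*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|$"
)


def parse_rows(text):
    """Return ({(writer, target): write_count}, {pid: image_path}) from table rows."""
    edges = defaultdict(int)
    image = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, separator or unrelated row
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        edges[(src, dst)] += 1
        # Process column names the writer, Target column the process written to.
        if src_img != "N/A":
            image.setdefault(src, src_img)
        if dst_img != "N/A":
            image.setdefault(dst, dst_img)
    return dict(edges), image


def build_tree(edges):
    """Map each writer PID to its distinct targets, in first-seen order."""
    children = defaultdict(list)
    for src, dst in edges:
        if dst not in children[src]:
            children[src].append(dst)
    return dict(children)


def roots(edges):
    """PIDs that write into others but are never written into themselves."""
    writers = {s for s, _ in edges}
    targets = {d for _, d in edges}
    return sorted(writers - targets)


def paths_to(children, image, basename, pid, prefix=()):
    """All writer->target paths from `pid` that end in a process whose image is `basename`."""
    prefix = prefix + (pid,)
    found = []
    if image.get(pid, "").lower().endswith("\\" + basename.lower()):
        found.append(list(prefix))
    for child in children.get(pid, []):
        found.extend(paths_to(children, image, basename, child, prefix))
    return found


def render(children, image, pid, depth=0):
    """Indented text tree; PIDs the report never names show as <unnamed>."""
    lines = ["  " * depth + f"{pid} {image.get(pid, '<unnamed>')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, image, child, depth + 1))
    return lines


if __name__ == "__main__":
    edges, image = parse_rows(WPM_ROWS)
    children = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(children, image, root)))
        for path in paths_to(children, image, "schtasks.exe", root):
            print("schtasks chain:", " -> ".join(map(str, path)))
```

Run as-is it prints the tree rooted at 1204 and the two chains 1204 -> 2224 -> 2300 and 1204 -> 2896 -> 2168 -> 2180; the second is the one that passes through the auto-elevating eventvwr.exe and therefore creates the task at high integrity.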
Network (no entries recorded in this run)
Files
memory/1936-0-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1936-2-0x0000000000200000-0x0000000000207000-memory.dmp
memory/1204-3-0x0000000077566000-0x0000000077567000-memory.dmp
memory/1204-4-0x0000000002610000-0x0000000002611000-memory.dmp
memory/1936-6-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-14-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-13-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-12-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-15-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-11-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-10-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-9-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-16-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-8-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-7-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-17-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-18-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-27-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-35-0x00000000025F0000-0x00000000025F7000-memory.dmp
memory/1204-34-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-26-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-25-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-24-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-23-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-22-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-21-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-20-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-19-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-39-0x0000000077771000-0x0000000077772000-memory.dmp
memory/1204-45-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-47-0x00000000778D0000-0x00000000778D2000-memory.dmp
memory/1204-50-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1204-51-0x0000000140000000-0x00000001400B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7wJFHp.cmd
| MD5 | c349f007e391cc23e2d626c2d61c369f |
| SHA1 | 4a903a0f6a1208346cfa70c19feb9f8df700a176 |
| SHA256 | ad2c975bf830cb6b21296f4c53fbf606fa47842f2afa2fc3dfcfd8e0f5719b70 |
| SHA512 | 94910124d79ed9b1b81678cbba45f887f2a90a3537e370ee6aa3da6e958a1b24e1dec930a582d17b54ef8e8c175545eb3d107a803ea01d414d77cd9eb373df08 |
C:\Users\Admin\AppData\Local\Temp\2dy2B26.tmp
| MD5 | cbb581b640a949a06d69737474f84fa5 |
| SHA1 | c88fa2959e916684313fceaaa4f11ceb3f00f9c8 |
| SHA256 | 1e6eb192f9419523f15760fa3597b69f6c8c9ff0aad6c3f991daf90b910a9012 |
| SHA512 | 0da9889677fcef05a09f0031785299e68ceb5fd8fb3f8f5e379312e78992364edc280c547ed5d137e924693fffc43f5a660f7553b684b38053b6e309de621020 |
C:\Users\Admin\AppData\Roaming\VmmGdw\lpksetup.exe
| MD5 | 50d28f3f8b7c17056520c80a29efe17c |
| SHA1 | 1b1e62be0a0bdc9aec2e91842c35381297d8f01e |
| SHA256 | 71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f |
| SHA512 | 92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861 |
C:\Users\Admin\AppData\Local\Temp\QcY.cmd
| MD5 | 4516fcbb6d7c53886ef5f7b72bcb4841 |
| SHA1 | a3efa1554d71b1eb4aee1ff817a58b7445a6c377 |
| SHA256 | c429218f573bf89d8bbb15f6319293f469dd785dbc3a9e97c73334c0bd69655b |
| SHA512 | 47d4a75e5bff86f190f4a72e6465aa29ddd2dfe60d1efbbc6ec309e0fd37351c3ea4f90ee3adb46f1603655b268ef6db9430007fa80c15c74bf7b32a45e9abd5 |
C:\Users\Admin\AppData\Local\Temp\EFK2C7E.tmp
| MD5 | a1d499b485905e4d8cbd83e30c6d16a8 |
| SHA1 | 27049ccc4ff9a425c17de85d1ad7e6f155d90630 |
| SHA256 | e7f587fe7ae2b081edf3bb5b24779af9706fb9ec1087b39da5c9d74f04c30c25 |
| SHA512 | 634b72ec5c7cc0c5f993140aeb59b63fe0fc78c541756f660d2721ec075bce97dd0391caf79ead547c94268b06c2651af328c940ffc76d1f7334daa9c351089a |
C:\Users\Admin\AppData\Local\Temp\MqtAy46.cmd
| MD5 | 0899e5bda26a9679b9297bc08c4c8f12 |
| SHA1 | 1841f535435137bd346e7e6215b5c40cfb3b7765 |
| SHA256 | 8eb9efede90b0b22e0ded4e0a87d52ab9059013521f63e1d32b178770450401b |
| SHA512 | 1f7bd7948f49e625a5f89e5e43dfd6876ac5f670fda36c2ec0653a7e3ae9a16c6488f5d10c207f725a794db4f3bcd5c8c234a041a894c690418445dd86e18bf2 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mwyjnbrrs.lnk
| MD5 | 8a6024338575b710fffbabaea531cf45 |
| SHA1 | 6a32f1ee83068682bcc950ffa074cf0c0e720c9b |
| SHA256 | 765ed973550e4c415ab1169dacdc656e60c0053d933c0a7c323afca8d49e83a2 |
| SHA512 | d96c18b1fe442791bc6195b83b9cadf4140c13503bf5fc2ac94f42baef0d8e091ad2f20bc40324211c14671da96f28f104eb1402b9ea49fa591f7f6cab49d67d |
memory/1204-100-0x0000000077566000-0x0000000077567000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:40
Reported
2024-06-03 05:43
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
150s
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eeaxmqtu = "\"C:\\Users\\Admin\\AppData\\Roaming\\maNgzN\\msdt.exe\"" | N/A | N/A |
Drops file in System32 directory
cmd.exe writes a file named Narrator.exe into a numbered sub-folder of System32; that path is the /TR target of the hourly scheduled task created at the end of this run (see Processes), which runs it with /RL highest. The same copy-a-signed-binary pattern appears in the Windows 7 run with Netplwiz.exe.
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\7786\Narrator.exe | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\7786\Narrator.exe | C:\Windows\System32\cmd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
The per-user handler HKCU\Software\Classes\ms-settings\shell\open\command (\REGISTRY\USER\<SID>_Classes below) is set to run NIzJXm.cmd with an empty DelegateExecute value, and the subtree is deleted again within the run. fodhelper.exe is an auto-elevating binary that opens the ms-settings: protocol and honours this per-user handler, so the planted command runs at high integrity without a UAC prompt; the resulting fodhelper.exe -> cmd.exe -> schtasks.exe chain is visible under WriteProcessMemory and Processes. This is the Windows 10 counterpart of the MSCFile/eventvwr.exe hijack in the Windows 7 run.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open\command | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\NIzJXm.cmd" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open\command\DelegateExecute | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open\command | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Seven SeShutdownPrivilege / SeCreatePagefilePrivilege pairs, none attributed to a process by the sandbox. This particular pair is also enabled by Windows shell components, so on its own it is low-signal; the rows are collapsed here with a count.
| Description | Count | Process | Target |
| Token: SeShutdownPrivilege | 7 | N/A | N/A |
| Token: SeCreatePagefilePrivilege | 7 | N/A | N/A |
Suspicious use of WriteProcessMemory
As in the Windows 7 run, every first-level write comes from one process the sandbox never names (PID 3460) into a freshly started signed Windows binary (msdt.exe, Narrator.exe, fodhelper.exe, cmd.exe); the memory dumps under Files show PID 3460 holding the same 0x0000000140000000-0x00000001400B5000 region as PID 4384, which the dump order suggests is the initial rundll32.exe process. The sandbox logged each write twice; the rows are collapsed here with a count.
| Description | Writes | Process | Target |
| PID 3460 wrote to memory of 3400 | 2 | N/A | C:\Windows\system32\msdt.exe |
| PID 3460 wrote to memory of 1060 | 2 | N/A | C:\Windows\System32\cmd.exe |
| PID 3460 wrote to memory of 1124 | 2 | N/A | C:\Windows\System32\cmd.exe |
| PID 1124 wrote to memory of 1288 | 2 | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 3460 wrote to memory of 1872 | 2 | N/A | C:\Windows\system32\Narrator.exe |
| PID 3460 wrote to memory of 2272 | 2 | N/A | C:\Windows\System32\cmd.exe |
| PID 3460 wrote to memory of 3012 | 2 | N/A | C:\Windows\System32\fodhelper.exe |
| PID 3012 wrote to memory of 2624 | 2 | C:\Windows\System32\fodhelper.exe | C:\Windows\system32\cmd.exe |
| PID 2624 wrote to memory of 2544 | 2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f858ac5589a19f84a4e97fba9511e95a187464374daa00d8e83ffcb810ed6123.dll,#1
C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\hJgcfMY.cmd
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{35f320fa-3d67-9dff-e346-2c697e2fb343}"
C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{35f320fa-3d67-9dff-e346-2c697e2fb343}"
C:\Windows\system32\Narrator.exe
C:\Windows\system32\Narrator.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\q0a.cmd
C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\NIzJXm.cmd
C:\Windows\system32\schtasks.exe
schtasks.exe /Create /F /TN "Jactb" /SC minute /MO 60 /TR "C:\Windows\system32\7786\Narrator.exe" /RL highest
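Both runs share one shape: rewrite a per-user Classes handler, let an auto-elevating binary (eventvwr.exe on Windows 7, fodhelper.exe on Windows 10) execute the planted .cmd, and from that elevated shell register an hourly task with /RL highest whose target is a file in a numbered System32 sub-folder, alongside a Run key that points into AppData\Roaming. The Python below is an added detection example, not sandbox output: four rules over simplified registry-set and process-creation events. The event dictionaries, their field names (`key`/`value`/`data` for registry, `image`/`parent_image`/`cmdline` for processes) and the two benign control events are constructed here, modelled on the indicators above rather than captured telemetry; the set of auto-elevating binaries is deliberately limited to the two seen in these runs and is meant to be extended.

```python
import ntpath
import re

# Auto-elevating Windows binaries seen launching cmd.exe in the two runs above (extend as needed).
AUTO_ELEVATE = {"eventvwr.exe", "fodhelper.exe"}
SHELLS = {"cmd.exe"}

# Per-user Classes handlers the runs rewrote: MSCFile on Win7, ms-settings on Win10.
HIJACK_KEY_RE = re.compile(r"_classes\\(mscfile|ms-settings)\\shell\\open\\command", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(\\|$)", re.I)
TR_ARG_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)
# A numbered sub-folder directly under System32, as in system32\6224\Netplwiz.exe.
SYS32_SUBDIR_RE = re.compile(r"\\system32\\\d+\\[^\\]+$", re.I)


def hijacked_class_handler(ev):
    return ev["type"] == "reg" and bool(HIJACK_KEY_RE.search(ev["key"]))


def run_key_to_roaming(ev):
    return (ev["type"] == "reg" and bool(RUN_KEY_RE.search(ev["key"]))
            and "\\appdata\\roaming\\" in ev["data"].lower())


def autoelevate_spawns_shell(ev):
    return (ev["type"] == "proc"
            and ntpath.basename(ev["parent_image"]).lower() in AUTO_ELEVATE
            and ntpath.basename(ev["image"]).lower() in SHELLS)


def highest_task_in_sys32_subdir(ev):
    if ev["type"] != "proc" or ntpath.basename(ev["image"]).lower() != "schtasks.exe":
        return False
    cmd = ev["cmdline"]
    if not re.search(r"/create\b", cmd, re.I) or not re.search(r"/rl\s+highest\b", cmd, re.I):
        return False
    m = TR_ARG_RE.search(cmd)
    target = (m.group(1) or m.group(2) or "") if m else ""
    return bool(SYS32_SUBDIR_RE.search(target))


RULES = [hijacked_class_handler, run_key_to_roaming,
         autoelevate_spawns_shell, highest_task_in_sys32_subdir]


def evaluate(events):
    """Return (rule_name, event_id) for every rule that matches an event."""
    return [(rule.__name__, ev["id"]) for ev in events for rule in RULES if rule(ev)]


# Constructed events modelled on the two runs above (not sandbox output).
SID7 = r"\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000"
SID10 = r"\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000"
SAMPLE_EVENTS = [
    {"id": 1, "type": "reg", "key": SID10 + r"_Classes\ms-settings\shell\open\command", "value": "",
     "data": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NIzJXm.cmd"},
    {"id": 2, "type": "reg", "key": SID10 + r"_Classes\ms-settings\shell\open\command",
     "value": "DelegateExecute", "data": ""},
    {"id": 3, "type": "reg", "key": SID10 + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "Eeaxmqtu", "data": r"C:\Users\Admin\AppData\Roaming\maNgzN\msdt.exe"},
    {"id": 4, "type": "proc", "image": r"C:\Windows\system32\cmd.exe",
     "parent_image": r"C:\Windows\System32\fodhelper.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\NIzJXm.cmd'},
    {"id": 5, "type": "proc", "image": r"C:\Windows\system32\schtasks.exe",
     "parent_image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'schtasks.exe /Create /F /TN "Jactb" /SC minute /MO 60 /TR "C:\Windows\system32\7786\Narrator.exe" /RL highest'},
    # Benign control: an elevated admin task whose target is not a numbered System32 sub-folder.
    {"id": 6, "type": "proc", "image": r"C:\Windows\system32\schtasks.exe",
     "parent_image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'schtasks.exe /Create /TN "Backup" /SC daily /TR "C:\Program Files\Vendor\agent.exe" /RL highest'},
    # Benign control: a shell started from Explorer.
    {"id": 7, "type": "proc", "image": r"C:\Windows\system32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
    {"id": 8, "type": "reg", "key": SID7 + r"_CLASSES\MSCFile\shell\open\command", "value": "",
     "data": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MqtAy46.cmd"},
    {"id": 9, "type": "proc", "image": r"C:\Windows\system32\cmd.exe",
     "parent_image": r"C:\Windows\System32\eventvwr.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\MqtAy46.cmd'},
]

if __name__ == "__main__":
    for name, ev_id in evaluate(SAMPLE_EVENTS):
        print(f"event {ev_id}: {name}")
```

The handler-hijack rule fires on the write of the (Default) command and again on DelegateExecute, which is useful because the keys are deleted within seconds of use and may be gone by the time a host is examined; the process rule catches the same bypass from the other side (an auto-elevating parent that normally never spawns a shell). The task rule keys on the numbered System32 sub-folder rather than on /RL highest alone, so the legitimate elevated task in event 6 stays quiet.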
Network
All eleven entries are reverse-DNS (PTR) lookups for in-addr.arpa names sent to 8.8.8.8 over UDP; the addresses being resolved sit in Microsoft and CDN address space, which is the background traffic of a Windows 10 image rather than a contact attempt by the sample. The report records no other network activity in either run.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
memory/4384-0-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/4384-2-0x0000015599840000-0x0000015599847000-memory.dmp
memory/3460-6-0x00007FFB4077A000-0x00007FFB4077B000-memory.dmp
memory/4384-5-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-3-0x00000000032E0000-0x00000000032E1000-memory.dmp
memory/3460-26-0x0000000140000000-0x00000001400B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\X1685F.tmp
| MD5 | a79aa64d301877c47c596fe5cd52a609 |
| SHA1 | fdea3202ab65b711296cda5d69f0a13b687b8ce6 |
| SHA256 | d3b7571f1d53e858c47f2d900fd24ef7b84dde5564c86549333cdcccaaab4b56 |
| SHA512 | b0b33466de2b0cb3558ef202052842778d090d4e2ef730400d57f9eadb4ae6a05dae0c443e7898980ea86a7d3f0857e48158ca6da067b445d004b9adf7f8273f |
memory/3460-55-0x0000000140000000-0x00000001400B5000-memory.dmp
C:\Users\Admin\AppData\Roaming\maNgzN\msdt.exe
| MD5 | 992c3f0cc8180f2f51156671e027ae75 |
| SHA1 | 942ec8c2ccfcacd75a1cd86cbe8873aee5115e29 |
| SHA256 | 6859d1b5d1beaa2985b298f3fcee67f0aac747687a9dec2b4376585e99e9756f |
| SHA512 | 1f1b8d39e29274cfc87a9ef1510adb9c530086a421c121523376731c8933c6e234e9146310d3767ce888a8dce7a5713221f4d25e5b7b6398d06ae2be2b99eadf |
C:\Users\Admin\AppData\Local\Temp\hJgcfMY.cmd
| MD5 | 49db0fc2cf50ea906754cebdf22c94cd |
| SHA1 | c406373a93abc9e8f5ca4bf549bedb9b6e6afce8 |
| SHA256 | 5868be921c3986481e9c9f313492ed9c27091a1432b078f36e425f9bfe7057e4 |
| SHA512 | 722a75cd72184213013d26e3ed3177c641f1cb2b9f6c63b7b99f211fb661d9079a536e1f2b382c818b64681f087eb1bd44c13432ff25659943f732eda19491e1 |
memory/3460-48-0x00007FFB40B60000-0x00007FFB40B70000-memory.dmp
memory/3460-47-0x0000000001260000-0x0000000001267000-memory.dmp
memory/3460-34-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-27-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-25-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-24-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-23-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-22-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-21-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-18-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-20-0x0000000140000000-0x00000001400B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BuN6C96.tmp
| MD5 | 889e6f11ce581c93942d45a6025ae09e |
| SHA1 | bc8614c8cb346b53f663bad5e702bd4e1c616f10 |
| SHA256 | 88424ef21db2c0a1690f2682937db6863a97558f1c1113c0a0f9b6dbeffc0c37 |
| SHA512 | 5aadb8f48899c64670d968ce78d456e0fcc941f291e7be1354f8855d127f7cf3f562c7fb825b01a5aa561d69ed0dba6670d7293cefce1483bbaa343b1920d662 |
C:\Users\Admin\AppData\Local\Temp\q0a.cmd
| MD5 | 3e24ed3b80af5d6fb758c5d1c601bfee |
| SHA1 | 75a7fab7d4512e2047e0922813ea7cce50214914 |
| SHA256 | f0ad91d5acfa6dfb1a38cf54e396e772fd147a3bbda31fa6f4a72749342b457e |
| SHA512 | d409961883ad16a38bbd988baf3c4bab010bda4000fae7cfd8bde7b3f9f65478bcf3afab18217b131c11bb01b16334136cea0c1cff2adb42624329a6ed97b49c |
C:\Users\Admin\AppData\Local\Temp\NIzJXm.cmd
| MD5 | 5d90258de0a0de4b6729459a0fc78014 |
| SHA1 | 2df34635db3692f970033e878fecf03410228350 |
| SHA256 | 8e5e3b8a2843f85130e9afe383e38936218b3a154d42e328edd52c9cb156600c |
| SHA512 | ee129c1118c714cc9faa53932c67aa236597f7a4311802df80a5c156753320fcd9ff4d58b60cdcc443c9f314c1f4b961c131c3e0fcf92adaee1ae3fdbfee879d |
memory/3460-44-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-19-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-17-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-12-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-16-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-15-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-14-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-13-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-8-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-7-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-11-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-9-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3460-10-0x0000000140000000-0x00000001400B5000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eeaxmqtu.lnk
| MD5 | b098bcf57c2d99718f8e6fe8cdfefbb6 |
| SHA1 | 720041580f52141e984f2ee9e93ac3b6167831b6 |
| SHA256 | b8448ddd57e0332577e3e205b4a034404515f06340d9662b44cea0263f48fa94 |
| SHA512 | 7f5b836376e0d3d858e8590ee8e0b510bce92b7522e870eeaabfecba89c08f9aefafbdb4178448c711386839707ddf151135e29b462190f073150a1a36ae2676 |