amadey | 9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
04-06-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exe
Size

1.8MB
MD5

2d35ffff9a6d3a17eb3f27091669ded5
SHA1

9aee343d728b7d8958bbbc66cfc65d24cdf5e040
SHA256

9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433
SHA512

79af3e7ad577ad4a4d59cdc733ff1c22180ca258a17cc8a85886c81adb99fad5c815842acd8281776f04a1ec410b566392d62dd7d8cddaf011daa766181032cb
SSDEEP

49152:0W5k8qE6volfYvHvsKaslnyd1T0kQvbGKEXWwfqe:lsXnPkyny/TxQ3Ex

Score

10^/10

amadey systembc e76b71 evasion execution persistence trojan

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

5068 powershell.exe
1188 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

services64.exeWindowsAutHost

description ioc process

File created C:\Windows\system32\drivers\etc\hosts services64.exe
File created C:\Windows\system32\drivers\etc\hosts WindowsAutHost
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
5068	powershell.exe
1188	powershell.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	services64.exe
File created	C:\Windows\system32\drivers\etc\hosts	WindowsAutHost

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exe

Executes dropped EXE 10 IoCs

Processes:

axplong.exelrthijawd.exework.exejergs.exewekdca.exeservices64.exeWindowsAutHostaxplong.exewekdca.exeaxplong.exe

pid	process
1940	axplong.exe
4300	lrthijawd.exe
4708	work.exe
1620	jergs.exe
2044	wekdca.exe
1420	services64.exe
3288	WindowsAutHost
748	axplong.exe
3104	wekdca.exe
2904	axplong.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplong.exe9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Wine	9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exe
Key opened	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Wine	axplong.exe

Drops file in System32 directory 5 IoCs

Processes:

services64.exepowershell.exeWindowsAutHostOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	services64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	WindowsAutHost
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exeaxplong.exeservices64.exeWindowsAutHostaxplong.exeaxplong.exe

pid	process
3468	9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exe
1940	axplong.exe
1420	services64.exe
1420	services64.exe
3288	WindowsAutHost
3288	WindowsAutHost
748	axplong.exe
2904	axplong.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

services64.exeWindowsAutHost

description	pid	process	target process
PID 1420 set thread context of 1536	1420	services64.exe	dialer.exe
PID 3288 set thread context of 2680	3288	WindowsAutHost	dialer.exe
PID 3288 set thread context of 3128	3288	WindowsAutHost	dialer.exe
PID 3288 set thread context of 1296	3288	WindowsAutHost	dialer.exe

Drops file in Windows directory 3 IoCs

Processes:

9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exejergs.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exe
File created	C:\Windows\Tasks\wekdca.job	jergs.exe
File opened for modification	C:\Windows\Tasks\wekdca.job	jergs.exe

Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3932 sc.exe
4864 sc.exe
412 sc.exe
1800 sc.exe
3984 sc.exe
888 sc.exe
1428 sc.exe
2840 sc.exe
2976 sc.exe
484 sc.exe
3404 sc.exe
1232 sc.exe
2020 sc.exe
3932 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3932	sc.exe
4864	sc.exe
412	sc.exe
1800	sc.exe
3984	sc.exe
888	sc.exe
1428	sc.exe
2840	sc.exe
2976	sc.exe
484	sc.exe
3404	sc.exe
1232	sc.exe
2020	sc.exe
3932	sc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exesvchost.exeOfficeClickToRun.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={9978C964-30BF-4865-8D88-D53FC5CFA57E}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 04 Jun 2024 16:26:46 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exeaxplong.exejergs.exeservices64.exepowershell.exedialer.exeWindowsAutHostpowershell.exe

pid	process
3468	9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exe
3468	9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exe
1940	axplong.exe
1940	axplong.exe
1620	jergs.exe
1620	jergs.exe
1420	services64.exe
1420	services64.exe
1420	services64.exe
5068	powershell.exe
5068	powershell.exe
1420	services64.exe
1420	services64.exe
1420	services64.exe
1420	services64.exe
1420	services64.exe
1420	services64.exe
1420	services64.exe
1420	services64.exe
1420	services64.exe
1420	services64.exe
1420	services64.exe
1420	services64.exe
1536	dialer.exe
1536	dialer.exe
1420	services64.exe
1420	services64.exe
1420	services64.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
3288	WindowsAutHost
3288	WindowsAutHost
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
1536	dialer.exe
3288	WindowsAutHost
1536	dialer.exe
1536	dialer.exe
1188	powershell.exe
1536	dialer.exe
1536	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeservices64.exedialer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exeWindowsAutHostdialer.exedialer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	1420	services64.exe
Token: SeDebugPrivilege	1536	dialer.exe
Token: SeShutdownPrivilege	568	powercfg.exe
Token: SeCreatePagefilePrivilege	568	powercfg.exe
Token: SeShutdownPrivilege	3372	powercfg.exe
Token: SeCreatePagefilePrivilege	3372	powercfg.exe
Token: SeShutdownPrivilege	4236	powercfg.exe
Token: SeCreatePagefilePrivilege	4236	powercfg.exe
Token: SeShutdownPrivilege	3536	powercfg.exe
Token: SeCreatePagefilePrivilege	3536	powercfg.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	3288	WindowsAutHost
Token: SeDebugPrivilege	2680	dialer.exe
Token: SeLockMemoryPrivilege	1296	dialer.exe
Token: SeShutdownPrivilege	2004	powercfg.exe
Token: SeCreatePagefilePrivilege	2004	powercfg.exe
Token: SeShutdownPrivilege	4152	powercfg.exe
Token: SeCreatePagefilePrivilege	4152	powercfg.exe
Token: SeShutdownPrivilege	2176	powercfg.exe
Token: SeCreatePagefilePrivilege	2176	powercfg.exe
Token: SeShutdownPrivilege	2060	powercfg.exe
Token: SeCreatePagefilePrivilege	2060	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	2820	svchost.exe
Token: SeIncreaseQuotaPrivilege	2820	svchost.exe
Token: SeSecurityPrivilege	2820	svchost.exe
Token: SeTakeOwnershipPrivilege	2820	svchost.exe
Token: SeLoadDriverPrivilege	2820	svchost.exe
Token: SeSystemtimePrivilege	2820	svchost.exe
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeRestorePrivilege	2820	svchost.exe
Token: SeShutdownPrivilege	2820	svchost.exe
Token: SeSystemEnvironmentPrivilege	2820	svchost.exe
Token: SeUndockPrivilege	2820	svchost.exe
Token: SeManageVolumePrivilege	2820	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2820	svchost.exe
Token: SeIncreaseQuotaPrivilege	2820	svchost.exe
Token: SeSecurityPrivilege	2820	svchost.exe
Token: SeTakeOwnershipPrivilege	2820	svchost.exe
Token: SeLoadDriverPrivilege	2820	svchost.exe
Token: SeSystemtimePrivilege	2820	svchost.exe
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeRestorePrivilege	2820	svchost.exe
Token: SeShutdownPrivilege	2820	svchost.exe
Token: SeSystemEnvironmentPrivilege	2820	svchost.exe
Token: SeUndockPrivilege	2820	svchost.exe
Token: SeManageVolumePrivilege	2820	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2820	svchost.exe
Token: SeIncreaseQuotaPrivilege	2820	svchost.exe
Token: SeSecurityPrivilege	2820	svchost.exe
Token: SeTakeOwnershipPrivilege	2820	svchost.exe
Token: SeLoadDriverPrivilege	2820	svchost.exe
Token: SeSystemtimePrivilege	2820	svchost.exe
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeRestorePrivilege	2820	svchost.exe
Token: SeShutdownPrivilege	2820	svchost.exe
Token: SeSystemEnvironmentPrivilege	2820	svchost.exe
Token: SeUndockPrivilege	2820	svchost.exe
Token: SeManageVolumePrivilege	2820	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2820	svchost.exe
Token: SeIncreaseQuotaPrivilege	2820	svchost.exe
Token: SeSecurityPrivilege	2820	svchost.exe
Token: SeTakeOwnershipPrivilege	2820	svchost.exe
Token: SeLoadDriverPrivilege	2820	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exeaxplong.exelrthijawd.execmd.exework.execmd.exeservices64.exedialer.exelsass.exe

description	pid	process	target process
PID 3468 wrote to memory of 1940	3468	9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exe	axplong.exe
PID 3468 wrote to memory of 1940	3468	9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exe	axplong.exe
PID 3468 wrote to memory of 1940	3468	9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exe	axplong.exe
PID 1940 wrote to memory of 4300	1940	axplong.exe	lrthijawd.exe
PID 1940 wrote to memory of 4300	1940	axplong.exe	lrthijawd.exe
PID 4300 wrote to memory of 1928	4300	lrthijawd.exe	cmd.exe
PID 4300 wrote to memory of 1928	4300	lrthijawd.exe	cmd.exe
PID 1928 wrote to memory of 4708	1928	cmd.exe	work.exe
PID 1928 wrote to memory of 4708	1928	cmd.exe	work.exe
PID 4708 wrote to memory of 1620	4708	work.exe	jergs.exe
PID 4708 wrote to memory of 1620	4708	work.exe	jergs.exe
PID 4708 wrote to memory of 1620	4708	work.exe	jergs.exe
PID 1940 wrote to memory of 1420	1940	axplong.exe	services64.exe
PID 1940 wrote to memory of 1420	1940	axplong.exe	services64.exe
PID 436 wrote to memory of 2976	436	cmd.exe	wusa.exe
PID 436 wrote to memory of 2976	436	cmd.exe	wusa.exe
PID 1420 wrote to memory of 1536	1420	services64.exe	dialer.exe
PID 1420 wrote to memory of 1536	1420	services64.exe	dialer.exe
PID 1420 wrote to memory of 1536	1420	services64.exe	dialer.exe
PID 1420 wrote to memory of 1536	1420	services64.exe	dialer.exe
PID 1420 wrote to memory of 1536	1420	services64.exe	dialer.exe
PID 1420 wrote to memory of 1536	1420	services64.exe	dialer.exe
PID 1420 wrote to memory of 1536	1420	services64.exe	dialer.exe
PID 1536 wrote to memory of 636	1536	dialer.exe	winlogon.exe
PID 1536 wrote to memory of 692	1536	dialer.exe	lsass.exe
PID 1536 wrote to memory of 988	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 396	1536	dialer.exe	dwm.exe
PID 1536 wrote to memory of 716	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 392	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1064	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1072	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1172	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1216	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1276	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1284	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1332	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1356	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1552	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1560	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1664	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1712	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1772	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1792	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1904	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1952	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1960	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1968	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 1464	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 2120	1536	dialer.exe	spoolsv.exe
PID 1536 wrote to memory of 2232	1536	dialer.exe	svchost.exe
PID 692 wrote to memory of 2796	692	lsass.exe	sysmon.exe
PID 1536 wrote to memory of 2324	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 2580	1536	dialer.exe	sihost.exe
PID 1536 wrote to memory of 2588	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 2596	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 2664	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 2672	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 2780	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 2796	1536	dialer.exe	sysmon.exe
PID 1536 wrote to memory of 2808	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 2820	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 2832	1536	dialer.exe	svchost.exe
PID 1536 wrote to memory of 3076	1536	dialer.exe	unsecapp.exe
PID 1536 wrote to memory of 3268	1536	dialer.exe	Explorer.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:396

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1172
- C:\ProgramData\tkbp\wekdca.exe
  C:\ProgramData\tkbp\wekdca.exe start2
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:748
- C:\ProgramData\tkbp\wekdca.exe
  C:\ProgramData\tkbp\wekdca.exe start2
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1332
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1356

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1464

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Modifies data under HKEY_USERS
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2780

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2832

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3076

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3268
- C:\Users\Admin\AppData\Local\Temp\9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exe
  "C:\Users\Admin\AppData\Local\Temp\9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\1000012001\lrthijawd.exe
      "C:\Users\Admin\AppData\Local\Temp\1000012001\lrthijawd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4300
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
        
        work.exe -priverdD
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\1000014001\services64.exe
      "C:\Users\Admin\AppData\Local\Temp\1000014001\services64.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1420
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:436
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:2976
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:484
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:3404
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:3932
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:1232
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1800
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1536
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WindowsAutHost"
        5⤵
        Launches sc.exe
        
        PID:3984
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:2020
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:4864
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WindowsAutHost"
        5⤵
        Launches sc.exe
        
        PID:888
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3444

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3944

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:5040

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1396

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3452

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4064

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1376

C:\ProgramData\WindowsServices\WindowsAutHost
C:\ProgramData\WindowsServices\WindowsAutHost
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3288
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5068
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:484
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1428
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3932
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2840
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2080
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2976
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:412
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:400
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1512
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4152
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2012
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3248
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:3128
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1296

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3928

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:4492

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2616

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
df7d804a6e60f5d592d447ee310a6c62

SHA1
763cb8f697dd153d777e3977cf0b99a5873fb6f3

SHA256
e6c8082386fe79f75984cc4bb6e92877c24df55e6a35eb5f248abe833c82be03

SHA512
a812c1287d82d92d698674d2738a6e4cc838308f03cb72e36f3db097fe6529529878c6d8ba751ccb18fbde86338f173f1150db76e0b930384143f0d3d49d41e7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
330B

MD5
5363c995b76f68c4952885c4e446551b

SHA1
58dc611c102a9821cf7a6719b4f35a20378c0eb2

SHA256
2b3fb90dbbfb26a6ffd67409b608d645ac459340be86c588dd3b71a331f92297

SHA512
3ca1904c5a93037ff0fd645ab41af54a39f7fce2dbde0f2933cd1c7e94d214d5a07c00b22cbe2ea581bcfa8797a4e04776ea07436d752c604ac06d650dbec7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\lrthijawd.exe

Filesize
898KB

MD5
1b1ecd323162c054864b63ada693cd71

SHA1
333a67545a5d1aad4d73a3501f7152b4529b6b3e

SHA256
902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff

SHA512
f1776b6a457108f10ca940ce02ce98b73404f5cf18fccee4977024cfaf74d7f48666d4da9be1bee27531525e276cb8cfadba39b0c81e0fd8cbe42f7672f45b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\services64.exe

Filesize
16.9MB

MD5
c8a50a6f1f73df72de866f6131346e69

SHA1
37d99d5a8254cead586931f8b0c9b4cf031e0b4d

SHA256
59e6a5009ce5e9547078db7f964bb8fc10ee999dd35b7e9243f119db8337aa8d

SHA512
9f9230c58ddb8f029421a494220023253d725105ac2575d4ecd818c139dfaf77c7d559c58b66d764d78f3ffa19296f05af6a5d02f795b22512e6979671f2d745

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe

Filesize
1.8MB

MD5
2d35ffff9a6d3a17eb3f27091669ded5

SHA1
9aee343d728b7d8958bbbc66cfc65d24cdf5e040

SHA256
9f64a26de6766efd56fff621726954bb50816012e8d57f512a5acfbf015cc433

SHA512
79af3e7ad577ad4a4d59cdc733ff1c22180ca258a17cc8a85886c81adb99fad5c815842acd8281776f04a1ec410b566392d62dd7d8cddaf011daa766181032cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
453KB

MD5
405b7fbe8c0ed98620064f0cd80f24c4

SHA1
bb9e45038e8a9f7b7cd0db62858ac65c74b74821

SHA256
9dd8267e66dc584eecb3bece47e826d3189e41077f4083acdfc9a4f623b9c187

SHA512
3dd4c407f6c2250d20c005e816e80ad442bb07f84ab02e25951331808fb4229219f9fddbcf1ac2e6d70985e3077a6401905f18a8b2c633e9d0a8b9cc6971b61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe

Filesize
16KB

MD5
c661a77c31f83c413a96b5537ad31989

SHA1
8a5a47e39a9efa9dc4de447d2ae4cd5e375e3557

SHA256
cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1

SHA512
b86e45d36d8566b51f932f660ee9c3d79cea1a2eb34a9f7da7b2ccc5e50c74f319e8005e43d719c5722ec148ddddf1351a7f9edc430888e572b3884d1610b1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0uxphqy2.v5m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
8ec9b858770ae71075f06a8ebc30210f

SHA1
e54f2d1bb0b25b5c59c2eb26a55ac9a1d09a1d08

SHA256
7c5a5eb9142e4cd3bbfbd9b9ed482c5a2471c3014f2449138783fe2b92f62339

SHA512
abef1fb612996bb1c5d59f55b6163cc481c3f0cdb260946762d6829ee3ab4b4ee8829b511e0462b168ebac039d055440547804e560aec8699820a85cdadff553

Download Submit
memory/392-131-0x00007FFA320F0000-0x00007FFA32100000-memory.dmp

Filesize
64KB

Download
memory/392-130-0x00000131751D0000-0x00000131751FB000-memory.dmp

Filesize
172KB

Download
memory/396-120-0x00007FFA320F0000-0x00007FFA32100000-memory.dmp

Filesize
64KB

Download
memory/396-119-0x000001C33BE60000-0x000001C33BE8B000-memory.dmp

Filesize
172KB

Download
memory/636-111-0x00007FFA320F0000-0x00007FFA32100000-memory.dmp

Filesize
64KB

Download
memory/636-110-0x000001E364430000-0x000001E36445B000-memory.dmp

Filesize
172KB

Download
memory/636-109-0x000001E364400000-0x000001E364424000-memory.dmp

Filesize
144KB

Download
memory/692-114-0x0000022200460000-0x000002220048B000-memory.dmp

Filesize
172KB

Download
memory/692-115-0x00007FFA320F0000-0x00007FFA32100000-memory.dmp

Filesize
64KB

Download
memory/716-126-0x0000029C614A0000-0x0000029C614CB000-memory.dmp

Filesize
172KB

Download
memory/716-127-0x00007FFA320F0000-0x00007FFA32100000-memory.dmp

Filesize
64KB

Download
memory/748-607-0x0000000000280000-0x0000000000745000-memory.dmp

Filesize
4.8MB

Download
memory/748-609-0x0000000000280000-0x0000000000745000-memory.dmp

Filesize
4.8MB

Download
memory/988-122-0x00000226FA160000-0x00000226FA18B000-memory.dmp

Filesize
172KB

Download
memory/988-123-0x00007FFA320F0000-0x00007FFA32100000-memory.dmp

Filesize
64KB

Download
memory/1064-139-0x00007FFA320F0000-0x00007FFA32100000-memory.dmp

Filesize
64KB

Download
memory/1064-138-0x000001CED0D50000-0x000001CED0D7B000-memory.dmp

Filesize
172KB

Download
memory/1072-142-0x00007FFA320F0000-0x00007FFA32100000-memory.dmp

Filesize
64KB

Download
memory/1072-141-0x0000016E920D0000-0x0000016E920FB000-memory.dmp

Filesize
172KB

Download
memory/1172-144-0x000001AC3E570000-0x000001AC3E59B000-memory.dmp

Filesize
172KB

Download
memory/1172-145-0x00007FFA320F0000-0x00007FFA32100000-memory.dmp

Filesize
64KB

Download
memory/1188-391-0x0000024FDF4B0000-0x0000024FDF4BA000-memory.dmp

Filesize
40KB

Download
memory/1188-388-0x0000024FDF3E0000-0x0000024FDF493000-memory.dmp

Filesize
716KB

Download
memory/1188-387-0x0000024FDF3C0000-0x0000024FDF3DC000-memory.dmp

Filesize
112KB

Download
memory/1188-389-0x0000024FDF4A0000-0x0000024FDF4AA000-memory.dmp

Filesize
40KB

Download
memory/1188-390-0x0000024FDF4D0000-0x0000024FDF4EC000-memory.dmp

Filesize
112KB

Download
memory/1188-392-0x0000024FDF510000-0x0000024FDF52A000-memory.dmp

Filesize
104KB

Download
memory/1188-393-0x0000024FDF4C0000-0x0000024FDF4C8000-memory.dmp

Filesize
32KB

Download
memory/1188-394-0x0000024FDF4F0000-0x0000024FDF4F6000-memory.dmp

Filesize
24KB

Download
memory/1188-395-0x0000024FDF500000-0x0000024FDF50A000-memory.dmp

Filesize
40KB

Download
memory/1216-148-0x00007FFA320F0000-0x00007FFA32100000-memory.dmp

Filesize
64KB

Download
memory/1216-147-0x0000019F6D570000-0x0000019F6D59B000-memory.dmp

Filesize
172KB

Download
memory/1276-151-0x00007FFA320F0000-0x00007FFA32100000-memory.dmp

Filesize
64KB

Download
memory/1276-150-0x0000026012DC0000-0x0000026012DEB000-memory.dmp

Filesize
172KB

Download
memory/1420-81-0x00007FFA72280000-0x00007FFA72282000-memory.dmp

Filesize
8KB

Download
memory/1420-80-0x00007FFA72270000-0x00007FFA72272000-memory.dmp

Filesize
8KB

Download
memory/1420-82-0x00007FF62AEF0000-0x00007FF62CC84000-memory.dmp

Filesize
29.6MB

Download
memory/1536-97-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1536-106-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1536-98-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1536-99-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1536-104-0x00007FFA71B10000-0x00007FFA71BCD000-memory.dmp

Filesize
756KB

Download
memory/1536-103-0x00007FFA72060000-0x00007FFA72269000-memory.dmp

Filesize
2.0MB

Download
memory/1536-100-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1536-102-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1940-56-0x0000000000280000-0x0000000000745000-memory.dmp

Filesize
4.8MB

Download
memory/1940-62-0x0000000000280000-0x0000000000745000-memory.dmp

Filesize
4.8MB

Download
memory/1940-18-0x0000000000280000-0x0000000000745000-memory.dmp

Filesize
4.8MB

Download
memory/1940-20-0x0000000000280000-0x0000000000745000-memory.dmp

Filesize
4.8MB

Download
memory/1940-63-0x0000000000280000-0x0000000000745000-memory.dmp

Filesize
4.8MB

Download
memory/1940-79-0x0000000000280000-0x0000000000745000-memory.dmp

Filesize
4.8MB

Download
memory/1940-19-0x0000000000281000-0x00000000002AF000-memory.dmp

Filesize
184KB

Download
memory/1940-21-0x0000000000280000-0x0000000000745000-memory.dmp

Filesize
4.8MB

Download
memory/2904-630-0x0000000000280000-0x0000000000745000-memory.dmp

Filesize
4.8MB

Download
memory/2904-632-0x0000000000280000-0x0000000000745000-memory.dmp

Filesize
4.8MB

Download
memory/3468-0-0x00000000000E0000-0x00000000005A5000-memory.dmp

Filesize
4.8MB

Download
memory/3468-16-0x00000000000E0000-0x00000000005A5000-memory.dmp

Filesize
4.8MB

Download
memory/3468-5-0x00000000000E0000-0x00000000005A5000-memory.dmp

Filesize
4.8MB

Download
memory/3468-3-0x00000000000E0000-0x00000000005A5000-memory.dmp

Filesize
4.8MB

Download
memory/3468-2-0x00000000000E1000-0x000000000010F000-memory.dmp

Filesize
184KB

Download
memory/3468-1-0x00000000775E6000-0x00000000775E8000-memory.dmp

Filesize
8KB

Download
memory/5068-93-0x0000014D2C480000-0x0000014D2C4A2000-memory.dmp

Filesize
136KB

Download