growtopia | 965e26ab119bb1fe78e0f2e9f3a4b85de6b308100faa6c12dd6aa60ee52f42ef

General

Target

GXBuilder.exe
Size

12.9MB
MD5

de6416915830c63685b6771684689d36
SHA1

f3516b1816295056c870e3c15a52aafbf4e9aab3
SHA256

965e26ab119bb1fe78e0f2e9f3a4b85de6b308100faa6c12dd6aa60ee52f42ef
SHA512

7efb6ba401dad084f2e7aa0af834171724168f2bd28da2d28fd3c1083b6286b262f352fe6dac703eacb5624f8b810918293d563353dafd85ac96532da61f25a7
SSDEEP

393216:oNOnxeqv5yEgPDflLNVga2D3o5Doo7Mm:0OnxD56DtLzGD3ohoo7Mm

Score

10^/10

growtopia xenorat evasion execution persistence pyinstaller rat stealer trojan

Malware Config

Extracted

Family

xenorat

C2

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8913d

Attributes

delay
5000
install_path
temp
port
45010
startup_name
WindowsErrorHandler

Extracted

Family

growtopia

C2

https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj

Signatures

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2820 powershell.exe
3220 powershell.exe
3700 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

Processes:

Ilkdt.exeWinHostMgr.exeWinErrorMgr.exeSahyui1337.exeKeyGeneratorTOP.exeKeyGeneratorTOP.exeWinErrorMgr.exebauwrdgwodhv.exe

pid	process
2792	Ilkdt.exe
2528	WinHostMgr.exe
2864	WinErrorMgr.exe
1636	Sahyui1337.exe
1048	KeyGeneratorTOP.exe
3040	KeyGeneratorTOP.exe
1824	WinErrorMgr.exe
476
3676	bauwrdgwodhv.exe

Loads dropped DLL 11 IoCs

Processes:

GXBuilder.exeKeyGeneratorTOP.exeKeyGeneratorTOP.exeWinErrorMgr.exe

pid	process
1028	GXBuilder.exe
1028	GXBuilder.exe
1028	GXBuilder.exe
1028	GXBuilder.exe
1028	GXBuilder.exe
1028	GXBuilder.exe
988
1048	KeyGeneratorTOP.exe
3040	KeyGeneratorTOP.exe
2864	WinErrorMgr.exe
476

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

8 pastebin.com
9 pastebin.com
2 discord.com
3 discord.com
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

3956 powercfg.exe
3488 powercfg.exe
3496 powercfg.exe
3504 powercfg.exe
3512 powercfg.exe
3932 powercfg.exe
3940 powercfg.exe
3948 powercfg.exe

flow	ioc
8	pastebin.com
9	pastebin.com
2	discord.com
3	discord.com

pid	process
3956	powercfg.exe
3488	powercfg.exe
3496	powercfg.exe
3504	powercfg.exe
3512	powercfg.exe
3932	powercfg.exe
3940	powercfg.exe
3948	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exeWinHostMgr.exepowershell.exebauwrdgwodhv.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	WinHostMgr.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bauwrdgwodhv.exe

description	pid	process	target process
PID 3676 set thread context of 3964	3676	bauwrdgwodhv.exe	conhost.exe
PID 3676 set thread context of 4048	3676	bauwrdgwodhv.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

wusa.exewusa.exe

description ioc process

File created C:\Windows\wusa.lock wusa.exe
File created C:\Windows\wusa.lock wusa.exe

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
3632	sc.exe
3320	sc.exe
3520	sc.exe
3460	sc.exe
3596	sc.exe
3768	sc.exe
3356	sc.exe
3388	sc.exe
3884	sc.exe
3908	sc.exe
3640	sc.exe
3812	sc.exe
3432	sc.exe
3848	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 6 IoCs

Processes:

powershell.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 701efc8035ceda01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

7136 schtasks.exe

pid	process
7136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeSahyui1337.exeWinHostMgr.exepowershell.exebauwrdgwodhv.exepowershell.exeexplorer.exe

pid	process
2820	powershell.exe
1636	Sahyui1337.exe
1636	Sahyui1337.exe
2528	WinHostMgr.exe
3220	powershell.exe
2528	WinHostMgr.exe
2528	WinHostMgr.exe
2528	WinHostMgr.exe
2528	WinHostMgr.exe
2528	WinHostMgr.exe
2528	WinHostMgr.exe
2528	WinHostMgr.exe
2528	WinHostMgr.exe
2528	WinHostMgr.exe
2528	WinHostMgr.exe
2528	WinHostMgr.exe
2528	WinHostMgr.exe
2528	WinHostMgr.exe
2528	WinHostMgr.exe
3676	bauwrdgwodhv.exe
3700	powershell.exe
3676	bauwrdgwodhv.exe
3676	bauwrdgwodhv.exe
3676	bauwrdgwodhv.exe
3676	bauwrdgwodhv.exe
3676	bauwrdgwodhv.exe
3676	bauwrdgwodhv.exe
3676	bauwrdgwodhv.exe
3676	bauwrdgwodhv.exe
3676	bauwrdgwodhv.exe
3676	bauwrdgwodhv.exe
3676	bauwrdgwodhv.exe
3676	bauwrdgwodhv.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe
4048	explorer.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

Ilkdt.exepowershell.exeSahyui1337.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2792	Ilkdt.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	1636	Sahyui1337.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeShutdownPrivilege	3504	powercfg.exe
Token: SeShutdownPrivilege	3488	powercfg.exe
Token: SeShutdownPrivilege	3496	powercfg.exe
Token: SeShutdownPrivilege	3512	powercfg.exe
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeShutdownPrivilege	3940	powercfg.exe
Token: SeShutdownPrivilege	3932	powercfg.exe
Token: SeShutdownPrivilege	3956	powercfg.exe
Token: SeShutdownPrivilege	3948	powercfg.exe
Token: SeLockMemoryPrivilege	4048	explorer.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

GXBuilder.exeKeyGeneratorTOP.exeWinErrorMgr.exeWinErrorMgr.execmd.execmd.exebauwrdgwodhv.exe

description	pid	process	target process
PID 1028 wrote to memory of 2820	1028	GXBuilder.exe	powershell.exe
PID 1028 wrote to memory of 2820	1028	GXBuilder.exe	powershell.exe
PID 1028 wrote to memory of 2820	1028	GXBuilder.exe	powershell.exe
PID 1028 wrote to memory of 2820	1028	GXBuilder.exe	powershell.exe
PID 1028 wrote to memory of 2792	1028	GXBuilder.exe	Ilkdt.exe
PID 1028 wrote to memory of 2792	1028	GXBuilder.exe	Ilkdt.exe
PID 1028 wrote to memory of 2792	1028	GXBuilder.exe	Ilkdt.exe
PID 1028 wrote to memory of 2792	1028	GXBuilder.exe	Ilkdt.exe
PID 1028 wrote to memory of 2528	1028	GXBuilder.exe	WinHostMgr.exe
PID 1028 wrote to memory of 2528	1028	GXBuilder.exe	WinHostMgr.exe
PID 1028 wrote to memory of 2528	1028	GXBuilder.exe	WinHostMgr.exe
PID 1028 wrote to memory of 2528	1028	GXBuilder.exe	WinHostMgr.exe
PID 1028 wrote to memory of 2864	1028	GXBuilder.exe	WinErrorMgr.exe
PID 1028 wrote to memory of 2864	1028	GXBuilder.exe	WinErrorMgr.exe
PID 1028 wrote to memory of 2864	1028	GXBuilder.exe	WinErrorMgr.exe
PID 1028 wrote to memory of 2864	1028	GXBuilder.exe	WinErrorMgr.exe
PID 1028 wrote to memory of 1636	1028	GXBuilder.exe	Sahyui1337.exe
PID 1028 wrote to memory of 1636	1028	GXBuilder.exe	Sahyui1337.exe
PID 1028 wrote to memory of 1636	1028	GXBuilder.exe	Sahyui1337.exe
PID 1028 wrote to memory of 1636	1028	GXBuilder.exe	Sahyui1337.exe
PID 1028 wrote to memory of 1048	1028	GXBuilder.exe	KeyGeneratorTOP.exe
PID 1028 wrote to memory of 1048	1028	GXBuilder.exe	KeyGeneratorTOP.exe
PID 1028 wrote to memory of 1048	1028	GXBuilder.exe	KeyGeneratorTOP.exe
PID 1028 wrote to memory of 1048	1028	GXBuilder.exe	KeyGeneratorTOP.exe
PID 1048 wrote to memory of 3040	1048	KeyGeneratorTOP.exe	KeyGeneratorTOP.exe
PID 1048 wrote to memory of 3040	1048	KeyGeneratorTOP.exe	KeyGeneratorTOP.exe
PID 1048 wrote to memory of 3040	1048	KeyGeneratorTOP.exe	KeyGeneratorTOP.exe
PID 2864 wrote to memory of 1824	2864	WinErrorMgr.exe	WinErrorMgr.exe
PID 2864 wrote to memory of 1824	2864	WinErrorMgr.exe	WinErrorMgr.exe
PID 2864 wrote to memory of 1824	2864	WinErrorMgr.exe	WinErrorMgr.exe
PID 2864 wrote to memory of 1824	2864	WinErrorMgr.exe	WinErrorMgr.exe
PID 1824 wrote to memory of 7136	1824	WinErrorMgr.exe	schtasks.exe
PID 1824 wrote to memory of 7136	1824	WinErrorMgr.exe	schtasks.exe
PID 1824 wrote to memory of 7136	1824	WinErrorMgr.exe	schtasks.exe
PID 1824 wrote to memory of 7136	1824	WinErrorMgr.exe	schtasks.exe
PID 3312 wrote to memory of 3372	3312	cmd.exe	wusa.exe
PID 3312 wrote to memory of 3372	3312	cmd.exe	wusa.exe
PID 3312 wrote to memory of 3372	3312	cmd.exe	wusa.exe
PID 3760 wrote to memory of 3804	3760	cmd.exe	wusa.exe
PID 3760 wrote to memory of 3804	3760	cmd.exe	wusa.exe
PID 3760 wrote to memory of 3804	3760	cmd.exe	wusa.exe
PID 3676 wrote to memory of 3964	3676	bauwrdgwodhv.exe	conhost.exe
PID 3676 wrote to memory of 3964	3676	bauwrdgwodhv.exe	conhost.exe
PID 3676 wrote to memory of 3964	3676	bauwrdgwodhv.exe	conhost.exe
PID 3676 wrote to memory of 3964	3676	bauwrdgwodhv.exe	conhost.exe
PID 3676 wrote to memory of 3964	3676	bauwrdgwodhv.exe	conhost.exe
PID 3676 wrote to memory of 3964	3676	bauwrdgwodhv.exe	conhost.exe
PID 3676 wrote to memory of 3964	3676	bauwrdgwodhv.exe	conhost.exe
PID 3676 wrote to memory of 3964	3676	bauwrdgwodhv.exe	conhost.exe
PID 3676 wrote to memory of 3964	3676	bauwrdgwodhv.exe	conhost.exe
PID 3676 wrote to memory of 4048	3676	bauwrdgwodhv.exe	explorer.exe
PID 3676 wrote to memory of 4048	3676	bauwrdgwodhv.exe	explorer.exe
PID 3676 wrote to memory of 4048	3676	bauwrdgwodhv.exe	explorer.exe
PID 3676 wrote to memory of 4048	3676	bauwrdgwodhv.exe	explorer.exe
PID 3676 wrote to memory of 4048	3676	bauwrdgwodhv.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\GXBuilder.exe
"C:\Users\Admin\AppData\Local\Temp\GXBuilder.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAeQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAeAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAcQBsACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
"C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
"C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2528

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Drops file in Windows directory
PID:3372

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
3⤵
- Launches sc.exe
PID:3320

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:3356

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
3⤵
- Launches sc.exe
PID:3388

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
3⤵
- Launches sc.exe
PID:3432

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
3⤵
- Launches sc.exe
PID:3460

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GMDTJRUT"
3⤵
- Launches sc.exe
PID:3520

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"
3⤵
- Launches sc.exe
PID:3596

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:3632

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GMDTJRUT"
3⤵
- Launches sc.exe
PID:3640

C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
"C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864

C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB912.tmp" /F
4⤵
- Scheduled Task/Job: Scheduled Task
PID:7136

C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
"C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
"C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
"C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Drops file in Windows directory
PID:3804

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:3768

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:3812

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:3848

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:3884

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:3908

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:3964

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

Power Settings

Scheduled Task/Job

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
Filesize
6.9MB

MD5
bd0e4823fbfed11abb6994db7d0e6c09

SHA1
8694f5a67686070fc81445edebef8ead6c38aca8

SHA256
a83dc0d4764f8e41e061dd4e331f341b09cc994fc339fed2445692df7b98affe

SHA512
37f7e77407571c8f4ac298a4580610b0787e7cf8c8993e6816895a1caa71e0c4d97b72f525b9f054071fbf14bf9e87c48c67b39dcc01448213a995d036ff84e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
Filesize
316KB

MD5
675d9e9ab252981f2f919cf914d9681d

SHA1
7485f5c9da283475136df7fa8b62756efbb5dd17

SHA256
0f055835332ef8e368185ae461e7c9eacdeb3d600ea550d605b09a20e0856e2d

SHA512
9dd936705fd43ebe8be17fcf77173eaaf16046f5880f8fe48fc68ded91ef6202ba65c605980bd2e330d2c7f463f772750a1bd96246fffdc9cb6bf8e1b00a2ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
Filesize
5.0MB

MD5
e222309197c5e633aa8e294ba4bdcd29

SHA1
52b3f89a3d2262bf603628093f6d1e71d9cc3820

SHA256
047a7ca1b8848c1c0e3c0fcc6ece056390760b24580f27f6966b86b0c2a1042b

SHA512
9eb37686e0cee9ec18d12a4edd37c8334d26650c74eae5b30231c2b0db1628d52848123c9348c3da306ec950b827ec0a56cdf43ee325a9e280022c68193d8503

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\python312.dll
Filesize
6.7MB

MD5
48ebfefa21b480a9b0dbfc3364e1d066

SHA1
b44a3a9b8c585b30897ddc2e4249dfcfd07b700a

SHA256
0cc4e557972488eb99ea4aeb3d29f3ade974ef3bcd47c211911489a189a0b6f2

SHA512
4e6194f1c55b82ee41743b35d749f5d92a955b219decacf9f1396d983e0f92ae02089c7f84a2b8296a3062afa3f9c220da9b7cd9ed01b3315ea4a953b4ecc6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB912.tmp
Filesize
1KB

MD5
7f673f709ab0e7278e38f0fd8e745cd4

SHA1
ac504108a274b7051e3b477bcd51c9d1a4a01c2c

SHA256
da5ab3278aaa04fbd51272a617aef9b903ca53c358fac48fc0f558e257e063a4

SHA512
e932ccbd9d3ec6ee129f0dab82710904b84e657532c5b623d3c7b3b4ce45732caf8ff5d7b39095cf99ecf97d4e40dd9d755eb2b89c8ede629b287c29e41d1132

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XI8SLI8KR9TXOWD4ZWUK.temp
Filesize
7KB

MD5
44a821f8d75220a7643212b2b321c3c7

SHA1
7b822d776af6c896b64036476a62fe38d5de40a0

SHA256
d6d1d50ae40b19585555609c5ff52e52aa64be670ab25e4d8c0a4041ae08828d

SHA512
6ee4d06ed97ca829b970c90608dad268ed47a9ef41fd58fc50efa30c991a2c2fa39436092e69aa76741cbe449fd23ab645a09d077434bca45ef2270a134bf3bd

Download Submit
\Users\Admin\AppData\Local\Temp\Ilkdt.exe
Filesize
191KB

MD5
e004a568b841c74855f1a8a5d43096c7

SHA1
b90fd74593ae9b5a48cb165b6d7602507e1aeca4

SHA256
d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db

SHA512
402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

Download Submit
\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
Filesize
42KB

MD5
d499e979a50c958f1a67f0e2a28af43d

SHA1
1e5fa0824554c31f19ce01a51edb9bed86f67cf0

SHA256
bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e

SHA512
668047f178d82bebefeb8c2e7731d34ff24dc755dacd3362b43d8b44c6b148fc51af0d0ab2d0a67f0344ab6158b883fe568e4eeb0e34152108735574f0e1e763

Download Submit
memory/1636-50-0x0000000001130000-0x0000000001184000-memory.dmp

Filesize
336KB

Download
memory/1824-425-0x00000000010B0000-0x00000000010C0000-memory.dmp

Filesize
64KB

Download
memory/2792-287-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-277-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-312-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-310-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-308-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-306-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-304-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-302-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-299-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-297-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-295-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-293-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-291-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-289-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-316-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-285-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-283-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-281-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-279-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-314-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-275-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-273-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-271-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-269-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-267-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-265-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-263-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-261-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-258-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-255-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-253-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-252-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-318-0x0000000000570000-0x00000000005D5000-memory.dmp

Filesize
404KB

Download
memory/2792-56-0x0000000000570000-0x00000000005DC000-memory.dmp

Filesize
432KB

Download
memory/2792-43-0x0000000001250000-0x0000000001286000-memory.dmp

Filesize
216KB

Download
memory/2864-46-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3220-1672-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/3220-1673-0x0000000001F90000-0x0000000001F98000-memory.dmp

Filesize
32KB

Download
memory/3700-1679-0x0000000019F00000-0x000000001A1E2000-memory.dmp

Filesize
2.9MB

Download
memory/3700-1680-0x0000000000950000-0x0000000000958000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads