86f5405f75eb6d9690e453a33e7a3fe295f14768a6d74ded401e9b5be20187f9

Analysis

max time kernel
120s
max time network
110s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47074dbd10aafc67df34adefac3d0fc0N.exe
Size

4.7MB
MD5

47074dbd10aafc67df34adefac3d0fc0
SHA1

143477766ae66727e311d4d0197803232ccac240
SHA256

86f5405f75eb6d9690e453a33e7a3fe295f14768a6d74ded401e9b5be20187f9
SHA512

bab199ef6f6f79de1e402eaa9a9f0b621b75a49e8e0136d63f441ab6a06633acb902b21d0cc3708d93537036d58b7ca900eff5c8951f5629e36a78569a3818c8
SSDEEP

98304:1H5MPEcnPLf8rQp551zx0w38HSbUbBpkI9Aq0K2TLs4:1H2/+Qp5jNREyIt0NTY4

Score

8^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2860	powershell.exe
2064	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\OCTIXTRR\ImagePath = "C:\\ProgramData\\xjdqjwmcjruc\\ynyaxftjxjtb.exe"	services.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 14 IoCs

pid	Process
1800	7z.exe
2716	7z.exe
2824	7z.exe
2832	7z.exe
2812	7z.exe
732	7z.exe
2876	7z.exe
3064	7z.exe
2088	7z.exe
860	7z.exe
1976	7z.exe
1648	7z.exe
1180	Installer.exe
1324	ynyaxftjxjtb.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe

Loads dropped DLL 28 IoCs

pid	Process
2080	cmd.exe
1800	7z.exe
2080	cmd.exe
2716	7z.exe
2080	cmd.exe
2824	7z.exe
2080	cmd.exe
2832	7z.exe
2080	cmd.exe
2812	7z.exe
2080	cmd.exe
732	7z.exe
2080	cmd.exe
2876	7z.exe
2080	cmd.exe
3064	7z.exe
2080	cmd.exe
2088	7z.exe
2080	cmd.exe
860	7z.exe
2080	cmd.exe
1976	7z.exe
2080	cmd.exe
1648	7z.exe
2080	cmd.exe
2080	cmd.exe
476	services.exe
476	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Installer.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	ynyaxftjxjtb.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1180 set thread context of 712	1180	Installer.exe	63
PID 1324 set thread context of 2952	1324	ynyaxftjxjtb.exe	88
PID 1324 set thread context of 2396	1324	ynyaxftjxjtb.exe	89
PID 1324 set thread context of 2236	1324	ynyaxftjxjtb.exe	90

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2612	sc.exe
1648	sc.exe
560	sc.exe
448	sc.exe
2380	sc.exe
2084	sc.exe
3048	sc.exe
2956	sc.exe
1668	sc.exe
1964	sc.exe
912	sc.exe
1472	sc.exe
1372	sc.exe
1620	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47074dbd10aafc67df34adefac3d0fc0N.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0e4bd7a7eddda01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	dialer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1180	Installer.exe
2860	powershell.exe
1180	Installer.exe
1180	Installer.exe
1180	Installer.exe
1180	Installer.exe
1180	Installer.exe
1180	Installer.exe
1180	Installer.exe
1180	Installer.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
1180	Installer.exe
712	dialer.exe
712	dialer.exe
1180	Installer.exe
1180	Installer.exe
1324	ynyaxftjxjtb.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
2064	powershell.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
712	dialer.exe
1324	ynyaxftjxjtb.exe
1324	ynyaxftjxjtb.exe
1324	ynyaxftjxjtb.exe
1324	ynyaxftjxjtb.exe
1324	ynyaxftjxjtb.exe
1324	ynyaxftjxjtb.exe
1324	ynyaxftjxjtb.exe
1324	ynyaxftjxjtb.exe
2952	dialer.exe
2952	dialer.exe
2952	dialer.exe
2952	dialer.exe
1324	ynyaxftjxjtb.exe
2952	dialer.exe
2952	dialer.exe
2952	dialer.exe
2952	dialer.exe
2952	dialer.exe
2952	dialer.exe
2952	dialer.exe
2952	dialer.exe
2952	dialer.exe
2952	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1800	7z.exe
Token: 35	1800	7z.exe
Token: SeSecurityPrivilege	1800	7z.exe
Token: SeSecurityPrivilege	1800	7z.exe
Token: SeRestorePrivilege	2716	7z.exe
Token: 35	2716	7z.exe
Token: SeSecurityPrivilege	2716	7z.exe
Token: SeSecurityPrivilege	2716	7z.exe
Token: SeRestorePrivilege	2824	7z.exe
Token: 35	2824	7z.exe
Token: SeSecurityPrivilege	2824	7z.exe
Token: SeSecurityPrivilege	2824	7z.exe
Token: SeRestorePrivilege	2832	7z.exe
Token: 35	2832	7z.exe
Token: SeSecurityPrivilege	2832	7z.exe
Token: SeSecurityPrivilege	2832	7z.exe
Token: SeRestorePrivilege	2812	7z.exe
Token: 35	2812	7z.exe
Token: SeSecurityPrivilege	2812	7z.exe
Token: SeSecurityPrivilege	2812	7z.exe
Token: SeRestorePrivilege	732	7z.exe
Token: 35	732	7z.exe
Token: SeSecurityPrivilege	732	7z.exe
Token: SeSecurityPrivilege	732	7z.exe
Token: SeRestorePrivilege	2876	7z.exe
Token: 35	2876	7z.exe
Token: SeSecurityPrivilege	2876	7z.exe
Token: SeSecurityPrivilege	2876	7z.exe
Token: SeRestorePrivilege	3064	7z.exe
Token: 35	3064	7z.exe
Token: SeSecurityPrivilege	3064	7z.exe
Token: SeSecurityPrivilege	3064	7z.exe
Token: SeRestorePrivilege	2088	7z.exe
Token: 35	2088	7z.exe
Token: SeSecurityPrivilege	2088	7z.exe
Token: SeSecurityPrivilege	2088	7z.exe
Token: SeRestorePrivilege	860	7z.exe
Token: 35	860	7z.exe
Token: SeSecurityPrivilege	860	7z.exe
Token: SeSecurityPrivilege	860	7z.exe
Token: SeRestorePrivilege	1976	7z.exe
Token: 35	1976	7z.exe
Token: SeSecurityPrivilege	1976	7z.exe
Token: SeSecurityPrivilege	1976	7z.exe
Token: SeRestorePrivilege	1648	7z.exe
Token: 35	1648	7z.exe
Token: SeSecurityPrivilege	1648	7z.exe
Token: SeSecurityPrivilege	1648	7z.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	712	dialer.exe
Token: SeAuditPrivilege	852	svchost.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2952	dialer.exe
Token: SeLockMemoryPrivilege	2236	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 2080	1440	47074dbd10aafc67df34adefac3d0fc0N.exe	31
PID 1440 wrote to memory of 2080	1440	47074dbd10aafc67df34adefac3d0fc0N.exe	31
PID 1440 wrote to memory of 2080	1440	47074dbd10aafc67df34adefac3d0fc0N.exe	31
PID 1440 wrote to memory of 2080	1440	47074dbd10aafc67df34adefac3d0fc0N.exe	31
PID 2080 wrote to memory of 2760	2080	cmd.exe	33
PID 2080 wrote to memory of 2760	2080	cmd.exe	33
PID 2080 wrote to memory of 2760	2080	cmd.exe	33
PID 2080 wrote to memory of 1800	2080	cmd.exe	34
PID 2080 wrote to memory of 1800	2080	cmd.exe	34
PID 2080 wrote to memory of 1800	2080	cmd.exe	34
PID 2080 wrote to memory of 2716	2080	cmd.exe	35
PID 2080 wrote to memory of 2716	2080	cmd.exe	35
PID 2080 wrote to memory of 2716	2080	cmd.exe	35
PID 2080 wrote to memory of 2824	2080	cmd.exe	36
PID 2080 wrote to memory of 2824	2080	cmd.exe	36
PID 2080 wrote to memory of 2824	2080	cmd.exe	36
PID 2080 wrote to memory of 2832	2080	cmd.exe	37
PID 2080 wrote to memory of 2832	2080	cmd.exe	37
PID 2080 wrote to memory of 2832	2080	cmd.exe	37
PID 2080 wrote to memory of 2812	2080	cmd.exe	38
PID 2080 wrote to memory of 2812	2080	cmd.exe	38
PID 2080 wrote to memory of 2812	2080	cmd.exe	38
PID 2080 wrote to memory of 732	2080	cmd.exe	39
PID 2080 wrote to memory of 732	2080	cmd.exe	39
PID 2080 wrote to memory of 732	2080	cmd.exe	39
PID 2080 wrote to memory of 2876	2080	cmd.exe	40
PID 2080 wrote to memory of 2876	2080	cmd.exe	40
PID 2080 wrote to memory of 2876	2080	cmd.exe	40
PID 2080 wrote to memory of 3064	2080	cmd.exe	41
PID 2080 wrote to memory of 3064	2080	cmd.exe	41
PID 2080 wrote to memory of 3064	2080	cmd.exe	41
PID 2080 wrote to memory of 2088	2080	cmd.exe	42
PID 2080 wrote to memory of 2088	2080	cmd.exe	42
PID 2080 wrote to memory of 2088	2080	cmd.exe	42
PID 2080 wrote to memory of 860	2080	cmd.exe	43
PID 2080 wrote to memory of 860	2080	cmd.exe	43
PID 2080 wrote to memory of 860	2080	cmd.exe	43
PID 2080 wrote to memory of 1976	2080	cmd.exe	44
PID 2080 wrote to memory of 1976	2080	cmd.exe	44
PID 2080 wrote to memory of 1976	2080	cmd.exe	44
PID 2080 wrote to memory of 1648	2080	cmd.exe	45
PID 2080 wrote to memory of 1648	2080	cmd.exe	45
PID 2080 wrote to memory of 1648	2080	cmd.exe	45
PID 2080 wrote to memory of 1768	2080	cmd.exe	46
PID 2080 wrote to memory of 1768	2080	cmd.exe	46
PID 2080 wrote to memory of 1768	2080	cmd.exe	46
PID 2080 wrote to memory of 1180	2080	cmd.exe	47
PID 2080 wrote to memory of 1180	2080	cmd.exe	47
PID 2080 wrote to memory of 1180	2080	cmd.exe	47
PID 3048 wrote to memory of 2188	3048	cmd.exe	54
PID 3048 wrote to memory of 2188	3048	cmd.exe	54
PID 3048 wrote to memory of 2188	3048	cmd.exe	54
PID 1180 wrote to memory of 712	1180	Installer.exe	63
PID 1180 wrote to memory of 712	1180	Installer.exe	63
PID 1180 wrote to memory of 712	1180	Installer.exe	63
PID 1180 wrote to memory of 712	1180	Installer.exe	63
PID 1180 wrote to memory of 712	1180	Installer.exe	63
PID 1180 wrote to memory of 712	1180	Installer.exe	63
PID 1180 wrote to memory of 712	1180	Installer.exe	63
PID 712 wrote to memory of 432	712	dialer.exe	5
PID 712 wrote to memory of 476	712	dialer.exe	6
PID 712 wrote to memory of 492	712	dialer.exe	7
PID 712 wrote to memory of 500	712	dialer.exe	8
PID 712 wrote to memory of 588	712	dialer.exe	9

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1768	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Loads dropped DLL
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:588
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1312
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:752
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:1236
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:668
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Indicator Removal: Clear Windows Event Logs
  PID:756
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:816
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1160
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:964
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:280
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:344
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1064
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1104
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1680
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2992
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1152
- C:\ProgramData\xjdqjwmcjruc\ynyaxftjxjtb.exe
  C:\ProgramData\xjdqjwmcjruc\ynyaxftjxjtb.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:1324
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2188
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:1364
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3048
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1964
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1620
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:560
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:912
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2396
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:2236

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\47074dbd10aafc67df34adefac3d0fc0N.exe
  "C:\Users\Admin\AppData\Local\Temp\47074dbd10aafc67df34adefac3d0fc0N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\system32\mode.com
      mode 65,10
      4⤵
      PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e file.zip -p12604498994588938250375 -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1800
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_11.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_10.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_9.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_8.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_7.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:732
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_6.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_5.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_4.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_3.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:860
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_2.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_1.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1648
  - - C:\Windows\system32\attrib.exe
      attrib +H "Installer.exe"
      4⤵
      Views/modifies file attributes
      PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
      "Installer.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1180
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3048
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        Drops file in Windows directory
        
        PID:2188
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2612
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:2956
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:1472
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:448
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:2380
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:712
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "OCTIXTRR"
        5⤵
        Launches sc.exe
        
        PID:1372
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "OCTIXTRR" binpath= "C:\ProgramData\xjdqjwmcjruc\ynyaxftjxjtb.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:2084
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:1648
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "OCTIXTRR"
        5⤵
        Launches sc.exe
        
        PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "640435130-206852568624265002-16520692-2734125681194663079-1862391975-1888964590"
1⤵
PID:2652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-625051191275494369-16265054761212276418-1942227903476283840-9050258021236529273"
1⤵
PID:1684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "881588685-14439843861661100911996126392074722381804536456867446147-1897631339"
1⤵
PID:1768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1350518213-1691097746-1474280694-9163543494203761561035738089-1733338592-2092862287"
1⤵
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
4e74bce257fbb2d71339bc83db840310

SHA1
8fd44598178405185350d5e288ad73feecc4561f

SHA256
dd80447c97f607215591459d472d8c95f03af311bd0500062817f2c4a1f6602a

SHA512
a55dafa2486137ca6bdb995dd686fa083af45f5069b486d1a0d8c99af25608fbf0d2bc31fe2ff4eb01f5273803a2cc6003050e8d1d206f63b03afe82d04d57a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

Filesize
2.8MB

MD5
016541675e346c0a86f50c8520799cb5

SHA1
dc087490bd078a37ec95772cc8a9aae01c28ffb5

SHA256
7e524500b933c50ccb7c2a0d691c61fa69597be695fa0644825be7ea63ae6f45

SHA512
7bb032ae6dd31612133a81d7459270ac5912bae63a1960fcc7accf8815d8dfcc8fe305aec984d933178b6fa30a515ecaffe14d8afd37d8e25b17b4eee23e51d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
2.2MB

MD5
8d630c0e42d493cec412b1be889eaebe

SHA1
f587aab374dff28453150087d379e253c0a3512a

SHA256
4d662daa4e55f1241faffe804f1b417d4f3a3d96988ffe2f32076a5d8267ff8d

SHA512
8703aecc864a1acec50760fee7ff88abbd0135a0059aa160891a4fdc8b3a044f2e9361e5e686bb6f22d24d0ca1d7f72443f7638b2ff396e5ed9e4f7673358fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip

Filesize
2.2MB

MD5
3247e971c2d98e8baa09d90778d3a591

SHA1
f660b1c88d9d841a96ee5c73c628cae4b3df71c8

SHA256
efa14f29555a49b50e0651ea1675232106557309c094f8db80d1976846e9f954

SHA512
5c51c8a26833de7092fe5a30c009796c28bfb2c24983f2896e6e132a857602448d4ecee02c93d5ff6ac158a7f2a47a13263e3f6e570b02ba8c2f69f1c3a5838f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_11.zip

Filesize
3.8MB

MD5
3e67b8394eea5163de4d9b9e9ed0e7c3

SHA1
8eb582e93beb7a85e3e72beba8fa2a1a01f37e2c

SHA256
4b16f015b6b7b8501a72918f18d4cbebf8284480704266be30cd375c99e301fd

SHA512
0e8c51af73c2fce75d74ad9bfe832169057ea7b6294f614068046d974eb5c5a37c4e6d4d9013692c5a71b4cb46c948d1d620b890238f60548f968d7e6aba544e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
2.2MB

MD5
211ec6ab5c6ae29f786a5a0c4ca64871

SHA1
a00acc9b72654677d38449eda472157bf935714e

SHA256
7948ebaed8d8985c43d09a357bbbaaa0abc1a595ee71dd884dd28a0318a84605

SHA512
d34f1af3649595fb0c48a90e6185cd0bcddec23c4ab99844b584af602df19eab8f573ab561b8174ac62be241ae15db73d51540e761e0ef88b6cddbbecd0b9f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
2.2MB

MD5
6bcaa675177722ba1051149196b2b70b

SHA1
24964ad37dc7789fb9827569a115458fccb070e3

SHA256
6412077356e61588d22455a1257317badad325198192d0a35f6c55215eb43b8b

SHA512
7ad0f8a0f320d11ec46de42a0da6ebfc78c1872052b15f9d776bcd271b760e0ab2b2b9286d181d35be7925d09b3384b72202dcf8114842d190bbb3fc0dc321f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
2.2MB

MD5
194ffc1e37981e0deafab3d4770ab0af

SHA1
0a4fc302624f776c9398896c701a52b821deb7b1

SHA256
da56c39ad6b1d99d8dfb0c73d0cc554347b3704476f06ea2eb641610266c8acf

SHA512
648c51d767ee3891aaa4f64d5719dd70421b20d3da6db533d6d51d3ea53c771c813d554110dcc2589453f8570f06140e5eac39842208d6f1986ece72f2fd81c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
2.2MB

MD5
da093f4624c7b9c1a9f1b98b4eaf2eb3

SHA1
ee37b7458d426d1be5a5d2cb710c9dd43ed1bdf8

SHA256
2cec1875eee32be0a5f870ac48df5b34d642d3940990603bb915faf74358aa5e

SHA512
3a36abe8def974329100c3a50e47e31ed44b75c00e9668081e6429418476d1a1df7a42f93bde57381a89bd3419afaf1c406f2e1b69e769b1649ce9878b5ac593

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
2.2MB

MD5
8432c273a0ac2282d697acab3bba2c14

SHA1
8c26b02f2a07d71aed2d62b67d95a2bda7d71eef

SHA256
599662f0eb3e42e2e797dba6d7264c7bdef9c03778290c10894b62cc545e32c4

SHA512
2e3b8907eafb9a7b69ffa1a48e46b7dc4a522745cd898c9cdd57d5ec2bb02b149dd47158678581f6f6db569b533cfabab4506573972f1afb9efe6d26f9002002

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
2.2MB

MD5
09ad8c6e1303f77bd6e81f2ff413d1f1

SHA1
0455a0191bbc2222693bc421cd39f2d212ac4408

SHA256
fdd05067a0febfb9d997a8ab3f5a0bcd0a3fc1e5e382aac3b790bc7bd8fdf43d

SHA512
2ad654347288c47a2bddaec0edd2622a08e1a4c91b41f1ecc3d5767e1d0c86e2e7c148aacb57f385702f6d032b6b36ed86b5f1433f6de2cd14db7af93f3b2cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

Filesize
2.2MB

MD5
20e6892f49490e3f92ac546b94c5a8c6

SHA1
7f55f622cab162126504e32899fcfbd4e59db967

SHA256
000efc8797901ef9d32e4d158cb3f3b5b0e1e00cf6debb5403cd11e4037f0387

SHA512
69607d48e740cfdb0b2ef5af3646d60e69eab72cd790f421b519eeea9b638f3dc18530d66931db06a98c1fc98f13122e7e402328a8f02bb531df2b35acf8c1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

Filesize
2.2MB

MD5
5b0cb315164124191160fd549254a010

SHA1
5f47cf51d65596ca35d370809445390e5d15de78

SHA256
5daaf294c1d61c89d65866e20f9b67f62d02b67c8b8cae3c3f57ae2f7819c035

SHA512
709163a548f9a0850030e0292b5bc13a4a62ed284a05e4196cf49b95da19829ccf5493411e36d443993631ca2d7e5a1724678a39619e6b368426f47a6c0b3eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
3.8MB

MD5
9d50ceb5878f89f5c0d778f3abc371a7

SHA1
0079107c32de3e6bd273e139b69625daaa11a532

SHA256
1b41427b51f6dc744aee882414ccf0dd0f0caa835d5a37925a143ef891db30df

SHA512
2e46fd377aab48f0f4add1e69ff304806fb2fd1d71265d163669d8aa006c5d94bff1b4fe0dadeda75e18d996414cf8142523d8e8c180a890d7fc773311e2b4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
470B

MD5
10de169da3e02a2eafc4630442d2dde6

SHA1
7864af241e714af7ae13e9714b28fea1a9f1eb2b

SHA256
c7a2d19076e5e9c29e89d5a6a7c28fb27b0d79dd22e4fe58a0a414dff1678c92

SHA512
75b4e8f0d162da27f8c1553c4b727991e5388472d00a1145288a77bc5370868ed5d86a9940b3d7cdd21110aefd1e90bb9763bb82bea108d5a8c2790ed32174a8

Download Submit
memory/432-127-0x0000000000C10000-0x0000000000C34000-memory.dmp

Filesize
144KB

Download
memory/432-130-0x0000000000C40000-0x0000000000C6B000-memory.dmp

Filesize
172KB

Download
memory/432-129-0x0000000000C10000-0x0000000000C34000-memory.dmp

Filesize
144KB

Download
memory/432-131-0x000007FEBDA90000-0x000007FEBDAA0000-memory.dmp

Filesize
64KB

Download
memory/432-132-0x00000000378C0000-0x00000000378D0000-memory.dmp

Filesize
64KB

Download
memory/476-179-0x0000000000130000-0x000000000015B000-memory.dmp

Filesize
172KB

Download
memory/712-124-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/712-123-0x0000000077760000-0x000000007787F000-memory.dmp

Filesize
1.1MB

Download
memory/712-119-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/712-116-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/712-122-0x0000000077880000-0x0000000077A29000-memory.dmp

Filesize
1.7MB

Download
memory/712-118-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/712-117-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/712-121-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2064-353-0x00000000008F0000-0x00000000008F8000-memory.dmp

Filesize
32KB

Download
memory/2064-352-0x000000001A2B0000-0x000000001A592000-memory.dmp

Filesize
2.9MB

Download
memory/2860-115-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2860-114-0x000000001B450000-0x000000001B732000-memory.dmp

Filesize
2.9MB

Download