Tasks by platform (sample, platform, badge where shown)
windows10-1703-x64: Expensive 3.1.exe (3)
windows10-2004-x64: Expensive 3.1.exe (10)
windows11-21h2-x64: Expensive 3.1.exe (10)
android-10-x64: Expensive 3.1.exe (10)
android-11-x64: Expensive 3.1.exe
android-13-x64: Expensive 3.1.exe
android-9-x86: Expensive 3.1.exe
macos-10.15-amd64: Expensive 3.1.exe
debian-12-armhf: Expensive 3.1.exe (1)
debian-12-mipsel: Expensive 3.1.exe
debian-9-armhf: Expensive 3.1.exe
debian-9-mips: Expensive 3.1.exe
debian-9-mipsel: Expensive 3.1.exe
ubuntu-18.04-amd64: Expensive 3.1.exe
ubuntu-20.04-amd64: Expensive 3.1.exe
ubuntu-22.04-amd64: Expensive 3.1.exe
ubuntu-24.04-amd64: Expensive 3.1.exe
Analysis
max time kernel: 134s
max time network: 137s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 25/07/2024, 14:36
Static task: static1

Behavioral tasks
Task | Sample | Resource
behavioral1 | Expensive 3.1.exe | win10-20240404-en
behavioral2 | Expensive 3.1.exe | win10v2004-20240709-en
behavioral3 | Expensive 3.1.exe | win11-20240709-en
behavioral4 | Expensive 3.1.exe | android-x64-20240624-en
behavioral5 | Expensive 3.1.exe | android-x64-arm64-20240624-en
behavioral6 | Expensive 3.1.exe | android-33-x64-arm64-20240624-en
behavioral7 | Expensive 3.1.exe | android-x86-arm-20240624-en
behavioral8 | Expensive 3.1.exe | macos-20240711.1-en
behavioral9 | Expensive 3.1.exe | debian12-armhf-20240221-en
behavioral10 | Expensive 3.1.exe | debian12-mipsel-20240418-en
behavioral11 | Expensive 3.1.exe | debian9-armhf-20240611-en
behavioral12 | Expensive 3.1.exe | debian9-mipsbe-20240611-en
behavioral13 | Expensive 3.1.exe | debian9-mipsel-20240418-en
behavioral14 | Expensive 3.1.exe | ubuntu1804-amd64-20240508-en
behavioral15 | Expensive 3.1.exe | ubuntu2004-amd64-20240611-en
behavioral16 | Expensive 3.1.exe | ubuntu2204-amd64-20240522.1-en
behavioral17 | Expensive 3.1.exe | ubuntu2404-amd64-20240523-en
General
Target: Expensive 3.1.exe
Size: 343KB
MD5: 349469d67bda79cbde42c69d22500043
SHA1: 39d538c92e482ceddde34b111b8ee66acc2f0384
SHA256: 76567d6429bea0f062e44f8fad032a4f73816a91d1c7420b1d252547ee98046a
SHA512: 8492d61db9d0828e20102dfa71ae4235baa213f808139053918b5a324858a2291d9d4eacf263273c44067fff2133f9248ed8eeaf9dbbb60d733e521d0a01a9bc
SSDEEP: 6144:+XqQgll2xU4Lt0gCie6VlWT8b93nwZWrkqKQXnYbTY2At:IourPVle8Y3At
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe" | Expensive 3.1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\xdwdMicrosoft SQL Server Management Studio.exe" | Expensive 3.1.exe
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copy of, a web browser credential store.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Event Triggered Execution: AppInit DLLs (1 TTPs)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
Credentials from Password Stores: Windows Credential Manager (1 TTPs)
Suspicious access to Credentials History.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\xdwdwinlogon = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\xdwdMicrosoft Project.exe" | Expensive 3.1.exe
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\rescache\_merged\2717123927\1590785016.pri | explorer.exe
File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | SearchUI.exe
File created | C:\Windows\rescache\_merged\4032412167\4002656488.pri | explorer.exe
File created | C:\Windows\xdwd.dll | Expensive 3.1.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 26 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Delays execution with timeout.exe (2 IoCs)
pid | Process
3308 | timeout.exe
1808 | timeout.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchUI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchUI.exe
Kills process with taskkill (2 IoCs)
pid | Process
4680 | taskkill.exe
4072 | taskkill.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\GPU | SearchUI.exe
Modifies registry class (29 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" | SearchUI.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana | SearchUI.exe
Set value (data) | (IconStreams value follows; explorer.exe)
\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e80707004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e0070007000720066006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000678f0251a0deda0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80707004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000682ee150a0deda0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a0066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc760000000000000000000000003631b1288a86da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a0066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133567065867241975" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | explorer.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
4576 schtasks.exe
3336 schtasks.exe
1808 schtasks.exe
220 schtasks.exe
916 schtasks.exe
2400 schtasks.exe
2856 schtasks.exe
4948 schtasks.exe
608 schtasks.exe
164 schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
4704 Expensive 3.1.exe (62 entries)
4504 WmiApSrv.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process
Token: SeDebugPrivilege 4704 Expensive 3.1.exe
Token: SeDebugPrivilege 4680 taskkill.exe
Token: SeShutdownPrivilege 3512 explorer.exe / Token: SeCreatePagefilePrivilege 3512 explorer.exe (44 entries, alternating between the two privileges)
Suspicious use of FindShellTrayWindow 52 IoCs
pid Process
3512 explorer.exe (52 entries)
Suspicious use of SendNotifyMessage 25 IoCs
pid Process
3512 explorer.exe (25 entries)
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
5108 SearchUI.exe
Suspicious use of WriteProcessMemory 62 IoCs
description pid Process procid_target (each row appears twice in the report)
PID 4704 wrote to memory of 212 | 4704 Expensive 3.1.exe | 73
PID 212 wrote to memory of 4576 | 212 CMD.exe | 75
PID 4704 wrote to memory of 3156 | 4704 Expensive 3.1.exe | 76
PID 3156 wrote to memory of 220 | 3156 CMD.exe | 78
PID 4704 wrote to memory of 2060 | 4704 Expensive 3.1.exe | 79
PID 2060 wrote to memory of 916 | 2060 CMD.exe | 81
PID 4704 wrote to memory of 5068 | 4704 Expensive 3.1.exe | 82
PID 5068 wrote to memory of 3336 | 5068 CMD.exe | 84
PID 4704 wrote to memory of 4728 | 4704 Expensive 3.1.exe | 87
PID 4728 wrote to memory of 1808 | 4728 CMD.exe | 89
PID 4704 wrote to memory of 4528 | 4704 Expensive 3.1.exe | 90
PID 4528 wrote to memory of 2400 | 4528 CMD.exe | 92
PID 4704 wrote to memory of 1680 | 4704 Expensive 3.1.exe | 93
PID 1680 wrote to memory of 2856 | 1680 CMD.exe | 95
PID 4704 wrote to memory of 3756 | 4704 Expensive 3.1.exe | 96
PID 3756 wrote to memory of 4948 | 3756 CMD.exe | 98
PID 4704 wrote to memory of 4124 | 4704 Expensive 3.1.exe | 99
PID 4124 wrote to memory of 608 | 4124 CMD.exe | 101
PID 4704 wrote to memory of 4184 | 4704 Expensive 3.1.exe | 102
PID 4184 wrote to memory of 164 | 4184 CMD.exe | 104
PID 4704 wrote to memory of 3156 | 4704 Expensive 3.1.exe | 105
PID 4704 wrote to memory of 652 | 4704 Expensive 3.1.exe | 106
PID 652 wrote to memory of 4680 | 652 CMD.exe | 109
PID 3156 wrote to memory of 5076 | 3156 cmd.exe | 110
PID 4704 wrote to memory of 3052 | 4704 Expensive 3.1.exe | 111
PID 3052 wrote to memory of 2832 | 3052 cmd.exe | 113
PID 4704 wrote to memory of 1516 | 4704 Expensive 3.1.exe | 114
PID 1516 wrote to memory of 3308 | 1516 cmd.exe | 116
PID 1516 wrote to memory of 3512 | 1516 cmd.exe | 117
PID 1516 wrote to memory of 4072 | 1516 cmd.exe | 118
PID 1516 wrote to memory of 1808 | 1516 cmd.exe | 119
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

1⤵ C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe"
   - Modifies WinLogon for persistence
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 4704

   2⤵ C:\Windows\SYSTEM32\CMD.exe
      Command line: "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Discord" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" & exit
      - Suspicious use of WriteProcessMemory
      PID: 212

      3⤵ C:\Windows\system32\schtasks.exe
         Command line: SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Discord" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe"
         - Scheduled Task/Job: Scheduled Task
         PID: 4576

   2⤵ C:\Windows\SYSTEM32\CMD.exe
      Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      - Suspicious use of WriteProcessMemory
      PID: 3156

      3⤵ C:\Windows\system32\schtasks.exe
         Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
         - Scheduled Task/Job: Scheduled Task
         PID: 220

   2⤵ C:\Windows\SYSTEM32\CMD.exe
      Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Oracle VirtualBox" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdMicrosoft Project.exe" /RL HIGHEST & exit
      - Suspicious use of WriteProcessMemory
      PID: 2060

      3⤵ C:\Windows\system32\schtasks.exe
         Command line: SchTaSKs /create /f /sc minute /mo 5 /tn "Oracle VirtualBox" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdMicrosoft Project.exe" /RL HIGHEST
         - Scheduled Task/Job: Scheduled Task
         PID: 916

   2⤵ C:\Windows\SYSTEM32\CMD.exe
      Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      - Suspicious use of WriteProcessMemory
      PID: 5068

      3⤵ C:\Windows\system32\schtasks.exe
         Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
         - Scheduled Task/Job: Scheduled Task
         PID: 3336

   2⤵ C:\Windows\SYSTEM32\CMD.exe
      Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      - Suspicious use of WriteProcessMemory
      PID: 4728

      3⤵ C:\Windows\system32\schtasks.exe
         Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
         - Scheduled Task/Job: Scheduled Task
         PID: 1808

   2⤵ C:\Windows\SYSTEM32\CMD.exe
      Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      - Suspicious use of WriteProcessMemory
      PID: 4528

      3⤵ C:\Windows\system32\schtasks.exe
         Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
         - Scheduled Task/Job: Scheduled Task
         PID: 2400

   2⤵ C:\Windows\SYSTEM32\CMD.exe
      Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      - Suspicious use of WriteProcessMemory
      PID: 1680

      3⤵ C:\Windows\system32\schtasks.exe
         Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
         - Scheduled Task/Job: Scheduled Task
         PID: 2856

   2⤵ C:\Windows\SYSTEM32\CMD.exe
      Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      - Suspicious use of WriteProcessMemory
      PID: 3756

      3⤵ C:\Windows\system32\schtasks.exe
         Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
         - Scheduled Task/Job: Scheduled Task
         PID: 4948

   2⤵ C:\Windows\SYSTEM32\CMD.exe
      Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      - Suspicious use of WriteProcessMemory
      PID: 4124

      3⤵ C:\Windows\system32\schtasks.exe
         Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
         - Scheduled Task/Job: Scheduled Task
         PID: 608

   2⤵ C:\Windows\SYSTEM32\CMD.exe
      Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      - Suspicious use of WriteProcessMemory
      PID: 4184

      3⤵ C:\Windows\system32\schtasks.exe
         Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
         - Scheduled Task/Job: Scheduled Task
         PID: 164

   2⤵ C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "Discord" & exit
      - Suspicious use of WriteProcessMemory
      PID: 3156

      3⤵ C:\Windows\system32\schtasks.exe
         Command line: schtASks /deLeTe /F /Tn "Discord"
         PID: 5076

   2⤵ C:\Windows\SYSTEM32\CMD.exe
      Command line: "CMD" /C taskkill /im explorer.exe /f
      - Suspicious use of WriteProcessMemory
      PID: 652

      3⤵ C:\Windows\system32\taskkill.exe
         Command line: taskkill /im explorer.exe /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         PID: 4680

   2⤵ C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "Oracle VirtualBox" & exit
      - Suspicious use of WriteProcessMemory
      PID: 3052

      3⤵ C:\Windows\system32\schtasks.exe
         Command line: schtASks /deLeTe /F /Tn "Oracle VirtualBox"
         PID: 2832

   2⤵ C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFA2F.tmp.bat""
      - Suspicious use of WriteProcessMemory
      PID: 1516

      3⤵ C:\Windows\system32\timeout.exe
         Command line: timeout 5
         - Delays execution with timeout.exe
         PID: 3308

      3⤵ C:\Windows\explorer.exe
         Command line: explorer.exe
         - Boot or Logon Autostart Execution: Active Setup
         - Enumerates connected drives
         - Drops file in Windows directory
         - Checks SCSI registry key(s)
         - Modifies registry class
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
         PID: 3512

      3⤵ C:\Windows\system32\taskkill.exe
         Command line: taskkill /im xdwdMicrosoft SQL Server Management Studio.exe /f
         - Kills process with taskkill
         PID: 4072

      3⤵ C:\Windows\system32\timeout.exe
         Command line: timeout 3
         - Delays execution with timeout.exe
         PID: 1808

1⤵ C:\Windows\system32\wbem\WmiApSrv.exe
   Command line: C:\Windows\system32\wbem\WmiApSrv.exe
   - Suspicious behavior: EnumeratesProcesses
   PID: 4504

1⤵ C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
   Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
   - Drops file in Windows directory
   - Enumerates system info in registry
   - Modifies Internet Explorer settings
   - Modifies registry class
   - Suspicious use of SetWindowsHookEx
   PID: 5108
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    AppInit DLLs (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    AppInit DLLs (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

- Filesize: 292B
  MD5: 20ba2e08e27d0cdc75d90b0071c6feb8
  SHA1: f48fe333e8b1e4727fcc6d5b4a0e9e380be760a5
  SHA256: b45048c3906ab158feacab255842245014a6321865be2d55692e89d8ce6d517f
  SHA512: 4e51b563eec7dcc4a21aa86b95850ed025abb0174ac044754db71d6da02847b8278a643cb748040d7cd84eb2e410ac99678268f5271c8a48e8e9b2e22c570c72

- Filesize: 136KB
  MD5: 16e5a492c9c6ae34c59683be9c51fa31
  SHA1: 97031b41f5c56f371c28ae0d62a2df7d585adaba
  SHA256: 35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
  SHA512: 20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6