ed2be8c7b8aa15f1e3bc399b9aaadbdbb16374e0be30d0200d4f39998f1f25a8

Resubmissions

25/07/2024, 14:37

240725-rzbyvatfmn 10

25/07/2024, 14:37

25/07/2024, 14:37

25/07/2024, 14:36

25/07/2024, 14:36

25/07/2024, 14:36

25/07/2024, 14:36

25/07/2024, 14:35

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nursultan 3.0.exe
Size

347KB
MD5

3500fc8f168c23e6170117e6b779ed52
SHA1

0109abb6ff102e3b8f17bfac07f599d787af8663
SHA256

ed2be8c7b8aa15f1e3bc399b9aaadbdbb16374e0be30d0200d4f39998f1f25a8
SHA512

3d1e2600f1e2b077ab24ed017dee2313f14b34a7c193d8db19a93bb3cc6cd95b620b50c2ab300e958afbeea1fa1d133758664282f60b97b583d748baf056e85f
SSDEEP

6144:igpFNojFilyzigCEcL6hl9he6VlWT8b9G3T8JUKvDbwmb0h6XW:T8Ri4h3hPVle84AWcIeXW

Score

10^/10

credential_access discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\xdwdMicrosoft SQL Server Management Studio.exe"	Nursultan 3.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe"	Nursultan 3.0.exe

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\xdwdMicrosoft Project.exe"	Nursultan 3.0.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	Nursultan 3.0.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2476	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1768	taskkill.exe
1952	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2140	schtasks.exe
2420	schtasks.exe
2076	schtasks.exe
1100	schtasks.exe
968	schtasks.exe
2824	schtasks.exe
588	schtasks.exe
2284	schtasks.exe
1820	schtasks.exe
2576	schtasks.exe
1520	schtasks.exe
1768	schtasks.exe
2216	schtasks.exe
1164	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1520	schtasks.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
648	CMD.exe
2824	schtasks.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2452	CMD.exe
2220	Nursultan 3.0.exe
588	schtasks.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2280	WmiApSrv.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
2220	Nursultan 3.0.exe
1272	CMD.exe
2420	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
580	explorer.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	Nursultan 3.0.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeShutdownPrivilege	580	explorer.exe
Token: SeShutdownPrivilege	580	explorer.exe
Token: SeShutdownPrivilege	580	explorer.exe
Token: SeShutdownPrivilege	580	explorer.exe
Token: SeShutdownPrivilege	580	explorer.exe
Token: SeShutdownPrivilege	580	explorer.exe
Token: SeShutdownPrivilege	580	explorer.exe
Token: SeShutdownPrivilege	580	explorer.exe
Token: SeShutdownPrivilege	580	explorer.exe
Token: SeShutdownPrivilege	580	explorer.exe
Token: 33	2796	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2796	AUDIODG.EXE
Token: 33	2796	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2796	AUDIODG.EXE
Token: SeShutdownPrivilege	580	explorer.exe
Token: SeShutdownPrivilege	580	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2620	2220	Nursultan 3.0.exe	31
PID 2220 wrote to memory of 2620	2220	Nursultan 3.0.exe	31
PID 2220 wrote to memory of 2620	2220	Nursultan 3.0.exe	31
PID 2620 wrote to memory of 2576	2620	CMD.exe	33
PID 2620 wrote to memory of 2576	2620	CMD.exe	33
PID 2620 wrote to memory of 2576	2620	CMD.exe	33
PID 2220 wrote to memory of 2360	2220	Nursultan 3.0.exe	34
PID 2220 wrote to memory of 2360	2220	Nursultan 3.0.exe	34
PID 2220 wrote to memory of 2360	2220	Nursultan 3.0.exe	34
PID 2360 wrote to memory of 2140	2360	CMD.exe	36
PID 2360 wrote to memory of 2140	2360	CMD.exe	36
PID 2360 wrote to memory of 2140	2360	CMD.exe	36
PID 2220 wrote to memory of 2052	2220	Nursultan 3.0.exe	37
PID 2220 wrote to memory of 2052	2220	Nursultan 3.0.exe	37
PID 2220 wrote to memory of 2052	2220	Nursultan 3.0.exe	37
PID 2052 wrote to memory of 1520	2052	CMD.exe	39
PID 2052 wrote to memory of 1520	2052	CMD.exe	39
PID 2052 wrote to memory of 1520	2052	CMD.exe	39
PID 2220 wrote to memory of 648	2220	Nursultan 3.0.exe	40
PID 2220 wrote to memory of 648	2220	Nursultan 3.0.exe	40
PID 2220 wrote to memory of 648	2220	Nursultan 3.0.exe	40
PID 648 wrote to memory of 2824	648	CMD.exe	42
PID 648 wrote to memory of 2824	648	CMD.exe	42
PID 648 wrote to memory of 2824	648	CMD.exe	42
PID 2220 wrote to memory of 2452	2220	Nursultan 3.0.exe	43
PID 2220 wrote to memory of 2452	2220	Nursultan 3.0.exe	43
PID 2220 wrote to memory of 2452	2220	Nursultan 3.0.exe	43
PID 2452 wrote to memory of 588	2452	CMD.exe	45
PID 2452 wrote to memory of 588	2452	CMD.exe	45
PID 2452 wrote to memory of 588	2452	CMD.exe	45
PID 2220 wrote to memory of 1272	2220	Nursultan 3.0.exe	47
PID 2220 wrote to memory of 1272	2220	Nursultan 3.0.exe	47
PID 2220 wrote to memory of 1272	2220	Nursultan 3.0.exe	47
PID 1272 wrote to memory of 2420	1272	CMD.exe	49
PID 1272 wrote to memory of 2420	1272	CMD.exe	49
PID 1272 wrote to memory of 2420	1272	CMD.exe	49
PID 2220 wrote to memory of 2000	2220	Nursultan 3.0.exe	50
PID 2220 wrote to memory of 2000	2220	Nursultan 3.0.exe	50
PID 2220 wrote to memory of 2000	2220	Nursultan 3.0.exe	50
PID 2000 wrote to memory of 1768	2000	CMD.exe	52
PID 2000 wrote to memory of 1768	2000	CMD.exe	52
PID 2000 wrote to memory of 1768	2000	CMD.exe	52
PID 2220 wrote to memory of 2884	2220	Nursultan 3.0.exe	53
PID 2220 wrote to memory of 2884	2220	Nursultan 3.0.exe	53
PID 2220 wrote to memory of 2884	2220	Nursultan 3.0.exe	53
PID 2884 wrote to memory of 2284	2884	CMD.exe	55
PID 2884 wrote to memory of 2284	2884	CMD.exe	55
PID 2884 wrote to memory of 2284	2884	CMD.exe	55
PID 2220 wrote to memory of 672	2220	Nursultan 3.0.exe	56
PID 2220 wrote to memory of 672	2220	Nursultan 3.0.exe	56
PID 2220 wrote to memory of 672	2220	Nursultan 3.0.exe	56
PID 672 wrote to memory of 2216	672	CMD.exe	58
PID 672 wrote to memory of 2216	672	CMD.exe	58
PID 672 wrote to memory of 2216	672	CMD.exe	58
PID 2220 wrote to memory of 2640	2220	Nursultan 3.0.exe	59
PID 2220 wrote to memory of 2640	2220	Nursultan 3.0.exe	59
PID 2220 wrote to memory of 2640	2220	Nursultan 3.0.exe	59
PID 2640 wrote to memory of 2076	2640	CMD.exe	61
PID 2640 wrote to memory of 2076	2640	CMD.exe	61
PID 2640 wrote to memory of 2076	2640	CMD.exe	61
PID 2220 wrote to memory of 876	2220	Nursultan 3.0.exe	62
PID 2220 wrote to memory of 876	2220	Nursultan 3.0.exe	62
PID 2220 wrote to memory of 876	2220	Nursultan 3.0.exe	62
PID 876 wrote to memory of 1100	876	CMD.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nursultan 3.0.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan 3.0.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\system32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Discord" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Discord" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2576
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2140
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Oracle VirtualBox" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdMicrosoft Project.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Oracle VirtualBox" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdMicrosoft Project.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1520
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2824
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:588
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2420
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1768
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2284
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2216
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2076
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1100
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:2948
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1820
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:2324
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1164
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:944
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "Discord" & exit
  2⤵
  PID:1352
- - C:\Windows\system32\schtasks.exe
    schtASks /deLeTe /F /Tn "Discord"
    3⤵
    PID:2068
- C:\Windows\system32\CMD.exe
  "CMD" /C taskkill /im explorer.exe /f
  2⤵
  PID:1788
- - C:\Windows\system32\taskkill.exe
    taskkill /im explorer.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "Oracle VirtualBox" & exit
  2⤵
  PID:376
- - C:\Windows\system32\schtasks.exe
    schtASks /deLeTe /F /Tn "Oracle VirtualBox"
    3⤵
    PID:1984
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD02B.tmp.bat""
  2⤵
  PID:1652
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:2476
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:580
- - C:\Windows\system32\taskkill.exe
    taskkill /im xdwdMicrosoft SQL Server Management Studio.exe /f
    3⤵
    - Kills process with taskkill
    PID:1952

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2280

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5d4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD02B.tmp.bat

Filesize
292B

MD5
800125b163ba17394a05db82b208c5fd

SHA1
0df073685cbb64d7d454f1ae3d9c5884a6f711e5

SHA256
0e7de7a56818071b334f06bd9cdd4779824d9cf206fbcfa13ee8f4ae003efabe

SHA512
a64f6c8105b2ed5cbb59a80e2ad54e739bccefd7b8d52c60d33355567e065e64e70a220652eb92c6612acc2710b5dde563eea3f65b2bc8a9897aa2808b39f5b4

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/588-93-0x000007FEF6FA0000-0x000007FEF6FC2000-memory.dmp

Filesize
136KB

Download
memory/648-66-0x000007FEF6F70000-0x000007FEF6F92000-memory.dmp

Filesize
136KB

Download
memory/672-228-0x000007FEF2620000-0x000007FEF2642000-memory.dmp

Filesize
136KB

Download
memory/876-294-0x000007FEF25A0000-0x000007FEF25C2000-memory.dmp

Filesize
136KB

Download
memory/944-390-0x000007FEF5EC0000-0x000007FEF5EE2000-memory.dmp

Filesize
136KB

Download
memory/968-389-0x000007FEF5EC0000-0x000007FEF5EE2000-memory.dmp

Filesize
136KB

Download
memory/1100-293-0x000007FEF25A0000-0x000007FEF25C2000-memory.dmp

Filesize
136KB

Download
memory/1164-357-0x000007FEF25A0000-0x000007FEF25C2000-memory.dmp

Filesize
136KB

Download
memory/1272-128-0x000007FEF5EC0000-0x000007FEF5EE2000-memory.dmp

Filesize
136KB

Download
memory/1520-53-0x000007FEF6FA0000-0x000007FEF6FC2000-memory.dmp

Filesize
136KB

Download
memory/1768-158-0x000007FEF2620000-0x000007FEF2642000-memory.dmp

Filesize
136KB

Download
memory/1820-326-0x000007FEF5EC0000-0x000007FEF5EE2000-memory.dmp

Filesize
136KB

Download
memory/2000-159-0x000007FEF2620000-0x000007FEF2642000-memory.dmp

Filesize
136KB

Download
memory/2076-260-0x000007FEF5EC0000-0x000007FEF5EE2000-memory.dmp

Filesize
136KB

Download
memory/2216-227-0x000007FEF2620000-0x000007FEF2642000-memory.dmp

Filesize
136KB

Download
memory/2220-0-0x000007FEF5273000-0x000007FEF5274000-memory.dmp

Filesize
4KB

Download
memory/2220-54-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-236-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-74-0x000007FEF5273000-0x000007FEF5274000-memory.dmp

Filesize
4KB

Download
memory/2220-266-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/2220-1-0x0000000000E30000-0x0000000000E8C000-memory.dmp

Filesize
368KB

Download
memory/2220-425-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-107-0x000007FEF0EE0000-0x000007FEF0F02000-memory.dmp

Filesize
136KB

Download
memory/2284-190-0x000007FEF5EC0000-0x000007FEF5EE2000-memory.dmp

Filesize
136KB

Download
memory/2324-359-0x000007FEF25A0000-0x000007FEF25C2000-memory.dmp

Filesize
136KB

Download
memory/2420-126-0x000007FEF5EC0000-0x000007FEF5EE2000-memory.dmp

Filesize
136KB

Download
memory/2452-94-0x000007FEF6FA0000-0x000007FEF6FC2000-memory.dmp

Filesize
136KB

Download
memory/2640-261-0x000007FEF5EC0000-0x000007FEF5EE2000-memory.dmp

Filesize
136KB

Download
memory/2824-65-0x000007FEF6F70000-0x000007FEF6F92000-memory.dmp

Filesize
136KB

Download
memory/2884-192-0x000007FEF5EC0000-0x000007FEF5EE2000-memory.dmp

Filesize
136KB

Download
memory/2948-327-0x000007FEF5EC0000-0x000007FEF5EE2000-memory.dmp

Filesize
136KB

Download