cryptbot | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
600s
max time network
600s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

cryptbot phorphiex zharkbot botnet credential_access discovery evasion execution loader persistence spyware stealer trojan worm

Malware Config

Extracted

Family

cryptbot

fivexc5sr.top

analforeverlovyu.top

Attributes

url_path
/v1/upload.php

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3BiS1jaRpWtkqtfZGp9f1rXXts5DyUkaBX

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
dgh345rew
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Detects ZharkBot payload 1 IoCs

ZharkBot is a botnet written C++.

resource	yara_rule
behavioral3/files/0x0003000000000707-121.dat	zharkcore

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	syslyqdvr.exe

Phorphiex payload 3 IoCs

resource	yara_rule
behavioral3/files/0x0002000000022b25-8.dat	family_phorphiex
behavioral3/files/0x000c0000000233d4-23.dat	family_phorphiex
behavioral3/files/0x000400000000073f-143.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 18 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslyqdvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslyqdvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslyqdvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslyqdvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslyqdvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslyqdvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syschvard.exe

ZharkBot
ZharkBot is a botnet written C++.
botnet zharkbot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3572	powershell.exe
440	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	syslyqdvr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	syschvard.exe

Executes dropped EXE 11 IoCs

pid	Process
2704	tt.exe
1920	sysmablsvr.exe
3016	newtpp.exe
5096	syslyqdvr.exe
4540	517032899.exe
1976	56156041.exe
5116	5_6190317556063017550.exe
1940	kitty.exe
2568	3245013623.exe
2704	syschvard.exe
2968	3305610878.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 21 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslyqdvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslyqdvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslyqdvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslyqdvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	syslyqdvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslyqdvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslyqdvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syschvard.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"	tt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syslyqdvr.exe"	newtpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syschvard.exe"	3245013623.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\sysmablsvr.exe	tt.exe
File opened for modification	C:\Windows\sysmablsvr.exe	tt.exe
File created	C:\Windows\syslyqdvr.exe	newtpp.exe
File opened for modification	C:\Windows\syslyqdvr.exe	newtpp.exe
File created	C:\Windows\syschvard.exe	3245013623.exe
File opened for modification	C:\Windows\syschvard.exe	3245013623.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3712	sc.exe
4776	sc.exe
1548	sc.exe
2488	sc.exe
2488	sc.exe
1580	sc.exe
4288	sc.exe
1616	sc.exe
3192	sc.exe
1572	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1936	1940	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syschvard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysmablsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kitty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5_6190317556063017550.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3305610878.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3245013623.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newtpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56156041.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	517032899.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syslyqdvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5_6190317556063017550.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5_6190317556063017550.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3572	powershell.exe
3572	powershell.exe
440	powershell.exe
440	powershell.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
5096	syslyqdvr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	4363463463464363463463463.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	440	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2704	4928	4363463463464363463463463.exe	89
PID 4928 wrote to memory of 2704	4928	4363463463464363463463463.exe	89
PID 4928 wrote to memory of 2704	4928	4363463463464363463463463.exe	89
PID 2704 wrote to memory of 1920	2704	tt.exe	92
PID 2704 wrote to memory of 1920	2704	tt.exe	92
PID 2704 wrote to memory of 1920	2704	tt.exe	92
PID 4928 wrote to memory of 3016	4928	4363463463464363463463463.exe	97
PID 4928 wrote to memory of 3016	4928	4363463463464363463463463.exe	97
PID 4928 wrote to memory of 3016	4928	4363463463464363463463463.exe	97
PID 3016 wrote to memory of 5096	3016	newtpp.exe	98
PID 3016 wrote to memory of 5096	3016	newtpp.exe	98
PID 3016 wrote to memory of 5096	3016	newtpp.exe	98
PID 5096 wrote to memory of 2200	5096	syslyqdvr.exe	99
PID 5096 wrote to memory of 2200	5096	syslyqdvr.exe	99
PID 5096 wrote to memory of 2200	5096	syslyqdvr.exe	99
PID 5096 wrote to memory of 1516	5096	syslyqdvr.exe	101
PID 5096 wrote to memory of 1516	5096	syslyqdvr.exe	101
PID 5096 wrote to memory of 1516	5096	syslyqdvr.exe	101
PID 2200 wrote to memory of 3572	2200	cmd.exe	103
PID 2200 wrote to memory of 3572	2200	cmd.exe	103
PID 2200 wrote to memory of 3572	2200	cmd.exe	103
PID 1516 wrote to memory of 1548	1516	cmd.exe	104
PID 1516 wrote to memory of 1548	1516	cmd.exe	104
PID 1516 wrote to memory of 1548	1516	cmd.exe	104
PID 1516 wrote to memory of 2488	1516	cmd.exe	105
PID 1516 wrote to memory of 2488	1516	cmd.exe	105
PID 1516 wrote to memory of 2488	1516	cmd.exe	105
PID 1516 wrote to memory of 4288	1516	cmd.exe	106
PID 1516 wrote to memory of 4288	1516	cmd.exe	106
PID 1516 wrote to memory of 4288	1516	cmd.exe	106
PID 1516 wrote to memory of 1616	1516	cmd.exe	107
PID 1516 wrote to memory of 1616	1516	cmd.exe	107
PID 1516 wrote to memory of 1616	1516	cmd.exe	107
PID 1516 wrote to memory of 3192	1516	cmd.exe	108
PID 1516 wrote to memory of 3192	1516	cmd.exe	108
PID 1516 wrote to memory of 3192	1516	cmd.exe	108
PID 5096 wrote to memory of 4540	5096	syslyqdvr.exe	110
PID 5096 wrote to memory of 4540	5096	syslyqdvr.exe	110
PID 5096 wrote to memory of 4540	5096	syslyqdvr.exe	110
PID 1920 wrote to memory of 1976	1920	sysmablsvr.exe	111
PID 1920 wrote to memory of 1976	1920	sysmablsvr.exe	111
PID 1920 wrote to memory of 1976	1920	sysmablsvr.exe	111
PID 4928 wrote to memory of 5116	4928	4363463463464363463463463.exe	112
PID 4928 wrote to memory of 5116	4928	4363463463464363463463463.exe	112
PID 4928 wrote to memory of 5116	4928	4363463463464363463463463.exe	112
PID 4928 wrote to memory of 1940	4928	4363463463464363463463463.exe	113
PID 4928 wrote to memory of 1940	4928	4363463463464363463463463.exe	113
PID 4928 wrote to memory of 1940	4928	4363463463464363463463463.exe	113
PID 5096 wrote to memory of 2568	5096	syslyqdvr.exe	117
PID 5096 wrote to memory of 2568	5096	syslyqdvr.exe	117
PID 5096 wrote to memory of 2568	5096	syslyqdvr.exe	117
PID 2568 wrote to memory of 2704	2568	3245013623.exe	118
PID 2568 wrote to memory of 2704	2568	3245013623.exe	118
PID 2568 wrote to memory of 2704	2568	3245013623.exe	118
PID 2704 wrote to memory of 3932	2704	syschvard.exe	119
PID 2704 wrote to memory of 3932	2704	syschvard.exe	119
PID 2704 wrote to memory of 3932	2704	syschvard.exe	119
PID 2704 wrote to memory of 4868	2704	syschvard.exe	121
PID 2704 wrote to memory of 4868	2704	syschvard.exe	121
PID 2704 wrote to memory of 4868	2704	syschvard.exe	121
PID 3932 wrote to memory of 440	3932	cmd.exe	123
PID 3932 wrote to memory of 440	3932	cmd.exe	123
PID 3932 wrote to memory of 440	3932	cmd.exe	123
PID 4868 wrote to memory of 1572	4868	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\Files\tt.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tt.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\sysmablsvr.exe
    C:\Windows\sysmablsvr.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\56156041.exe
      C:\Users\Admin\AppData\Local\Temp\56156041.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1976
- C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\syslyqdvr.exe
    C:\Windows\syslyqdvr.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2200
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1548
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2488
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4288
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1616
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3192
  - - C:\Users\Admin\AppData\Local\Temp\517032899.exe
      C:\Users\Admin\AppData\Local\Temp\517032899.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\3245013623.exe
      C:\Users\Admin\AppData\Local\Temp\3245013623.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\syschvard.exe
        
        C:\Windows\syschvard.exe
        5⤵
        Modifies security service
        Windows security bypass
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4776
      - C:\Users\Admin\AppData\Local\Temp\3305610878.exe
        
        C:\Users\Admin\AppData\Local\Temp\3305610878.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2968
- C:\Users\Admin\AppData\Local\Temp\Files\5_6190317556063017550.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\5_6190317556063017550.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5116
- C:\Users\Admin\AppData\Local\Temp\Files\kitty.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\kitty.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 488
    3⤵
    - Program crash
    PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1940 -ip 1940
1⤵
PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cf6ff169cd238f189deca8ebc71592b9

SHA1
8f416c3f9020605327796d3637c66ba93552f0c0

SHA256
6ede8f25ad20147f853bebad6cb09e99ec2c04e983f97a19e2eadbee256f4718

SHA512
91ee42e7bb760f230f14892a83eb1ef13fafa3d4925b0d29c1e82be4f99247be9b960d1a42fc85f0b5757874e66a7654efd9656d4bb967576857bc575512b248

Download Submit
C:\Users\Admin\AppData\Local\Temp\3245013623.exe

Filesize
84KB

MD5
aa63b9c3f01d3d50c77b06c75dd63f88

SHA1
e67b74385a1d67ec57f5bb3a40184ee23b251eb4

SHA256
dcc51ea4252198d176b3249339675d2ea54759d1fb9aab487bc69f56f7ba2ac1

SHA512
0e0445f3158b9501d73d201a64556dfb3db7e513bd2fc32e6b5024d7641ace63679068abdc18a19346a1338a7007ee413ce7861ad09b8db5fb40eef5ec60fda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\517032899.exe

Filesize
8KB

MD5
7c5c1bbd7fb8e463263e94d555506ee3

SHA1
37363b9dbd3c58a4c3703f6263d8c9081e01eb0d

SHA256
cee5508c8c9fd3c480fedc5ac5c929ce613ba1ebefb261ee9e49cfc4178ea63a

SHA512
732bfc5f7ba3121841fa59d229fbeeb4048614a00228950f1e7c149e965d6bd32770dc865c77c5357ae0c43e91925f4d02b6af3e818915553d4b7626af12bd51

Download Submit
C:\Users\Admin\AppData\Local\Temp\56156041.exe

Filesize
8KB

MD5
2b7c176fdb5c86fc5775992234c19891

SHA1
a63d1d54c77860ea549950d45889a3e8d96e69a6

SHA256
754a7e3428a18b46eae2f1fdd5e01501f2390afd2cd1207456a42db5e113ed73

SHA512
1346fe0af1abfa4b0ed404c3ac1174d97de2e4a7263a758f776a44e4a1811b87ec76777e21288aba128493b008d2b922706e4a0c0828139144f620dcb3983b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\5_6190317556063017550.exe

Filesize
2.7MB

MD5
eb89a69599c9d1dde409ac2b351d9a00

SHA1
a708e9a84067fd6c398ddfd0ac11ae48d9c41e4c

SHA256
e9de3019d8993801fd32f5e00492fa4f5d389100146a1f6f2d7170cb8b7afebd

SHA512
e8fcf4b8ad1747df2595aeea190e2710a42668d4cf5291fa40f67a5317cecb6d62819c9fb26c541e509f756a40858d4714936ab0c5da6ebf62024c098b0f1876

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kitty.exe

Filesize
319KB

MD5
0ec1f7cc17b6402cd2df150e0e5e92ca

SHA1
8405b9bf28accb6f1907fbe28d2536da4fba9fc9

SHA256
4c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4

SHA512
7caa2416bc7878493b62a184ddc844d201a9ab5282abfa77a616316af39ff65309e37bb566b3e29d9e764e08f4eda43a06464acaf9962f911b33e6dbc60c1861

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe

Filesize
95KB

MD5
f9d5d8b4fbeffbffead34ea87da2d1c9

SHA1
d8db7444944e63a485cbb2f1acc86c01cc40150b

SHA256
dc69f2b947673cdb4775a4ae081e009f6a713a35000e43e5fa86d5eabe99a7e4

SHA512
38ddd39867a0d437e847c29469f3599c7c2f0ca61efebbfbae6d3898e130dd33e57ee2c036847ac0f9e3b1a3fd463d409f7ed3b3f6edeb8202cd10f705079723

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tt.exe

Filesize
88KB

MD5
ababca6d12d96e8dd2f1d7114b406fae

SHA1
dcd9798e83ec688aacb3de8911492a232cb41a32

SHA256
a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

SHA512
b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kiumj1fk.2gh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\tbtcmds.dat

Filesize
285B

MD5
af71fb92892fe37aa906f0d48e4f8b4d

SHA1
1feecb0f39cbe1f56e7d5ad7e324fdc2995c630b

SHA256
dd9defbb2742d48497b4bfa60d60164795a325c639e19472cd3a1d83b88a80cd

SHA512
e0940bc407b299111cb32166303accfd900fbf4e227965fa69c54f46315567e07c286b9d348dc2bbdd594b7fd56bf52e5d0c758a31bdd8bacb1afdecb81dbac7

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
e4bf16bc8991723e22a0fac5cd199bca

SHA1
f20551d18f95d5b9e4db0b36eda2f613b9fe8634

SHA256
1f5f1dd53bccaf509f2657a6b8eec4e774288248bd67fcd1690cb078cb4b9b1c

SHA512
431896a09f6574b5d75600b4b21f6c7d26e741dcf118410338f997b0019deff79115b7d0e8c3eaab5ed652abd897908d1483b6b8745795b2a4ebf7dabc68d469

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
a74f720fe1bb1d1baad8449241453df3

SHA1
a5229724ae3d96515a49af9986da2da6d7ea355b

SHA256
beaae81714a50e4a77e039c9565f6d84f94d1234265975fe9f5e1786392309af

SHA512
8393f2c0a0438b2252de8d1d3265340827113e5d0d70d3edea76a60d35c089d62bb4ae6a0613cbad26267bc40ef6e9de1768ee50a47a1e77d5cbc4d9bbea9a72

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
3KB

MD5
8f585cfd4bcb25d0c06778ef82f37804

SHA1
3e7f6d52f672a3f17d7da0d2f141fcb44d621b0a

SHA256
9fe63f3bb2d7a142c208fe8e9978b8cc2a7de22cf5256fd60581bb461614d1be

SHA512
057a5c7985a9ccab37258b5f49a7bfe814b82e4bcddef200ab1ee19e78bc61c173821059e0b410cb3cb44c2dd55adc72300ed8b2908da596d64eb8ad36d1532a

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
e2be529f9f2ab5b0f1c42789f42514df

SHA1
417d90a2dc407942b2a1df4726ddaa15bac3a016

SHA256
062836ccac74f2ebacf926c12e53845e7492152a6c5a810fd2106295ba061034

SHA512
cbf632911cc99960410d989cf4a01d7fc17db2237fd55075d1c70818c6f123ee011bce397012945b93fb2286a9fa46d0168b15ebfcb8eaa14e40d005264be652

Download Submit
memory/440-177-0x0000000007EC0000-0x0000000007ED4000-memory.dmp

Filesize
80KB

Download
memory/440-162-0x0000000006510000-0x0000000006864000-memory.dmp

Filesize
3.3MB

Download
memory/440-164-0x0000000006AB0000-0x0000000006AFC000-memory.dmp

Filesize
304KB

Download
memory/440-165-0x000000006F2F0000-0x000000006F33C000-memory.dmp

Filesize
304KB

Download
memory/440-175-0x0000000007950000-0x00000000079F3000-memory.dmp

Filesize
652KB

Download
memory/440-176-0x0000000007E80000-0x0000000007E91000-memory.dmp

Filesize
68KB

Download
memory/3572-36-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/3572-32-0x0000000002E90000-0x0000000002EC6000-memory.dmp

Filesize
216KB

Download
memory/3572-64-0x0000000007810000-0x000000000781A000-memory.dmp

Filesize
40KB

Download
memory/3572-65-0x0000000007A20000-0x0000000007AB6000-memory.dmp

Filesize
600KB

Download
memory/3572-66-0x00000000079B0000-0x00000000079C1000-memory.dmp

Filesize
68KB

Download
memory/3572-67-0x00000000079E0000-0x00000000079EE000-memory.dmp

Filesize
56KB

Download
memory/3572-68-0x00000000079F0000-0x0000000007A04000-memory.dmp

Filesize
80KB

Download
memory/3572-69-0x0000000007AE0000-0x0000000007AFA000-memory.dmp

Filesize
104KB

Download
memory/3572-70-0x0000000007AC0000-0x0000000007AC8000-memory.dmp

Filesize
32KB

Download
memory/3572-62-0x0000000007E50000-0x00000000084CA000-memory.dmp

Filesize
6.5MB

Download
memory/3572-61-0x00000000076D0000-0x0000000007773000-memory.dmp

Filesize
652KB

Download
memory/3572-60-0x0000000006A50000-0x0000000006A6E000-memory.dmp

Filesize
120KB

Download
memory/3572-50-0x000000006F4D0000-0x000000006F51C000-memory.dmp

Filesize
304KB

Download
memory/3572-49-0x0000000006A70000-0x0000000006AA2000-memory.dmp

Filesize
200KB

Download
memory/3572-48-0x00000000064B0000-0x00000000064FC000-memory.dmp

Filesize
304KB

Download
memory/3572-63-0x00000000077A0000-0x00000000077BA000-memory.dmp

Filesize
104KB

Download
memory/3572-47-0x0000000006470000-0x000000000648E000-memory.dmp

Filesize
120KB

Download
memory/3572-46-0x0000000006000000-0x0000000006354000-memory.dmp

Filesize
3.3MB

Download
memory/3572-33-0x0000000005750000-0x0000000005D78000-memory.dmp

Filesize
6.2MB

Download
memory/3572-35-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/3572-34-0x00000000054C0000-0x00000000054E2000-memory.dmp

Filesize
136KB

Download
memory/4928-0-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/4928-18-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4928-17-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/4928-3-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4928-2-0x0000000005880000-0x000000000591C000-memory.dmp

Filesize
624KB

Download
memory/4928-1-0x0000000000F00000-0x0000000000F08000-memory.dmp

Filesize
32KB

Download
memory/5116-125-0x0000000000400000-0x0000000000C62000-memory.dmp

Filesize
8.4MB

Download
memory/5116-181-0x0000000000400000-0x0000000000C62000-memory.dmp

Filesize
8.4MB

Download
memory/5116-210-0x0000000000400000-0x0000000000C62000-memory.dmp

Filesize
8.4MB

Download
memory/5116-246-0x0000000000400000-0x0000000000C62000-memory.dmp

Filesize
8.4MB

Download