Analysis
-
max time kernel
120s -
max time network
114s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
03-10-2024 09:09
Behavioral task
behavioral1
Sample
b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe
Resource
win10v2004-20240802-en
General
-
Target
b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe
-
Size
5.5MB
-
MD5
bb03e8f97d4a17dedc001090c096ff60
-
SHA1
dfe5de118a5f8ef8fd38d8748b1f28a5c14f04df
-
SHA256
b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57
-
SHA512
d8fa1be73c86e03530a6b0bde7b95f0f4d62891af96d4fe905856ad6997121574ce5d9ab9c7bbc07b8245899667888028d45576f862e5593b61ac9e4dab37b9b
-
SSDEEP
98304:VTcW6I+2hiVK/Frlc328jTU5F4sb7nZ/BsfBi0XsPmVMqyPcWeY5X8:lcRI+2hGKBY2dF4sb7nRefB/8+mkfY5s
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1216442245281087579/WdcHykTG9s553QUy8I1Ile3cHRoWrt03OHQcBjEQwILw3YwXPawFgdx__0VddKqHYPd1
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1036 powershell.exe 1356 powershell.exe 1980 powershell.exe 2336 powershell.exe -
Creates new service(s) 2 TTPs
-
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHRAJGDI\ImagePath = "C:\\ProgramData\\nalfdgwigwyg\\lhhsgwktkatl.exe" services.exe -
Executes dropped EXE 4 IoCs
pid Process 1724 Insidious.exe 2984 Wubo.exe 2360 lhhsgwktkatl.exe 1556 lhhsgwktkatl.exe -
Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
description ioc Process File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx svchost.exe -
Loads dropped DLL 5 IoCs
pid Process 2300 b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe 2300 b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe 2300 b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe 476 services.exe 476 services.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc 11 raw.githubusercontent.com 14 raw.githubusercontent.com 15 raw.githubusercontent.com 16 raw.githubusercontent.com 20 raw.githubusercontent.com 10 raw.githubusercontent.com 13 raw.githubusercontent.com 17 raw.githubusercontent.com 18 raw.githubusercontent.com 19 raw.githubusercontent.com 12 raw.githubusercontent.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 freegeoip.app 5 freegeoip.app -
Power Settings 1 TTPs 12 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 1232 powercfg.exe 276 powercfg.exe 968 powercfg.exe 1548 powercfg.exe 2204 powercfg.exe 2100 powercfg.exe 2252 powercfg.exe 2080 powercfg.exe 2288 powercfg.exe 740 powercfg.exe 2228 powercfg.exe 304 powercfg.exe -
Drops file in System32 directory 7 IoCs
description ioc Process File opened for modification C:\Windows\system32\MRT.exe lhhsgwktkatl.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\MRT.exe lhhsgwktkatl.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\MRT.exe Wubo.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 2984 set thread context of 1152 2984 Wubo.exe 56 PID 2360 set thread context of 988 2360 lhhsgwktkatl.exe 87 PID 2360 set thread context of 1372 2360 lhhsgwktkatl.exe 90 PID 2360 set thread context of 2604 2360 lhhsgwktkatl.exe 91 PID 1556 set thread context of 1120 1556 lhhsgwktkatl.exe 114 PID 1556 set thread context of 2656 1556 lhhsgwktkatl.exe 119 -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\wusa.lock wusa.exe File opened for modification C:\Windows\appcompat\programs\RecentFileCache.bcf svchost.exe File created C:\Windows\wusa.lock wusa.exe File created C:\Windows\wusa.lock wusa.exe -
Launches sc.exe 19 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1520 sc.exe 2876 sc.exe 2160 sc.exe 1848 sc.exe 2140 sc.exe 292 sc.exe 1540 sc.exe 1512 sc.exe 3012 sc.exe 1140 sc.exe 2032 sc.exe 2400 sc.exe 1840 sc.exe 1464 sc.exe 1040 sc.exe 2812 sc.exe 552 sc.exe 2720 sc.exe 2640 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wmiprvse.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Insidious.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Insidious.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wmiprvse.exe -
Modifies data under HKEY_USERS 6 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\Certificates dialer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CRLs dialer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CTLs dialer.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a053f8027415db01 powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT dialer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1724 Insidious.exe 1724 Insidious.exe 1724 Insidious.exe 1724 Insidious.exe 2984 Wubo.exe 1356 powershell.exe 2984 Wubo.exe 2984 Wubo.exe 2984 Wubo.exe 2984 Wubo.exe 2984 Wubo.exe 2984 Wubo.exe 2984 Wubo.exe 2984 Wubo.exe 2984 Wubo.exe 2984 Wubo.exe 2984 Wubo.exe 2984 Wubo.exe 1152 dialer.exe 1152 dialer.exe 1152 dialer.exe 1152 dialer.exe 1152 dialer.exe 1152 dialer.exe 1152 dialer.exe 1152 dialer.exe 2984 Wubo.exe 2984 Wubo.exe 2984 Wubo.exe 1152 dialer.exe 1152 dialer.exe 2360 lhhsgwktkatl.exe 1152 dialer.exe 1152 dialer.exe 1980 powershell.exe 1152 dialer.exe 1152 dialer.exe 1152 dialer.exe 1152 dialer.exe 1152 dialer.exe 1152 dialer.exe 2360 lhhsgwktkatl.exe 2360 lhhsgwktkatl.exe 2360 lhhsgwktkatl.exe 2360 lhhsgwktkatl.exe 2360 lhhsgwktkatl.exe 2360 lhhsgwktkatl.exe 2360 lhhsgwktkatl.exe 2360 lhhsgwktkatl.exe 2360 lhhsgwktkatl.exe 2360 lhhsgwktkatl.exe 2360 lhhsgwktkatl.exe 2360 lhhsgwktkatl.exe 2360 lhhsgwktkatl.exe 988 dialer.exe 988 dialer.exe 988 dialer.exe 988 dialer.exe 988 dialer.exe 988 dialer.exe 988 dialer.exe 988 dialer.exe 988 dialer.exe 988 dialer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1724 Insidious.exe Token: SeDebugPrivilege 1356 powershell.exe Token: SeShutdownPrivilege 1232 powercfg.exe Token: SeDebugPrivilege 1152 dialer.exe Token: SeShutdownPrivilege 276 powercfg.exe Token: SeShutdownPrivilege 2100 powercfg.exe Token: SeShutdownPrivilege 968 powercfg.exe Token: SeAuditPrivilege 820 svchost.exe Token: SeDebugPrivilege 1980 powershell.exe Token: SeDebugPrivilege 988 dialer.exe Token: SeShutdownPrivilege 740 powercfg.exe Token: SeShutdownPrivilege 2080 powercfg.exe Token: SeShutdownPrivilege 2252 powercfg.exe Token: SeShutdownPrivilege 2288 powercfg.exe Token: SeAuditPrivilege 820 svchost.exe Token: SeDebugPrivilege 2336 powershell.exe Token: SeAuditPrivilege 820 svchost.exe Token: SeDebugPrivilege 1036 powershell.exe Token: SeShutdownPrivilege 2228 powercfg.exe Token: SeDebugPrivilege 1120 dialer.exe Token: SeShutdownPrivilege 2204 powercfg.exe Token: SeShutdownPrivilege 304 powercfg.exe Token: SeShutdownPrivilege 1548 powercfg.exe Token: SeLockMemoryPrivilege 2656 dialer.exe Token: SeAssignPrimaryTokenPrivilege 820 svchost.exe Token: SeIncreaseQuotaPrivilege 820 svchost.exe Token: SeSecurityPrivilege 820 svchost.exe Token: SeTakeOwnershipPrivilege 820 svchost.exe Token: SeLoadDriverPrivilege 820 svchost.exe Token: SeSystemtimePrivilege 820 svchost.exe Token: SeBackupPrivilege 820 svchost.exe Token: SeRestorePrivilege 820 svchost.exe Token: SeShutdownPrivilege 820 svchost.exe Token: SeSystemEnvironmentPrivilege 820 svchost.exe Token: SeUndockPrivilege 820 svchost.exe Token: SeManageVolumePrivilege 820 svchost.exe Token: SeAssignPrimaryTokenPrivilege 820 svchost.exe Token: SeIncreaseQuotaPrivilege 820 svchost.exe Token: SeSecurityPrivilege 820 svchost.exe Token: SeTakeOwnershipPrivilege 820 svchost.exe Token: SeLoadDriverPrivilege 820 svchost.exe Token: SeSystemtimePrivilege 820 svchost.exe Token: SeBackupPrivilege 820 svchost.exe Token: SeRestorePrivilege 820 svchost.exe Token: SeShutdownPrivilege 820 svchost.exe Token: SeSystemEnvironmentPrivilege 820 svchost.exe Token: SeUndockPrivilege 820 svchost.exe Token: SeManageVolumePrivilege 820 svchost.exe Token: SeAssignPrimaryTokenPrivilege 820 svchost.exe Token: SeIncreaseQuotaPrivilege 820 svchost.exe Token: SeSecurityPrivilege 820 svchost.exe Token: SeTakeOwnershipPrivilege 820 svchost.exe Token: SeLoadDriverPrivilege 820 svchost.exe Token: SeSystemtimePrivilege 820 svchost.exe Token: SeBackupPrivilege 820 svchost.exe Token: SeRestorePrivilege 820 svchost.exe Token: SeShutdownPrivilege 820 svchost.exe Token: SeSystemEnvironmentPrivilege 820 svchost.exe Token: SeUndockPrivilege 820 svchost.exe Token: SeManageVolumePrivilege 820 svchost.exe Token: SeAssignPrimaryTokenPrivilege 820 svchost.exe Token: SeIncreaseQuotaPrivilege 820 svchost.exe Token: SeSecurityPrivilege 820 svchost.exe Token: SeTakeOwnershipPrivilege 820 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2300 wrote to memory of 1724 2300 b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe 30 PID 2300 wrote to memory of 1724 2300 b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe 30 PID 2300 wrote to memory of 1724 2300 b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe 30 PID 2300 wrote to memory of 1724 2300 b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe 30 PID 2300 wrote to memory of 2984 2300 b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe 31 PID 2300 wrote to memory of 2984 2300 b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe 31 PID 2300 wrote to memory of 2984 2300 b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe 31 PID 2300 wrote to memory of 2984 2300 b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe 31 PID 628 wrote to memory of 2896 628 cmd.exe 41 PID 628 wrote to memory of 2896 628 cmd.exe 41 PID 628 wrote to memory of 2896 628 cmd.exe 41 PID 2984 wrote to memory of 1152 2984 Wubo.exe 56 PID 2984 wrote to memory of 1152 2984 Wubo.exe 56 PID 2984 wrote to memory of 1152 2984 Wubo.exe 56 PID 2984 wrote to memory of 1152 2984 Wubo.exe 56 PID 2984 wrote to memory of 1152 2984 Wubo.exe 56 PID 2984 wrote to memory of 1152 2984 Wubo.exe 56 PID 2984 wrote to memory of 1152 2984 Wubo.exe 56 PID 1152 wrote to memory of 424 1152 dialer.exe 5 PID 1152 wrote to memory of 476 1152 dialer.exe 6 PID 1152 wrote to memory of 492 1152 dialer.exe 7 PID 1152 wrote to memory of 500 1152 dialer.exe 8 PID 1152 wrote to memory of 596 1152 dialer.exe 9 PID 1152 wrote to memory of 672 1152 dialer.exe 10 PID 1152 wrote to memory of 756 1152 dialer.exe 11 PID 1152 wrote to memory of 792 1152 dialer.exe 12 PID 1152 wrote to memory of 820 1152 dialer.exe 13 PID 1152 wrote to memory of 956 1152 dialer.exe 15 PID 1152 wrote to memory of 1020 1152 dialer.exe 16 PID 1152 wrote to memory of 316 1152 dialer.exe 17 PID 1152 wrote to memory of 1000 1152 dialer.exe 18 PID 1152 wrote to memory of 1244 1152 dialer.exe 19 PID 1152 wrote to memory of 1340 1152 dialer.exe 20 PID 1152 wrote to memory of 1396 1152 dialer.exe 21 PID 1152 wrote to memory of 1700 1152 dialer.exe 23 PID 1152 wrote to memory of 564 1152 dialer.exe 24 PID 1152 wrote to memory of 1188 1152 dialer.exe 25 PID 1152 wrote to memory of 2512 1152 dialer.exe 26 PID 1152 wrote to memory of 2540 1152 dialer.exe 27 PID 1152 wrote to memory of 2984 1152 dialer.exe 31 PID 1152 wrote to memory of 2232 1152 dialer.exe 32 PID 1152 wrote to memory of 1232 1152 dialer.exe 48 PID 1152 wrote to memory of 276 1152 dialer.exe 49 PID 1152 wrote to memory of 2100 1152 dialer.exe 50 PID 1152 wrote to memory of 968 1152 dialer.exe 51 PID 1152 wrote to memory of 1168 1152 dialer.exe 52 PID 1152 wrote to memory of 1648 1152 dialer.exe 53 PID 1152 wrote to memory of 1508 1152 dialer.exe 54 PID 1152 wrote to memory of 2220 1152 dialer.exe 55 PID 1152 wrote to memory of 2140 1152 dialer.exe 57 PID 1152 wrote to memory of 2040 1152 dialer.exe 58 PID 1152 wrote to memory of 1140 1152 dialer.exe 61 PID 1152 wrote to memory of 1464 1152 dialer.exe 62 PID 1152 wrote to memory of 808 1152 dialer.exe 63 PID 476 wrote to memory of 2360 476 services.exe 100 PID 476 wrote to memory of 2360 476 services.exe 100 PID 476 wrote to memory of 2360 476 services.exe 100 PID 1152 wrote to memory of 2360 1152 dialer.exe 100 PID 1152 wrote to memory of 2360 1152 dialer.exe 100 PID 1152 wrote to memory of 1980 1152 dialer.exe 66 PID 1152 wrote to memory of 2480 1152 dialer.exe 67 PID 844 wrote to memory of 2192 844 cmd.exe 73 PID 844 wrote to memory of 2192 844 cmd.exe 73 PID 844 wrote to memory of 2192 844 cmd.exe 73
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:424
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:476 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵PID:596
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe3⤵PID:564
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}3⤵PID:1188
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding3⤵
- Checks processor information in registry
PID:2232
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵PID:672
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
- Indicator Removal: Clear Windows Event Logs
PID:756
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵PID:792
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"3⤵PID:1340
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:820
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵PID:956
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵PID:1020
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵PID:316
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵PID:1000
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵PID:1244
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"2⤵PID:1700
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵PID:2512
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵PID:2540
-
-
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exeC:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2360 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
- Drops file in Windows directory
PID:2192
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
PID:1520
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:292
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
PID:2160
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
PID:1040
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
PID:2640
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:740
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2080
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2252
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe3⤵PID:1372
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
-
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe"C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:1556 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵PID:1228
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵
- Drops file in Windows directory
PID:2916
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc5⤵
- Launches sc.exe
PID:2032
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc5⤵
- Launches sc.exe
PID:2812
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv5⤵
- Launches sc.exe
PID:1540
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits5⤵
- Launches sc.exe
PID:552
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc5⤵
- Launches sc.exe
PID:2400
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:304
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2204
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1120
-
-
C:\Windows\system32\dialer.exedialer.exe5⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2656
-
-
-
-
C:\Windows\system32\dialer.exedialer.exe3⤵PID:2604
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:492
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵PID:500
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1396
-
C:\Users\Admin\AppData\Local\Temp\b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe"C:\Users\Admin\AppData\Local\Temp\b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\Insidious.exe"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724
-
-
C:\Users\Admin\AppData\Local\Temp\Wubo.exe"C:\Users\Admin\AppData\Local\Temp\Wubo.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵
- Drops file in Windows directory
PID:2896
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:2720
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:2876
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:1512
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:3012
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:1848
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1232
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:276
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:968
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "QHRAJGDI"4⤵
- Launches sc.exe
PID:2140
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"4⤵
- Launches sc.exe
PID:1840
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:1140
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "QHRAJGDI"4⤵
- Launches sc.exe
PID:1464
-
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1570450323258727314-15443257601778391959-1300631555-1388805083-12658505021171234592"1⤵PID:1168
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-9400579931885651341406501582012991258362302045877641304-1672118250-773726196"1⤵PID:1648
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-522021324-1940345535935568101-1591565827-1658622688-18539351-455313225-200462350"1⤵PID:1508
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "5426935606342423371160707345-269932337-348493533624560473-252607252-354128486"1⤵PID:2220
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-112086606-1240579222325872177-3308115111969393853-241126641776054600653605188"1⤵PID:2040
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1196560038-10496399708290468-403338189-155590711618351166561111449081623205777"1⤵PID:808
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "179756739514492896663786526611406527907118289053089966621517372263921931679617"1⤵PID:2480
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1266033870-1921969293-2302488331111029490181239521218179247321944522556354937877"1⤵PID:1936
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "15856675661636870774-40843576116030867101764910077-1029385602-11641417171259276676"1⤵PID:2884
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-3367058251317712382314616356-437849463-386221319-1186369956611093617918230115"1⤵PID:2448
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-947528091-2001746626-1385135482329633264-146848182014103220323040334-2144454745"1⤵PID:1736
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2088882916854563208-316032878-587541055-538688876-1489407137-1595806271-808671095"1⤵PID:1624
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-133970883017092785761298155539125221471617947022-1032005393-1356229259-1271592236"1⤵PID:1656
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2047863329-1337230810-939705755-1392268708-1318318427-79431710215894632057893156"1⤵PID:2360
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1344620939-545154909713314393-32656516618216367341657446314-1581774067520457589"1⤵PID:2332
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1827863452-5016927482864896751516915418450762484-101846905-1630069656376820142"1⤵PID:1972
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2091827111-764773168-19371826541538895270-1004661312103646332-1560512631692657570"1⤵PID:1956
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "17498961881456946710-1271407409174718541715846943-154265432811354160-1190033483"1⤵PID:2392
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Power Settings
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Defense Evasion
Impair Defenses
1Indicator Removal
1Clear Windows Event Logs
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
274KB
MD52598ab3884bdd09aefb26cb0e930b936
SHA18a7e4105fded7484ac643bb3ef5347e54ee2065e
SHA2569f2384217d21f19566c3def777d2eeed2242f0b552bb29d465f0e3af3f6f70e7
SHA5120abcc77daed183336127d6c6136fd1a1abf26e738e6b48dd4e87edaeea7ca55a3c4e617e38c6b383c461d478ee38bd0db58af12b53bc5733fc8cb1fe44e31228
-
Filesize
117B
MD512a6f41ce157d212b48e2b7c15f1aa1a
SHA1c2bcd0ec3ace14a89d05ce81fd8d6ce567c8f637
SHA256b3f040435ddcf7e3916ff7fadeebfd4831e0b433623b9cd8905ff709e1e4b21b
SHA512032501ec94d6e696e3af8ff07e24b19eeacc4000130f4762b76668ca7c0d97e8d14d7f67e3e1128aa85b47d949044994f69f3f3bd98b2112ad3d13909f06681c
-
Filesize
432B
MD503ac2095488695db60d2db58e6c8d9a8
SHA1f70af11342c7d20096a33aab9f7e7c6fa60be3bb
SHA2566204b8f249741db3d22be52a980cc5ed2102304307ec82a2df4580396e0ec30f
SHA5123df3623235f6161eb452af721053612697423ea69ff35c0eb9fa32248f40742452d9a1e6ec149f84ef73f47bf27f79aed41fde3e87e142bce1f7e5086682e0a2
-
Filesize
14KB
MD50c0195c48b6b8582fa6f6373032118da
SHA1d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA25611bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
-
Filesize
5.2MB
MD5985c69365ae651836f74cc59c3fc8366
SHA1c731355d6a6cc7b46f6d816dba0e4542e47b6942
SHA2562856e69e2051ae44379a027b0789d25a553b42a543e1d58ec049e44f529543ed
SHA5126a7e94cf836cd2568644fa4c069a2bd01237464d7d0f8a42743bb2350d928c5922eb803dd37bb67c5acf7989e90f8db5e494662c9c32e83a0e6f3d1bcac73ead