Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-10-2024 21:14
Static task
static1
Behavioral task
behavioral1
Sample
01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe
Resource
win10v2004-20241007-en
General
-
Target
01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe
-
Size
1.2MB
-
MD5
46feda17e80f3d49da421376b8ed69f0
-
SHA1
7f07a79d769261a5d51d5d74d878b2dc231eb6d2
-
SHA256
01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5
-
SHA512
d21cf60bfba3424895946180001e43e052ce028bb018950853205e0d6808a3c967de94bd23eb1b2a75440544404822a8569aab29cd776146965a8aacb7b77e6a
-
SSDEEP
12288:VNcWyda1DbJ0No0RJTTlTTJMtB6eSRV5txtIMzJTTlTTruAN6DbhQnNmWEOwoU8L:zcx4DEoSMKeYKMqnenNmWbjU8CcXjFg
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
185.252.232.158:7812
64.23.232.116:7812
vsvf
-
delay
1
-
install
true
-
install_file
Windows Security Health Service.exe
-
install_folder
%AppData%
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
xworm
5.0
159.65.24.61:7812
ApBO5aKkoFf776MU
-
Install_directory
%AppData%
-
install_file
Windows Defender Service.exe
-
telegram
https://api.telegram.org/bot7308504158:AAGvjg5ZWkkItSzfmQZs_qu73xKZ_gWVkJI/sendMessage?chat_id=6291749148
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x000c000000023b42-6.dat family_xworm behavioral2/memory/2436-41-0x00000000000A0000-0x00000000000B0000-memory.dmp family_xworm -
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral2/files/0x000b000000023b9c-17.dat family_stormkitty behavioral2/memory/2412-85-0x0000000000370000-0x00000000003A0000-memory.dmp family_stormkitty -
resource yara_rule behavioral2/files/0x000a000000023b9f-46.dat VenomRAT behavioral2/memory/1544-77-0x0000000000A70000-0x0000000000A88000-memory.dmp VenomRAT -
Async RAT payload 2 IoCs
resource yara_rule behavioral2/files/0x000b000000023b9c-17.dat family_asyncrat behavioral2/files/0x000a000000023b9f-46.dat family_asyncrat -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation Cracked.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation Windows Defender Service.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Service.lnk Windows Defender Service.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Service.lnk Windows Defender Service.exe -
Executes dropped EXE 10 IoCs
pid Process 2436 Windows Defender Service.exe 2412 svchost.exe 2584 crack.exe 5052 AdobeUpdate.exe 1544 Cracked.exe 2292 windows update.exe 2044 Flash USDT Sender.exe 1504 Windows Security Health Service.exe 3716 Windows Defender Service.exe 2052 Windows Defender Service.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdate.exe" AdobeUpdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Service = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender Service.exe" Windows Defender Service.exe -
Drops desktop.ini file(s) 7 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\7878fc539e5ad25c8558ad228f875da2\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\7878fc539e5ad25c8558ad228f875da2\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\7878fc539e5ad25c8558ad228f875da2\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\7878fc539e5ad25c8558ad228f875da2\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\7878fc539e5ad25c8558ad228f875da2\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\7878fc539e5ad25c8558ad228f875da2\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\7878fc539e5ad25c8558ad228f875da2\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini svchost.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 22 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windows update.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flash USDT Sender.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 3284 cmd.exe 872 netsh.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier svchost.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 3476 timeout.exe 2052 timeout.exe -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell Flash USDT Sender.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Flash USDT Sender.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 Flash USDT Sender.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff Flash USDT Sender.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" Flash USDT Sender.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Flash USDT Sender.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Flash USDT Sender.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Flash USDT Sender.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Flash USDT Sender.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff Flash USDT Sender.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings Flash USDT Sender.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Flash USDT Sender.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 Flash USDT Sender.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell Flash USDT Sender.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Flash USDT Sender.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Flash USDT Sender.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Flash USDT Sender.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" Flash USDT Sender.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Flash USDT Sender.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Flash USDT Sender.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5096 schtasks.exe 4996 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 5052 AdobeUpdate.exe 2436 Windows Defender Service.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1544 Cracked.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe 1504 Windows Security Health Service.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeDebugPrivilege 2436 Windows Defender Service.exe Token: SeDebugPrivilege 1544 Cracked.exe Token: SeDebugPrivilege 2412 svchost.exe Token: SeDebugPrivilege 1544 Cracked.exe Token: SeDebugPrivilege 2584 crack.exe Token: SeDebugPrivilege 1504 Windows Security Health Service.exe Token: SeDebugPrivilege 1504 Windows Security Health Service.exe Token: SeDebugPrivilege 3716 Windows Defender Service.exe Token: SeDebugPrivilege 2052 Windows Defender Service.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 1504 Windows Security Health Service.exe 2044 Flash USDT Sender.exe 2044 Flash USDT Sender.exe 2044 Flash USDT Sender.exe 2044 Flash USDT Sender.exe 2044 Flash USDT Sender.exe 2044 Flash USDT Sender.exe 2044 Flash USDT Sender.exe 2044 Flash USDT Sender.exe 2044 Flash USDT Sender.exe 2044 Flash USDT Sender.exe 2044 Flash USDT Sender.exe -
Suspicious use of WriteProcessMemory 57 IoCs
description pid Process procid_target PID 828 wrote to memory of 2436 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 83 PID 828 wrote to memory of 2436 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 83 PID 828 wrote to memory of 2412 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 84 PID 828 wrote to memory of 2412 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 84 PID 828 wrote to memory of 2412 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 84 PID 828 wrote to memory of 5052 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 85 PID 828 wrote to memory of 5052 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 85 PID 828 wrote to memory of 2584 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 86 PID 828 wrote to memory of 2584 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 86 PID 828 wrote to memory of 2584 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 86 PID 828 wrote to memory of 1544 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 87 PID 828 wrote to memory of 1544 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 87 PID 828 wrote to memory of 2292 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 88 PID 828 wrote to memory of 2292 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 88 PID 828 wrote to memory of 2292 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 88 PID 828 wrote to memory of 2044 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 89 PID 828 wrote to memory of 2044 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 89 PID 828 wrote to memory of 2044 828 01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe 89 PID 1544 wrote to memory of 3284 1544 Cracked.exe 93 PID 1544 wrote to memory of 3284 1544 Cracked.exe 93 PID 1544 wrote to memory of 2696 1544 Cracked.exe 95 PID 1544 wrote to memory of 2696 1544 Cracked.exe 95 PID 2696 wrote to memory of 3476 2696 cmd.exe 97 PID 2696 wrote to memory of 3476 2696 cmd.exe 97 PID 3284 wrote to memory of 5096 3284 cmd.exe 98 PID 3284 wrote to memory of 5096 3284 cmd.exe 98 PID 2436 wrote to memory of 4996 2436 Windows Defender Service.exe 99 PID 2436 wrote to memory of 4996 2436 Windows Defender Service.exe 99 PID 2584 wrote to memory of 4636 2584 crack.exe 101 PID 2584 wrote to memory of 4636 2584 crack.exe 101 PID 2584 wrote to memory of 4636 2584 crack.exe 101 PID 4636 wrote to memory of 2052 4636 cmd.exe 104 PID 4636 wrote to memory of 2052 4636 cmd.exe 104 PID 4636 wrote to memory of 2052 4636 cmd.exe 104 PID 2696 wrote to memory of 1504 2696 cmd.exe 105 PID 2696 wrote to memory of 1504 2696 cmd.exe 105 PID 2412 wrote to memory of 3284 2412 svchost.exe 106 PID 2412 wrote to memory of 3284 2412 svchost.exe 106 PID 2412 wrote to memory of 3284 2412 svchost.exe 106 PID 3284 wrote to memory of 2808 3284 cmd.exe 108 PID 3284 wrote to memory of 2808 3284 cmd.exe 108 PID 3284 wrote to memory of 2808 3284 cmd.exe 108 PID 3284 wrote to memory of 872 3284 cmd.exe 109 PID 3284 wrote to memory of 872 3284 cmd.exe 109 PID 3284 wrote to memory of 872 3284 cmd.exe 109 PID 3284 wrote to memory of 752 3284 cmd.exe 110 PID 3284 wrote to memory of 752 3284 cmd.exe 110 PID 3284 wrote to memory of 752 3284 cmd.exe 110 PID 2412 wrote to memory of 1148 2412 svchost.exe 111 PID 2412 wrote to memory of 1148 2412 svchost.exe 111 PID 2412 wrote to memory of 1148 2412 svchost.exe 111 PID 1148 wrote to memory of 2780 1148 cmd.exe 113 PID 1148 wrote to memory of 2780 1148 cmd.exe 113 PID 1148 wrote to memory of 2780 1148 cmd.exe 113 PID 1148 wrote to memory of 416 1148 cmd.exe 114 PID 1148 wrote to memory of 416 1148 cmd.exe 114 PID 1148 wrote to memory of 416 1148 cmd.exe 114 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe"C:\Users\Admin\AppData\Local\Temp\01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Users\Admin\AppData\Roaming\Windows Defender Service.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Service.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Service" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender Service.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:4996
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
PID:2808
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:872
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
- System Location Discovery: System Language Discovery
PID:752
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
PID:2780
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:416
-
-
-
-
C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe"C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:5052
-
-
C:\Users\Admin\AppData\Roaming\crack.exe"C:\Users\Admin\AppData\Roaming\crack.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBB80.tmp.cmd""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\timeout.exetimeout 44⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2052
-
-
-
-
C:\Users\Admin\AppData\Roaming\Cracked.exe"C:\Users\Admin\AppData\Roaming\Cracked.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"'4⤵
- Scheduled Task/Job: Scheduled Task
PID:5096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB70B.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
PID:3476
-
-
C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1504
-
-
-
-
C:\Users\Admin\AppData\Roaming\windows update.exe"C:\Users\Admin\AppData\Roaming\windows update.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2292
-
-
C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe"C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2044
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender Service.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Service.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3716
-
C:\Users\Admin\AppData\Roaming\Windows Defender Service.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Service.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2052
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\7878fc539e5ad25c8558ad228f875da2\Admin@YQRLKYON_en-US\Browsers\Firefox\Bookmarks.txt
Filesize105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\7878fc539e5ad25c8558ad228f875da2\Admin@YQRLKYON_en-US\System\Process.txt
Filesize4KB
MD5788b86809ab0c41efe17a9b2451aed26
SHA1123c888f0284ddcbbd63c8824365ea2feed8afaf
SHA25644ea542ef337a361057987a4a8447032442a40564e41344f03d8ce66ffc0d240
SHA512e89a81b5feb95535b17bae4ca0489eb9ccec161c5ff56bedaaba2bd135634eba1ca032f8e77e2f53ebb83c6581520628e4b95d5143aa15d82b8905132da616ce
-
Filesize
5B
MD5c590b8e5b4f1a5fe839466462e187182
SHA18a03184de156315221b42fdc5d0bb85d64ac8e34
SHA2568287e6feff923479c7473e43108c91b4778e2675be98ae751b878e81e608302e
SHA512b1ee4f90204dca1a930b22b75433cf108871e9a55237cfbf612259dbac80617895cb6350ae2cff303d868ccbe80e357b1ed671eec4600d51bc95d0f29eb38728
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
175B
MD5083f43865a53772a504ad2c0e9be606c
SHA110efb2767a3175de28608cc21c73646bc69eb5bb
SHA2566ad2ee34e971a540cabc7ebe0b3a88f1fab6eb977ee11e267a10446555a21822
SHA5124c8e1b47c3d4b193573404323d6f0b59824d24e35e19a9c2d868dd3a31544acf1fa7d11344370c5115f6a25c5c9f563f54009efc6da29159aadff1d4ea8f1da0
-
Filesize
151B
MD5c5002fcbc1793be8db660c14fd4ee0fb
SHA1c96a4bcbc193525e1e6fef52c0eacd09b3c13361
SHA2568d299a7017b285b6fe1695bcfbe3264f847089a0024a33e96904ecd64b2302a3
SHA51246efb0aa7b3183efbd0d5fd24d346f86e79ac4d9f08d76ea3cba7969303482bc5dd915b8dd7afa5d63cc3602d456daea05926be200b8eea2ed70ba9320234a23
-
Filesize
10KB
MD5bb2f6ec73b6646fb1d674763a060b42b
SHA1dbdaed5d56e6a54bdefc352a12f8436a73c3cd9d
SHA2560f5c554a665e05341d97ffbe3b7facbcb2043e50d079457fc54cd762cdeb11de
SHA5129df8a285a80a8d1a6ea43163cd32dba72a8ee3bfbc96cc4a96917a60b9fd07a13da8c7abac41052db1b263e64dd5acf62820cbafad685d36e3c9ae3f607c56f8
-
Filesize
74KB
MD50dfa83a82f6418c73406d78296de61be
SHA1dd7eceef8a434c43e0751e180bf714e08771d336
SHA2568d27369ffa8b29d561fa9daf485be14d2fc00287bb1c69d4c84d514891c8db5e
SHA5129a4b026250b18c29ab7dd48203f321c2ef2f12695bd2dcb52ebbc15001c8ddf019d5a7e04da056c50c1881ce269d1810259bf6d04b61f471e8751b7192fc73d4
-
Filesize
776KB
MD5ac7938b542469a1c5bb108fc046ac87b
SHA19571a4ab3359b982f0ab33b03e815df8c354b0f3
SHA2561efd1de7aef995821042509c66121a942c7ee8e004badbb4e14a10b5d7c96292
SHA512a669d873bfbe176b6e8b365178272b8666eeadc85e74a814c10e0d5217b988d8f11ef94aa495cbd9ad47d63f4483872c3e42e18c9554db7572ef14321682d257
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
39KB
MD5d536d6af55d6fdd40603aa188302fea0
SHA1cafde0fdaec80e0adf0f8190c6653599de64e6d0
SHA256765f25e12378795aef83491f0aab228e0b20f1be973dd7aac44608fddb334bce
SHA512c1ecac71c9703dc06b8eef9f0ba2f3fbcec4fc053f99acd6a2d2a11fd723c631075625a7cb85c0565f660526ae8c1cfe9621b50858213e08e6f70722be56c180
-
Filesize
8KB
MD59215015740c937980b6b53cee5087769
SHA1a0bfe95486944f1548620d4de472c3758e95d36a
SHA256a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541
SHA5125b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2
-
Filesize
170KB
MD596014694a042d8344b910bc47d79337b
SHA19d19ab2f110ae58f30965a5a3d608cbf51986edb
SHA2564950eb74909bd6e739e38e57d8c6465c76ef108d65cac9f130d3f5c6d2fe943f
SHA512fe308c42b3ad2c3d73a834399aa12ea23f336103389181dface80a81da8be1ffd9a950cac802dc8a806ad318eb90a6bb6021d1acd9206a07749f83f2bb6cd03d
-
Filesize
76KB
MD574eab303bc6b579831e076ccad9f29c6
SHA117d29c26066457aee794d2f365bcf4dc4a00ef40
SHA256533cfe737cd440c7f9a65d7b47c0f082886d50bcebff287f922a27f4d10f77f0
SHA5125352fafaf6fbcd7a72383ab300b2cef462e10eafc40033cf7e605bc14d47ebd0668b518d6d0a2700befa9521bfcfd11d971fe4153aaabefa4071f017a6cc72e2