dee23e85d531e80655457b017752bb99378ba91819e5a85ccf9343a1094a1a4c

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

93KB
MD5

77569c49188ab04b3ed8fef0dfbef2cf
SHA1

413db869e07385a42e1f9a1209822fa41ec8cf8a
SHA256

dee23e85d531e80655457b017752bb99378ba91819e5a85ccf9343a1094a1a4c
SHA512

ea2b7c6e94f0559f9d1ac48f797e4fe40849e531088cb4a145247d6ad9da9488f2ce1acf0f7384ecf7df8fb5165470919de75e12cd2bf554d47cde14853ffe2a
SSDEEP

1536:RGbJD/HBZbszKu9AZpd7r1jEwzGi1dD3DEgS:RGqzK4AZ3HCi1dn9

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 2 TTPs 6 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

1380 netsh.exe
3740 netsh.exe
3244 netsh.exe
4088 netsh.exe
1556 netsh.exe
4044 netsh.exe

pid	process
1380	netsh.exe
3740	netsh.exe
3244	netsh.exe
4088	netsh.exe
1556	netsh.exe
4044	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Server.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

4644 svchost.exe

Drops startup file 6 IoCs

Processes:

svchost.exeServer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

svchost.exetmp39E7.tmp.batStUpdate.exetmpC34C.tmp.exetmp64AE.tmp.exeStUpdate.exe

pid process

4644 svchost.exe
32 tmp39E7.tmp.bat
1760 StUpdate.exe
2624 tmpC34C.tmp.exe
3320 tmp64AE.tmp.exe
4540 StUpdate.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

Server.exe

description	ioc	process
File opened for modification	F:\autorun.inf	Server.exe
File created	C:\autorun.inf	Server.exe
File opened for modification	C:\autorun.inf	Server.exe
File created	F:\autorun.inf	Server.exe

Drops file in System32 directory 3 IoCs

Processes:

Server.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Explower.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	svchost.exe

Drops file in Program Files directory 3 IoCs

Processes:

Server.exesvchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Explower.exe	Server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	Server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

netsh.exenetsh.exeschtasks.exenetsh.exeStUpdate.exetmpC34C.tmp.exeStUpdate.exenetsh.exenetsh.exesvchost.exenetsh.exetmp39E7.tmp.batServer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC34C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp39E7.tmp.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1336 schtasks.exe

pid	process
1336	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Server.exe

pid	process
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe
876	Server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

4644 svchost.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

4700 msedge.exe
4700 msedge.exe
4700 msedge.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

Server.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	876	Server.exe
Token: SeDebugPrivilege	4644	svchost.exe
Token: 33	4644	svchost.exe
Token: SeIncBasePriorityPrivilege	4644	svchost.exe
Token: 33	4644	svchost.exe
Token: SeIncBasePriorityPrivilege	4644	svchost.exe
Token: 33	4644	svchost.exe
Token: SeIncBasePriorityPrivilege	4644	svchost.exe
Token: 33	4644	svchost.exe
Token: SeIncBasePriorityPrivilege	4644	svchost.exe
Token: 33	4644	svchost.exe
Token: SeIncBasePriorityPrivilege	4644	svchost.exe
Token: 33	4644	svchost.exe
Token: SeIncBasePriorityPrivilege	4644	svchost.exe
Token: 33	4644	svchost.exe
Token: SeIncBasePriorityPrivilege	4644	svchost.exe
Token: 33	4644	svchost.exe
Token: SeIncBasePriorityPrivilege	4644	svchost.exe
Token: 33	4644	svchost.exe
Token: SeIncBasePriorityPrivilege	4644	svchost.exe
Token: 33	4644	svchost.exe
Token: SeIncBasePriorityPrivilege	4644	svchost.exe
Token: 33	4644	svchost.exe
Token: SeIncBasePriorityPrivilege	4644	svchost.exe
Token: 33	4644	svchost.exe
Token: SeIncBasePriorityPrivilege	4644	svchost.exe
Token: 33	4644	svchost.exe
Token: SeIncBasePriorityPrivilege	4644	svchost.exe
Token: 33	4644	svchost.exe
Token: SeIncBasePriorityPrivilege	4644	svchost.exe
Token: 33	4644	svchost.exe
Token: SeIncBasePriorityPrivilege	4644	svchost.exe
Token: 33	4644	svchost.exe
Token: SeIncBasePriorityPrivilege	4644	svchost.exe
Token: 33	4644	svchost.exe
Token: SeIncBasePriorityPrivilege	4644	svchost.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

svchost.exemsedge.exe

pid	process
4644	svchost.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Server.exesvchost.exemsedge.exe

description	pid	process	target process
PID 876 wrote to memory of 1556	876	Server.exe	netsh.exe
PID 876 wrote to memory of 1556	876	Server.exe	netsh.exe
PID 876 wrote to memory of 1556	876	Server.exe	netsh.exe
PID 876 wrote to memory of 4044	876	Server.exe	netsh.exe
PID 876 wrote to memory of 4044	876	Server.exe	netsh.exe
PID 876 wrote to memory of 4044	876	Server.exe	netsh.exe
PID 876 wrote to memory of 1380	876	Server.exe	netsh.exe
PID 876 wrote to memory of 1380	876	Server.exe	netsh.exe
PID 876 wrote to memory of 1380	876	Server.exe	netsh.exe
PID 876 wrote to memory of 4644	876	Server.exe	svchost.exe
PID 876 wrote to memory of 4644	876	Server.exe	svchost.exe
PID 876 wrote to memory of 4644	876	Server.exe	svchost.exe
PID 4644 wrote to memory of 3740	4644	svchost.exe	netsh.exe
PID 4644 wrote to memory of 3740	4644	svchost.exe	netsh.exe
PID 4644 wrote to memory of 3740	4644	svchost.exe	netsh.exe
PID 4644 wrote to memory of 4088	4644	svchost.exe	netsh.exe
PID 4644 wrote to memory of 4088	4644	svchost.exe	netsh.exe
PID 4644 wrote to memory of 4088	4644	svchost.exe	netsh.exe
PID 4644 wrote to memory of 3244	4644	svchost.exe	netsh.exe
PID 4644 wrote to memory of 3244	4644	svchost.exe	netsh.exe
PID 4644 wrote to memory of 3244	4644	svchost.exe	netsh.exe
PID 4644 wrote to memory of 1336	4644	svchost.exe	schtasks.exe
PID 4644 wrote to memory of 1336	4644	svchost.exe	schtasks.exe
PID 4644 wrote to memory of 1336	4644	svchost.exe	schtasks.exe
PID 4644 wrote to memory of 32	4644	svchost.exe	tmp39E7.tmp.bat
PID 4644 wrote to memory of 32	4644	svchost.exe	tmp39E7.tmp.bat
PID 4644 wrote to memory of 32	4644	svchost.exe	tmp39E7.tmp.bat
PID 4644 wrote to memory of 2624	4644	svchost.exe	tmpC34C.tmp.exe
PID 4644 wrote to memory of 2624	4644	svchost.exe	tmpC34C.tmp.exe
PID 4644 wrote to memory of 2624	4644	svchost.exe	tmpC34C.tmp.exe
PID 4644 wrote to memory of 3320	4644	svchost.exe	tmp64AE.tmp.exe
PID 4644 wrote to memory of 3320	4644	svchost.exe	tmp64AE.tmp.exe
PID 4644 wrote to memory of 4700	4644	svchost.exe	msedge.exe
PID 4644 wrote to memory of 4700	4644	svchost.exe	msedge.exe
PID 4700 wrote to memory of 2132	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2132	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe
PID 4700 wrote to memory of 2380	4700	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1556
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4044
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1380
- C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3740
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4088
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3244
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1336
- - C:\Users\Admin\AppData\Local\Temp\tmp39E7.tmp.bat
    "C:\Users\Admin\AppData\Local\Temp\tmp39E7.tmp.bat"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:32
- - C:\Users\Admin\AppData\Local\Temp\tmpC34C.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpC34C.tmp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2624
- - C:\Users\Admin\AppData\Local\Temp\tmp64AE.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp64AE.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:3320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7fff2f2946f8,0x7fff2f294708,0x7fff2f294718
      4⤵
      PID:2132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,12392849792503386722,6588547472216816705,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
      4⤵
      PID:2380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,12392849792503386722,6588547472216816705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
      4⤵
      PID:3264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,12392849792503386722,6588547472216816705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
      4⤵
      PID:1476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12392849792503386722,6588547472216816705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
      4⤵
      PID:2396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12392849792503386722,6588547472216816705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      4⤵
      PID:1716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12392849792503386722,6588547472216816705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
      4⤵
      PID:4244

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1760

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\StUpdate.exe.log

Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
637178cf2633902dcf5dc2f2842be5fe

SHA1
2c24f400239d8902c3e703bfe06cad265085df98

SHA256
aca761ddb00351b583dd7aa3e82884591d713e32bbecd9a92f3ede35bfb4e824

SHA512
b344a8822a6254351590dee39ca718bf1ea7db8fb5265edb522c8369a2249ded1f4eb87786d6b496d7934c332e4882128db12b75e410dd5bc44a04505acf348e

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
44B

MD5
5389b11510f65424863e2e9724bd65e4

SHA1
071102005e3217b50283b71ee33858bb15606549

SHA256
fecb0cdb9664c0c83a84dff897fecff3773df1d4d5a6fc5c84e2187027315fa7

SHA512
ba78a6c2619bd7a4d4428a5b0b739e109dfa9ddb8925a005067f8b7091744bd9e16e007d32f62ae42768f3f45fb8aefe496f5a3ef617862127b53a88f86514ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp39E7.tmp.bat

Filesize
100KB

MD5
6032ce8ceea46af873b78c1f323547da

SHA1
8c5bd4a70e0f21aeba41c07976ace2919b64fd80

SHA256
19dc8c66d04d1a1d781e59107e2a1db5fd6288761c9dfd0c6909e533e79d04e7

SHA512
3ada1663cb730f43b44e32ceade5d0b9cae20d1c20001691a1d226d99c82510e001581f67f5131d6c21e0e0cf98e5089c3d0f22a6a1e3347053ed73304ccc6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp64AE.tmp.exe

Filesize
61KB

MD5
f4407493019fe05f34b074539519ebc4

SHA1
b3f5ff69ff4fee493440c133f033a0d05a6edd43

SHA256
a5c1bdc7b8c0e456edac031568c8acca0524eeec7e91977d63c41c0a82c608c5

SHA512
24668bd17617e038544ed5cc92385cba01ec1b70725930457a5deb6f4ef1a079e3af8d7f592dad851fb1685387daaf47cc02a6c406042dc7ec1f406d2ab3bfc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC34C.tmp.exe

Filesize
28KB

MD5
6c2210ba180f0e1b9d831c3c6c14c8b4

SHA1
00bebdf704f4cabf254583c6ad87c6e72872b61a

SHA256
501c36ac282029ccf7950a4957d4c10ea72fe18f0ad8d6daeabfe628fa4070a7

SHA512
26a63ad05199cf45acd7519fbc63945097b4c4a89bb2cdfa4f87ba004e1ce106220b0b99419e656de26d164265b3868a9ce541c71b05d4e4db1a9a1343130e9b

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
69cf10399d0d1350c3698099796624cb

SHA1
d0b58b76ff065f51172971853a7da414286d9ea7

SHA256
a7bff94c7cdef50b67a3bab142ebcec4d360491e339581c41f433fec6d002f48

SHA512
5e1c9745b2b529c026e51fbff7fd4e1e0bd208c705b7da830459758d28c01b32b9bc93caa7ad60228d3e785784023d8a739fda0dab62d3c76770ea84c257f1f7

Download Submit
F:\Umbrella.flv.exe

Filesize
93KB

MD5
77569c49188ab04b3ed8fef0dfbef2cf

SHA1
413db869e07385a42e1f9a1209822fa41ec8cf8a

SHA256
dee23e85d531e80655457b017752bb99378ba91819e5a85ccf9343a1094a1a4c

SHA512
ea2b7c6e94f0559f9d1ac48f797e4fe40849e531088cb4a145247d6ad9da9488f2ce1acf0f7384ecf7df8fb5165470919de75e12cd2bf554d47cde14853ffe2a

Download Submit
\??\pipe\LOCAL\crashpad_4700_GABYBOBVMHWUIEOM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/32-92-0x0000000004F60000-0x0000000004F6A000-memory.dmp

Filesize
40KB

Download
memory/32-89-0x0000000004FF0000-0x000000000508C000-memory.dmp

Filesize
624KB

Download
memory/32-93-0x0000000005090000-0x00000000050E6000-memory.dmp

Filesize
344KB

Download
memory/32-91-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/32-90-0x00000000056E0000-0x0000000005C84000-memory.dmp

Filesize
5.6MB

Download
memory/32-88-0x00000000006A0000-0x00000000006C0000-memory.dmp

Filesize
128KB

Download
memory/876-1-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/876-0-0x0000000075592000-0x0000000075593000-memory.dmp

Filesize
4KB

Download
memory/876-2-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/876-47-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2624-110-0x0000000000B00000-0x0000000000B0E000-memory.dmp

Filesize
56KB

Download
memory/3320-123-0x000000001C150000-0x000000001C61E000-memory.dmp

Filesize
4.8MB

Download
memory/3320-126-0x000000001C840000-0x000000001C88C000-memory.dmp

Filesize
304KB

Download
memory/3320-125-0x0000000001520000-0x0000000001528000-memory.dmp

Filesize
32KB

Download
memory/3320-124-0x000000001C6C0000-0x000000001C75C000-memory.dmp

Filesize
624KB

Download
memory/3320-122-0x000000001BB80000-0x000000001BC26000-memory.dmp

Filesize
664KB

Download