Analysis
-
max time kernel
155s -
max time network
164s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
27-11-2024 02:53
General
-
Target
NovaLauncher_44dc2817f4e85757cc52784cd3521c67.msi
-
Size
7.1MB
-
MD5
44dc2817f4e85757cc52784cd3521c67
-
SHA1
41fc684fdb5331b3bc0a6a48f0903c530e3ff054
-
SHA256
4a0a4a787586fbc370a2721019013e158a88d5c5f78fd140c91b54af42103763
-
SHA512
66215cc9fb92c7ec5c9fdbe85df9a98bfb72cdfb48e8db51c4ea9bcbd22ff784d57313dea9a6a0a1ee98852d52bec455ad8983e15cab9cd163cbb136ed0f2d18
-
SSDEEP
196608:OdVx9BJKK09BYzW+ZUl4sK8bF/9NH5iPbPO:OdVx9s9BYzw4sK8bF/aTO
Malware Config
Extracted
lumma
https://powerful-avoids.sbs
https://motion-treesz.sbs
https://disobey-curly.sbs
https://leg-sate-boat.sbs
https://story-tense-faz.sbs
https://blade-govern.sbs
https://occupy-blushi.sbs
https://frogs-severz.sbs
https://fumblingactor.cyou
Signatures
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s) 2 TTPs
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 4 TTPs
-
A potential corporate email address has been identified in the URL: [email protected]
-
A potential corporate email address has been identified in the URL: [email protected]
-
A potential corporate email address has been identified in the URL: [email protected]
-
A potential corporate email address has been identified in the URL: [email protected]
-
Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Blocklisted process makes network request 4 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Loads dropped DLL 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 49 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 50 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Indicator Removal: Clear Windows Event Logs
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NovaLauncher_44dc2817f4e85757cc52784cd3521c67.msi2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc612cc40,0x7fffc612cc4c,0x7fffc612cc583⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,12368335318510783579,11344784215532549248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1760 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,12368335318510783579,11344784215532549248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2132 /prefetch:33⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,12368335318510783579,11344784215532549248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2192 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,12368335318510783579,11344784215532549248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,12368335318510783579,11344784215532549248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3416 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4420,i,12368335318510783579,11344784215532549248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4504 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4360,i,12368335318510783579,11344784215532549248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4416,i,12368335318510783579,11344784215532549248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4292,i,12368335318510783579,11344784215532549248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4656 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4708,i,12368335318510783579,11344784215532549248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3388 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5240,i,12368335318510783579,11344784215532549248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5272 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3748,i,12368335318510783579,11344784215532549248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5484,i,12368335318510783579,11344784215532549248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4380 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4332,i,12368335318510783579,11344784215532549248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3364 /prefetch:83⤵
- NTFS ADS
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4676,i,12368335318510783579,11344784215532549248,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Downloads\Vanta\Vanta.exe"C:\Users\Admin\Downloads\Vanta\Vanta.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\Vanta\Vanta.exe"C:\Users\Admin\Downloads\Vanta\Vanta.exe"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 14764⤵
- Program crash
-
-
-
-
C:\Users\Admin\Downloads\Vanta\Spoofer.exe"C:\Users\Admin\Downloads\Vanta\Spoofer.exe"2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Power Settings
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "WindowsAutHost"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "WindowsAutHost"3⤵
- Launches sc.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 19C7A9917AE38FFCB90E34BD07549A65 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5260 -ip 52602⤵
-
-
C:\ProgramData\WindowsServices\WindowsAutHostC:\ProgramData\WindowsServices\WindowsAutHost1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
-
-
C:\Windows\system32\dialer.exedialer.exe2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Installer Packages
1Power Settings
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Installer Packages
1Defense Evasion
Impair Defenses
1Indicator Removal
1Clear Windows Event Logs
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16.4MB
MD53d72cccda140b72e690d89e56ec63dad
SHA1989e41a07021b5dd2f7350d3338513f31c83473f
SHA2563a435badc9097d180656f2d32c117e144a2b22e55da240416059795aa5241fe5
SHA512875b6bff1fab59d826530a9e0e6c107197847f49f9509a4c130c6d229f9de0b41e4a1f08fb7327102c08184e6f31c506c4ce22296a13643b10f72dc97a4c306d
-
Filesize
64KB
MD5b5ad5caaaee00cb8cf445427975ae66c
SHA1dcde6527290a326e048f9c3a85280d3fa71e1e22
SHA256b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8
SHA51292f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
1008B
MD5d222b77a61527f2c177b0869e7babc24
SHA13f23acb984307a4aeba41ebbb70439c97ad1f268
SHA25680dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747
SHA512d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff
-
Filesize
9KB
MD522418136b0e57e78fb1f3f5cc73de4e7
SHA104b387ddf6ff2eef9b8ee378246cd9be2bd9e75d
SHA2568c86a797d98e46e2bc5d62748c41cbe5a401693ea5ee7c58860457ace40b50e0
SHA512ad5b398df574bfd9945610e6a4c4e3cd0cb200d635a2be5652054c3548280d54dafff99d00e6f4572451efaf3966ecb5e64e91fea68bfe5e075b62075271ba2d
-
Filesize
649B
MD52da253dac984a29cfcc90e462f1937aa
SHA1b527f7ea6d1b9fcf043581648394055a63990b79
SHA25695fdc3be1f985051d57d818c6cecb453048ee7d26f724c89e68037e8c461f3a9
SHA512da23fde7cd87cd7efcc78da0848e373247ab168a1ddcc81230f4f62190d9fcb806be412105d3c39b1b05b2efc4e910fda271ff9829ebd343f029113dd0ad7fbd
-
Filesize
20KB
MD587e8230a9ca3f0c5ccfa56f70276e2f2
SHA1eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7
SHA256e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9
SHA51237690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8
-
Filesize
1KB
MD584aaf426c3367d74f2cdb0021d0d0462
SHA1c1110e741e38d44b4f20b76c4a66d5cec6ed7443
SHA256bbd73513022ac063d5a6eb8cfc5c69285218c68f7af381b941c7a90c08a69287
SHA512a8f01295a1e45e678a72a582d27a772803c8ed0d94b45149084d993b3f0a177b7090a08eacff4aedfcbd2960d63ac08969b9a92638ed9286239a13e313ee670c
-
Filesize
11KB
MD5bee17b96f9c1e6b90b88e73c2131854f
SHA1c6970e307c0e80f427b3cf821aa245a3a03a7c6b
SHA256906fa37e11b2f408012ba324a5d908e1378789c21e4950118b4825edcca1bb2c
SHA512ce6c4f0983faee25dd40a7dd5b953d2c0baf3ba1afc8368982776577e1aba98b40ff00e328fc0f8bfeeef6f64ba80152f1f5e9da5ad60381ee2d3ffc4877ffcc
-
Filesize
11KB
MD55cf1862f565d1fee8c6d8f97680222a2
SHA101ee1072d1d585828c936bcad1897acd36ae5b7b
SHA256d8ce3719bb2781cd10fd0d4fd2c5cc77ce49975529264ede98d9b2a9f778aaea
SHA5124bf0473eb58e35c89c1be32d090c4449848ba8e1f3d421e72160810acefc9b897f84b90833fcfab0d4873c3684f7139cb7d6f90933ed4c790ca98fc554f1d132
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD5cd6e2a081d0c68569ff8cbb2272b6b50
SHA1707efcc3de794c36074412cff5ac132a2b30a1c9
SHA256598e0a222f99b547e12504a3c5d13537b5f8c71e6ff3315072f46c2f981bc6c1
SHA512cac983144c305bf5bebc2035b2a184cf7dd7a86281b63bfa7a06208f4b9819c7cb002be89bcfea1bdda8bdedb83e903c914dc10ecf664c9230562cf29de8f65d
-
Filesize
354B
MD52d4265fb825ae8d54c79c8c5e36bda06
SHA1037254101e68d0ac3ad747cc36bc7398ecd4cbfd
SHA2564d5667c7f109714789798bd123f8f0f51a6fa303100994e53fde3eff87bf4c34
SHA5128db24746e13eacfb68c3da289bb2933f346e7c539f577be24cd0c8f0ba8ee151f30ff5b87547389df1e0ff21607c7702ef70344e3d0087898800d36fbb30e255
-
Filesize
1KB
MD51d3b23a42b570a3c0081a001c3ff0774
SHA1a401395189ba01ef414c9f21788e929eb3f3639f
SHA25682f1263ffc22e484ed2d1839b949eb03e97473a6762a82a432d2232c6d73d3c1
SHA512dc8f68e01e7e133dceabbcb9ac7d447e64f123b181742626903286375ea3d7a6064289ed30b10b1437b8a9072d198182d20c0591ddf7bd8a364011d5965a82e1
-
Filesize
10KB
MD541bd3f098cd9a7ea893175cce25c57dd
SHA1262ac52609eaae98a30b8500a6b8646393e53f37
SHA25687f7e29fc3e15b2ada1efc1e3192ab393581df26e584463bb8b1d37d76f1c8e8
SHA5125eefaa7f1aabd6764692c71dec3f5003fa85c56b97f1859b90d234d294433b3da25f292b34bb230316b6c71414f3a2ff7addb53842e8f458e78b689309b01eb0
-
Filesize
9KB
MD5754bae5373bb76930accd2a040e6eb16
SHA1790d36b4477a8067fe4d2dcc9bbd0569cc1db22b
SHA2560bd925b440037de8d63a9b0eb14e297b21581abeae2e50603f73659d4ff34e9a
SHA512285776b1536e1435a150d96ed30f8a29d2f210f38ce007090d776043a8ef01d6d97e5b0fca1763f7323148b658aeb4c1155e21ab1db6651090a9fb3c4db3de97
-
Filesize
10KB
MD59a30b3703ff1000d959ccdb94af31e80
SHA110806b39011ea4903bd40680e2aee51a92d6a4fb
SHA25685d568417ae4cd6b0a0b0e5e41b1ac2b612f9429adcc3fb7e65480b9712b67ef
SHA512b7dd709e40e5013b8cca7a27be0d173af684aa7d5fd52f1f679890722666b22c46af0c849af0fbce78f8f14b1ece45091dbb21466e3ca0b7cb78f686dbde1ece
-
Filesize
10KB
MD5c78a979b900cfc1d5cd858a21cb5d9cf
SHA143d2884f390798062d66cda4c845c8511e9ed8d4
SHA256aaf34d320946de9f3a5d1983cfae3ee04f1c3d63c3ac238a6577a337514139ba
SHA5126ca4c12f61fee1ccdcf07dc9619b0988b4aa0c24dce23d82726be3b464da257fe78aacbca382a9c96b888e584015f5748bd59305342f9b29c38d1c0fd1823352
-
Filesize
9KB
MD5e056a2246f4785bfb125ba75ea7e5d3a
SHA1a11f9946ea6ccef7c4e0a7fd14c914fe15b2ff52
SHA2564a77ae5e7d038a9b065d539ca076ff28a54f958619d8e2e82faa808a4e44d034
SHA512c5f1d37d045a9733e37a3502478495dfafd34ac2f7b53e382cd5a6b3f1a21b311392601c062bad781269503dda0bf47bf072b428b07ebaf6c29a6385eda557f1
-
Filesize
10KB
MD5b4c0cfc66ab2183efc6436eeb9d21c63
SHA176daab3eecfe98202174be7a1b53196fd01f2814
SHA2567895632ffa256a171b61f0abe8d811ee71b268566079d6918110fb1ea2926163
SHA51284ce78d72fa62d71b35abcda7895ac68b405717645525b749e2b22197039ea5774f61ca7e6f7f5e8dc7af8c62b8fbad27a25c3ffd191adba38ffcd213b7674ab
-
Filesize
10KB
MD5eff47c05bec85424645eab117fc80044
SHA1e869d71a3565fb12a56e97627142bea55fcc16f4
SHA256d2759675db63b96541544ee6dfe49ff5fd93cc05218da2fe9226d1feab3311fc
SHA51279dafaf897b2fdab15b7e63d241b3b3ba4a83cfa3e89c4981024da7f6cdeac57a1fb24eea9af24862f5e289b76dc3670d5d0aa2d488b2a7599ef8425e1474aca
-
Filesize
10KB
MD5f7b13708453596ed4384d4202a6c773a
SHA1d0f346b5252494f2cebc6f6e953ba9026c021cdb
SHA2560406ce85f9fb58c04cf3a5682afdeda45268a4ddf3c8312e39f552b3557cba44
SHA512935df35410acff7d8d5d6e37e0928a0f67f6f624520c0897f6c5271c36147ef5f4127cf032439b80efdc672fb586e4738680804997d4287bfab19ad5dff24fe0
-
Filesize
10KB
MD5d07152e1711803bf3acf93b38b1afbc8
SHA1249efdc8c3f86f8c6bdb3a9c48a1e31c3d197cb1
SHA256c4cc80f6666d30d7e1cbb5bc56ed603d2e1c98672eae9f7b82873e466f87fd49
SHA5121e34aba4158a46bf1cc18650a9d4030c801af8d1d545870f12e336312b3bce0e5355cd64c44781a5bb51b1a895820f2d4a7e2f811b270ea8cface40722cae1ba
-
Filesize
10KB
MD56f36cf6e6930d639a08aab4fd10d2996
SHA13aa2bb421792130292b35f2c542e52371a85f8d7
SHA2560c449f20b520f86a76c589a1aebf60e9967b9ef798fb4c8c1494d0bdca462145
SHA512c6bf51ab112ee4143fff1bba438842d2c5e3f5cc6f5812beb9d28b9219143ea953be6a3bd276664d3d416abce6ba51449585830a74d43cb67c056838230fd839
-
Filesize
15KB
MD54b7af415f70c0c14b26556e586cc594e
SHA1890370dcec6b4f8818b38308efffc0780bacf6d5
SHA2562b5436b2b691cc28c74c609cca62be7ece3ad86923d4005a8251366db9c6e175
SHA512ac065f9df5c13d62b8d2300703f2d2f869fa4e3d5fb4980b7ca89e3fb5c9debcbcd28f6786a1aa17eea22fd1e02fca854e9b0baf2e1e65719a134f3cf8406e3b
-
Filesize
96B
MD5c8d4a3f4f67bc672c7e528308daa5d3d
SHA1f01ab013eed6e52cbca4a8a6754126dab872dc58
SHA256f79c01fe5150ce7835bf7e304238b15f5888d75530092eff63aa916bbfefdcb9
SHA512a853ea3f9aa551fa13f3c8f6956d420551eb05dc0f807d7464e959fba14082ef0435088d151326284f11580922598060dd772124e3e3aab2e1520138eeea776c
-
Filesize
234KB
MD5efc0d19daa4ff152c820a8da9fed5a83
SHA12a57e6aebb03d0ca97bb863ea9d24bb3abdadfae
SHA2567d440ff4c2a43cdf84b2fe1550305eb615a3cd5b1f89210a9dd27f6a062758f2
SHA5126709c1dfea7a3fcd1b2b651ed2f116e62ff567fac7079df5559e0a565df48bd36dbef126f0f88948090267ccdc1c3c2106d68cb20477a74c8cf76d1e9987b833
-
Filesize
234KB
MD5151393bab63a0c54f501cfb83b28930f
SHA13c2a53e468d037432add5cd426c6dfc03d43b58e
SHA256ccd93cd614d5d88bd20e92482c5c1c91769f4ea18b44ee531674cdeb03e1dd77
SHA512eff7bc35d23f1af399a9904d3d0b2276e4ed9d64cc8008204508c9c78a5cddd2d79b03cbd1eee6f91df83207f9cbed29eff230e9507ad06ffcc7446a2e3c408b
-
Filesize
234KB
MD545f74eb8ba9ace52f5cb3ef2617f5965
SHA1b12c2fdcdc0488cc6a527196e4e63a032acc1e6d
SHA25641c1902bcd31cc17e4bdcbfade7ea363934f3b118475360fec3208ab1050fa30
SHA5128e28e8107b2be628a36033d986a74bff93992c384c685582b2b3ca138e420403d5a26389e744f689c56aa258c9734ad9c9985439417350f226e837e3f8f8d511
-
Filesize
285KB
MD5b77a2a2768b9cc78a71bbffb9812b978
SHA1b70e27eb446fe1c3bc8ea03dabbee2739a782e04
SHA256f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0
SHA512a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
18.4MB
MD53c528cdbef7555576f78740a7a65c26c
SHA10293b662c5f40a8c2d3d8650fc65d26d0fe434cb
SHA256c8a6fe9304daaad33ab3fff22a337d25ba9cf7e913814d1fd116f807cfee227c
SHA512fea55cae4156110b8b85263f10472e62c0fb5c45150cb00f6fa7daa9bef318949652f1b0427c8b4e54c38e98f78b4f52af21f2004dffcca4f1c4b1ce0b0a57ea
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
1KB
MD58ec9b858770ae71075f06a8ebc30210f
SHA1e54f2d1bb0b25b5c59c2eb26a55ac9a1d09a1d08
SHA2567c5a5eb9142e4cd3bbfbd9b9ed482c5a2471c3014f2449138783fe2b92f62339
SHA512abef1fb612996bb1c5d59f55b6163cc481c3f0cdb260946762d6829ee3ab4b4ee8829b511e0462b168ebac039d055440547804e560aec8699820a85cdadff553
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
144KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
28.8MB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
756KB
-
Filesize
2.0MB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
716KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
24KB
-
Filesize
40KB
-
Filesize
372KB
-
Filesize
372KB