4cf3adf6ecaf8ec4005f6c29e806e68fac011f21c9c1920a4a3efa03e62151e6

Analysis

max time kernel
133s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667.exe
Size

110KB
MD5

5a465bcb371fb929a0036e6273616d44
SHA1

33cc1535f7cece4fba12ab2834c370a892d27601
SHA256

894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667
SHA512

d4741154e5d3e9a1f6d94200d28f0d379ae3382a10848ab55a26be563e72a55d74c633e1a304501084bd9a1dc882e4b8ae216839a692c247d0006d7f4192e822
SSDEEP

1536:ErZ2Ycqg5o/iyOybKyzfF95ibIAvKJY2:ErgJqTaypKifF90Pg

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2332	powershell.exe
1364	powershell.exe
2572	powershell.exe
2552	powershell.exe
3024	powershell.exe
2732	powershell.exe
1860	powershell.exe
2108	powershell.exe
1960	powershell.exe
2936	powershell.exe
2692	powershell.exe
1736	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
2392	svchost64.exe
2520	explorer.exe
888	svchost64.exe
1476	sihost64.exe
2000	explorer.exe
2488	svchost64.exe

Loads dropped DLL 6 IoCs

pid	Process
1896	cmd.exe
2392	svchost64.exe
2448	cmd.exe
888	svchost64.exe
1476	sihost64.exe
2592	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
14	raw.githubusercontent.com
9	raw.githubusercontent.com
10	raw.githubusercontent.com

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	svchost64.exe
File opened for modification	C:\Windows\system32\explorer.exe	sihost64.exe
File opened for modification	C:\Windows\system32\explorer.exe	svchost64.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\explorer.exe	svchost64.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	svchost64.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\Microsoft\Libs\WR64.sys	svchost64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchost64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchost64.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
484	schtasks.exe
1964	schtasks.exe
1844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2692	powershell.exe
2572	powershell.exe
2552	powershell.exe
3024	powershell.exe
2392	svchost64.exe
2732	powershell.exe
1860	powershell.exe
2108	powershell.exe
2332	powershell.exe
888	svchost64.exe
1960	powershell.exe
2936	powershell.exe
1736	powershell.exe
1364	powershell.exe
2488	svchost64.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2392	svchost64.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	888	svchost64.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	2488	svchost64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2828	2112	894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667.exe	31
PID 2112 wrote to memory of 2828	2112	894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667.exe	31
PID 2112 wrote to memory of 2828	2112	894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667.exe	31
PID 2828 wrote to memory of 2692	2828	cmd.exe	33
PID 2828 wrote to memory of 2692	2828	cmd.exe	33
PID 2828 wrote to memory of 2692	2828	cmd.exe	33
PID 2828 wrote to memory of 2572	2828	cmd.exe	34
PID 2828 wrote to memory of 2572	2828	cmd.exe	34
PID 2828 wrote to memory of 2572	2828	cmd.exe	34
PID 2828 wrote to memory of 2552	2828	cmd.exe	35
PID 2828 wrote to memory of 2552	2828	cmd.exe	35
PID 2828 wrote to memory of 2552	2828	cmd.exe	35
PID 2828 wrote to memory of 3024	2828	cmd.exe	36
PID 2828 wrote to memory of 3024	2828	cmd.exe	36
PID 2828 wrote to memory of 3024	2828	cmd.exe	36
PID 2112 wrote to memory of 1896	2112	894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667.exe	37
PID 2112 wrote to memory of 1896	2112	894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667.exe	37
PID 2112 wrote to memory of 1896	2112	894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667.exe	37
PID 1896 wrote to memory of 2392	1896	cmd.exe	39
PID 1896 wrote to memory of 2392	1896	cmd.exe	39
PID 1896 wrote to memory of 2392	1896	cmd.exe	39
PID 2392 wrote to memory of 1448	2392	svchost64.exe	40
PID 2392 wrote to memory of 1448	2392	svchost64.exe	40
PID 2392 wrote to memory of 1448	2392	svchost64.exe	40
PID 1448 wrote to memory of 484	1448	cmd.exe	42
PID 1448 wrote to memory of 484	1448	cmd.exe	42
PID 1448 wrote to memory of 484	1448	cmd.exe	42
PID 2392 wrote to memory of 2520	2392	svchost64.exe	43
PID 2392 wrote to memory of 2520	2392	svchost64.exe	43
PID 2392 wrote to memory of 2520	2392	svchost64.exe	43
PID 2392 wrote to memory of 1636	2392	svchost64.exe	44
PID 2392 wrote to memory of 1636	2392	svchost64.exe	44
PID 2392 wrote to memory of 1636	2392	svchost64.exe	44
PID 2520 wrote to memory of 2144	2520	explorer.exe	46
PID 2520 wrote to memory of 2144	2520	explorer.exe	46
PID 2520 wrote to memory of 2144	2520	explorer.exe	46
PID 1636 wrote to memory of 2792	1636	cmd.exe	47
PID 1636 wrote to memory of 2792	1636	cmd.exe	47
PID 1636 wrote to memory of 2792	1636	cmd.exe	47
PID 2144 wrote to memory of 2732	2144	cmd.exe	49
PID 2144 wrote to memory of 2732	2144	cmd.exe	49
PID 2144 wrote to memory of 2732	2144	cmd.exe	49
PID 2144 wrote to memory of 1860	2144	cmd.exe	50
PID 2144 wrote to memory of 1860	2144	cmd.exe	50
PID 2144 wrote to memory of 1860	2144	cmd.exe	50
PID 2144 wrote to memory of 2108	2144	cmd.exe	51
PID 2144 wrote to memory of 2108	2144	cmd.exe	51
PID 2144 wrote to memory of 2108	2144	cmd.exe	51
PID 2144 wrote to memory of 2332	2144	cmd.exe	52
PID 2144 wrote to memory of 2332	2144	cmd.exe	52
PID 2144 wrote to memory of 2332	2144	cmd.exe	52
PID 2520 wrote to memory of 2448	2520	explorer.exe	53
PID 2520 wrote to memory of 2448	2520	explorer.exe	53
PID 2520 wrote to memory of 2448	2520	explorer.exe	53
PID 2448 wrote to memory of 888	2448	cmd.exe	55
PID 2448 wrote to memory of 888	2448	cmd.exe	55
PID 2448 wrote to memory of 888	2448	cmd.exe	55
PID 888 wrote to memory of 2356	888	svchost64.exe	56
PID 888 wrote to memory of 2356	888	svchost64.exe	56
PID 888 wrote to memory of 2356	888	svchost64.exe	56
PID 888 wrote to memory of 1476	888	svchost64.exe	58
PID 888 wrote to memory of 1476	888	svchost64.exe	58
PID 888 wrote to memory of 1476	888	svchost64.exe	58
PID 2356 wrote to memory of 1964	2356	cmd.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667.exe
"C:\Users\Admin\AppData\Local\Temp\894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\system32\cmd.exe
  "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\svchost64.exe
    C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "explorer" /tr '"C:\Windows\system32\explorer.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "explorer" /tr '"C:\Windows\system32\explorer.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:484
  - - C:\Windows\system32\explorer.exe
      "C:\Windows\system32\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2144
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\explorer.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Users\Admin\AppData\Local\Temp\svchost64.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\explorer.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "explorer" /tr '"C:\Windows\system32\explorer.exe"' & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "explorer" /tr '"C:\Windows\system32\explorer.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1964
        
        C:\Windows\system32\Microsoft\Libs\sihost64.exe
        
        "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1476
        
        C:\Windows\system32\explorer.exe
        
        "C:\Windows\system32\explorer.exe"
        8⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        9⤵
        
        PID:328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\explorer.exe"
        9⤵
        Loads dropped DLL
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\explorer.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "explorer" /tr '"C:\Windows\system32\explorer.exe"' & exit
        11⤵
        
        PID:1980
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "explorer" /tr '"C:\Windows\system32\explorer.exe"'
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
        11⤵
        
        PID:1648
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        12⤵
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
        7⤵
        
        PID:1120
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:2704
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1973b1b85a526810026baeaa21c34b6a

SHA1
db6dca5ad393cf019dd94b8f36314ce2978377a1

SHA256
036dd5e677ba8cf1d19891db37ef2a1ca62f58e1f9f2a8df15b3f43b89f6f4bb

SHA512
ba3c5d20bfe37108bde42c1011d86e73aedde3f62aa7654a7ea18abdc89c32179eca9937fcd8d0f6d70615cd0a860a067079c40e55400398a8faa71edb1ca8ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6a4259747b7cdfb13e5aca7790e8309

SHA1
135f398daf08d79c900c19eee532c54a7f1463be

SHA256
0de0c6247df140959439b71089dcbc5d9b5877215cb88784d3e021a848d5e55e

SHA512
7b03192ee971d643fe5120eaad838e6284ec7655892a76da3f97db10255920c71f3616568f2b107d9a8937d4146217bd13555caf99a951d4c7ed47be2d1ccf68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7CC0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7CD3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe

Filesize
37KB

MD5
cf1be8fb5eb18d4c40ae75f030bcc142

SHA1
5e5a9aebfb44fbd2a1f5812f967ced20eab6284b

SHA256
7229b66a64cecab58cec6acdd8c3d628ef6514ad7c29ec5c4f5f6b239e3c819d

SHA512
4a92ed6c1200070620e59e5311e79ed21058c2d60095777279082ff15e1a44b47740cd24bbc18434944bf4873204ce17c888d80a9fb5773fb06fde58ddba2deb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
354a660786458a76c49131ff586ae661

SHA1
8983d964952993129a514533cbf753cbf2be8924

SHA256
10a8423c2f49c62886198cb072c3be7ef9cdb77eb490b4ae5ebb36cb10940d31

SHA512
b5de3962cd0a0ca64a31556256ce0caa01321a2ab4f6ab0e14fbef50df0131c8c9652acf229af21f60d468c41c94995ef35d27717395d8b49af09f0b30aa980f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
22f3a81d01028b2daff4503ccc2e3a5d

SHA1
73999437604df209358c337aa429b2f844a5706d

SHA256
f028b6afb3e00c9cc249e96e807552011c7dedb201ebb8dc27d04bd64e5b5077

SHA512
9c66510ad44064280ce62ae9937a38070eb068db05e6dde66b606b3a5930aad64e2d9455ff93e372d97db976bb688dba3b14db37db3acaa4913550a321bde15c

Download Submit
C:\Windows\system32\Microsoft\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
\Windows\System32\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
43edbf90c7d6083aac693cbe9ffdf9b5

SHA1
33b0a146c85d78351dbd9d648f0cf6c0a10e3949

SHA256
515e1acb721ef9d34314f5021eeaabacfb5b94e4b9585c217bb3789bf5744f56

SHA512
acbc53375278776e9ebb0bff8cc803552ade9dff5cb23601a15aea3477d325108e02efa0ec234ed776f88273691d5b4291b1dac4e8ba1894dda5151bfb157508

Download Submit
\Windows\System32\explorer.exe

Filesize
110KB

MD5
5a465bcb371fb929a0036e6273616d44

SHA1
33cc1535f7cece4fba12ab2834c370a892d27601

SHA256
894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667

SHA512
d4741154e5d3e9a1f6d94200d28f0d379ae3382a10848ab55a26be563e72a55d74c633e1a304501084bd9a1dc882e4b8ae216839a692c247d0006d7f4192e822

Download Submit
memory/888-77-0x000000013F580000-0x000000013F58E000-memory.dmp

Filesize
56KB

Download
memory/1476-84-0x000000013FF80000-0x000000013FF86000-memory.dmp

Filesize
24KB

Download
memory/2000-188-0x000000013F550000-0x000000013F570000-memory.dmp

Filesize
128KB

Download
memory/2112-34-0x000007FEF6623000-0x000007FEF6624000-memory.dmp

Filesize
4KB

Download
memory/2112-6-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download
memory/2112-0-0x000007FEF6623000-0x000007FEF6624000-memory.dmp

Filesize
4KB

Download
memory/2112-35-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download
memory/2112-37-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download
memory/2112-1-0x000000013F710000-0x000000013F730000-memory.dmp

Filesize
128KB

Download
memory/2392-42-0x000000013FEB0000-0x000000013FEBE000-memory.dmp

Filesize
56KB

Download
memory/2488-216-0x000000013F1D0000-0x000000013F1DE000-memory.dmp

Filesize
56KB

Download
memory/2520-49-0x000000013F460000-0x000000013F480000-memory.dmp

Filesize
128KB

Download
memory/2572-21-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2572-22-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2692-14-0x000007FEF3170000-0x000007FEF3B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-11-0x000007FEF3170000-0x000007FEF3B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-12-0x000007FEF3170000-0x000007FEF3B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-9-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2692-10-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2692-7-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2692-13-0x000007FEF3170000-0x000007FEF3B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-8-0x000007FEF342E000-0x000007FEF342F000-memory.dmp

Filesize
4KB

Download
memory/2692-15-0x000007FEF3170000-0x000007FEF3B0D000-memory.dmp

Filesize
9.6MB

Download