orcus | 6e5aa4eae614ca049a1b2c8b803e6610b2b176a8e009ddad8df221c5899bb0ac

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
25/01/2025, 10:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

UZI.exe
Size

1.1MB
MD5

53438f13efec4841b7182bdcebc4410b
SHA1

9483c1614dbf6e133c92a1d355a017eff4eeed2b
SHA256

6e5aa4eae614ca049a1b2c8b803e6610b2b176a8e009ddad8df221c5899bb0ac
SHA512

363eb26746cc536a351f176d17205305ac84c18f151d608eb3f6543bed9db9e6d6104b90babde74d780873ef092bb2628493b5486f4521d0f9e8d26b5b33de8b
SSDEEP

24576:Fam4MROxnF4HrrcI0AilFEvxHPRZoo1jXbh:FOMiaHrrcI0AilFEvxHPjr

Score

10^/10

orcus defense_evasion rat spyware stealer

Malware Config

Extracted

Family

orcus

195.88.218.126:10134

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/memory/4780-1-0x0000024068D20000-0x0000024068E3A000-memory.dmp	orcus
behavioral1/memory/4780-272-0x000002406B700000-0x000002406B7E8000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

pid	Process
4888	n3eeylod.ptu.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe

Modifies data under HKEY_USERS 62 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={1AFC888A-91A0-4B6D-80BA-C3D20B0DF7C6}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sat, 25 Jan 2025 10:03:13 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1737799391"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION	wmiprvse.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4832	SCHTASKS.exe
340	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4780	UZI.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe
4888	n3eeylod.ptu.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	UZI.exe
Token: SeDebugPrivilege	4888	n3eeylod.ptu.exe
Token: SeAssignPrimaryTokenPrivilege	2736	svchost.exe
Token: SeIncreaseQuotaPrivilege	2736	svchost.exe
Token: SeSecurityPrivilege	2736	svchost.exe
Token: SeTakeOwnershipPrivilege	2736	svchost.exe
Token: SeLoadDriverPrivilege	2736	svchost.exe
Token: SeSystemtimePrivilege	2736	svchost.exe
Token: SeBackupPrivilege	2736	svchost.exe
Token: SeRestorePrivilege	2736	svchost.exe
Token: SeShutdownPrivilege	2736	svchost.exe
Token: SeSystemEnvironmentPrivilege	2736	svchost.exe
Token: SeUndockPrivilege	2736	svchost.exe
Token: SeManageVolumePrivilege	2736	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2736	svchost.exe
Token: SeIncreaseQuotaPrivilege	2736	svchost.exe
Token: SeSecurityPrivilege	2736	svchost.exe
Token: SeTakeOwnershipPrivilege	2736	svchost.exe
Token: SeLoadDriverPrivilege	2736	svchost.exe
Token: SeSystemtimePrivilege	2736	svchost.exe
Token: SeBackupPrivilege	2736	svchost.exe
Token: SeRestorePrivilege	2736	svchost.exe
Token: SeShutdownPrivilege	2736	svchost.exe
Token: SeSystemEnvironmentPrivilege	2736	svchost.exe
Token: SeUndockPrivilege	2736	svchost.exe
Token: SeManageVolumePrivilege	2736	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2736	svchost.exe
Token: SeIncreaseQuotaPrivilege	2736	svchost.exe
Token: SeSecurityPrivilege	2736	svchost.exe
Token: SeTakeOwnershipPrivilege	2736	svchost.exe
Token: SeLoadDriverPrivilege	2736	svchost.exe
Token: SeSystemtimePrivilege	2736	svchost.exe
Token: SeBackupPrivilege	2736	svchost.exe
Token: SeRestorePrivilege	2736	svchost.exe
Token: SeShutdownPrivilege	2736	svchost.exe
Token: SeSystemEnvironmentPrivilege	2736	svchost.exe
Token: SeUndockPrivilege	2736	svchost.exe
Token: SeManageVolumePrivilege	2736	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2736	svchost.exe
Token: SeIncreaseQuotaPrivilege	2736	svchost.exe
Token: SeSecurityPrivilege	2736	svchost.exe
Token: SeTakeOwnershipPrivilege	2736	svchost.exe
Token: SeLoadDriverPrivilege	2736	svchost.exe
Token: SeSystemtimePrivilege	2736	svchost.exe
Token: SeBackupPrivilege	2736	svchost.exe
Token: SeRestorePrivilege	2736	svchost.exe
Token: SeShutdownPrivilege	2736	svchost.exe
Token: SeSystemEnvironmentPrivilege	2736	svchost.exe
Token: SeUndockPrivilege	2736	svchost.exe
Token: SeManageVolumePrivilege	2736	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2736	svchost.exe
Token: SeIncreaseQuotaPrivilege	2736	svchost.exe
Token: SeSecurityPrivilege	2736	svchost.exe
Token: SeTakeOwnershipPrivilege	2736	svchost.exe
Token: SeLoadDriverPrivilege	2736	svchost.exe
Token: SeSystemtimePrivilege	2736	svchost.exe
Token: SeBackupPrivilege	2736	svchost.exe
Token: SeRestorePrivilege	2736	svchost.exe
Token: SeShutdownPrivilege	2736	svchost.exe
Token: SeSystemEnvironmentPrivilege	2736	svchost.exe
Token: SeUndockPrivilege	2736	svchost.exe
Token: SeManageVolumePrivilege	2736	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2736	svchost.exe
Token: SeIncreaseQuotaPrivilege	2736	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 4888	4780	UZI.exe	77
PID 4780 wrote to memory of 4888	4780	UZI.exe	77
PID 4780 wrote to memory of 4832	4780	UZI.exe	78
PID 4780 wrote to memory of 4832	4780	UZI.exe	78
PID 4888 wrote to memory of 640	4888	n3eeylod.ptu.exe	5
PID 4888 wrote to memory of 696	4888	n3eeylod.ptu.exe	7
PID 4888 wrote to memory of 988	4888	n3eeylod.ptu.exe	12
PID 4888 wrote to memory of 468	4888	n3eeylod.ptu.exe	13
PID 4888 wrote to memory of 444	4888	n3eeylod.ptu.exe	14
PID 4888 wrote to memory of 908	4888	n3eeylod.ptu.exe	15
PID 4888 wrote to memory of 1060	4888	n3eeylod.ptu.exe	16
PID 4888 wrote to memory of 1072	4888	n3eeylod.ptu.exe	17
PID 4888 wrote to memory of 1144	4888	n3eeylod.ptu.exe	18
PID 4888 wrote to memory of 1196	4888	n3eeylod.ptu.exe	20
PID 4888 wrote to memory of 1304	4888	n3eeylod.ptu.exe	21
PID 4888 wrote to memory of 1316	4888	n3eeylod.ptu.exe	22
PID 4888 wrote to memory of 1364	4888	n3eeylod.ptu.exe	23
PID 4888 wrote to memory of 1448	4888	n3eeylod.ptu.exe	24
PID 4888 wrote to memory of 1552	4888	n3eeylod.ptu.exe	25
PID 4888 wrote to memory of 1624	4888	n3eeylod.ptu.exe	26
PID 4888 wrote to memory of 1636	4888	n3eeylod.ptu.exe	27
PID 4888 wrote to memory of 1688	4888	n3eeylod.ptu.exe	28
PID 4888 wrote to memory of 1720	4888	n3eeylod.ptu.exe	29
PID 4888 wrote to memory of 1776	4888	n3eeylod.ptu.exe	30
PID 4888 wrote to memory of 1840	4888	n3eeylod.ptu.exe	31
PID 4888 wrote to memory of 1860	4888	n3eeylod.ptu.exe	32
PID 4888 wrote to memory of 1912	4888	n3eeylod.ptu.exe	33
PID 4888 wrote to memory of 1920	4888	n3eeylod.ptu.exe	34
PID 4888 wrote to memory of 2004	4888	n3eeylod.ptu.exe	35
PID 4888 wrote to memory of 1832	4888	n3eeylod.ptu.exe	36
PID 4888 wrote to memory of 2060	4888	n3eeylod.ptu.exe	37
PID 4888 wrote to memory of 2204	4888	n3eeylod.ptu.exe	39
PID 4888 wrote to memory of 2392	4888	n3eeylod.ptu.exe	40
PID 4888 wrote to memory of 2532	4888	n3eeylod.ptu.exe	41
PID 4888 wrote to memory of 2540	4888	n3eeylod.ptu.exe	42
PID 4888 wrote to memory of 2576	4888	n3eeylod.ptu.exe	43
PID 4888 wrote to memory of 2672	4888	n3eeylod.ptu.exe	44
PID 4888 wrote to memory of 2680	4888	n3eeylod.ptu.exe	45
PID 4888 wrote to memory of 2724	4888	n3eeylod.ptu.exe	46
PID 4888 wrote to memory of 2736	4888	n3eeylod.ptu.exe	47
PID 4888 wrote to memory of 2764	4888	n3eeylod.ptu.exe	48
PID 4888 wrote to memory of 3008	4888	n3eeylod.ptu.exe	49
PID 4888 wrote to memory of 3064	4888	n3eeylod.ptu.exe	50
PID 4888 wrote to memory of 3096	4888	n3eeylod.ptu.exe	51
PID 4888 wrote to memory of 3224	4888	n3eeylod.ptu.exe	52
PID 4888 wrote to memory of 3392	4888	n3eeylod.ptu.exe	53
PID 4888 wrote to memory of 3436	4888	n3eeylod.ptu.exe	54
PID 4888 wrote to memory of 3792	4888	n3eeylod.ptu.exe	57
PID 4888 wrote to memory of 3872	4888	n3eeylod.ptu.exe	58
PID 4888 wrote to memory of 3940	4888	n3eeylod.ptu.exe	59
PID 4888 wrote to memory of 3964	4888	n3eeylod.ptu.exe	60
PID 4888 wrote to memory of 4292	4888	n3eeylod.ptu.exe	61
PID 4888 wrote to memory of 4352	4888	n3eeylod.ptu.exe	62
PID 4888 wrote to memory of 4220	4888	n3eeylod.ptu.exe	65
PID 4888 wrote to memory of 4992	4888	n3eeylod.ptu.exe	66
PID 4888 wrote to memory of 784	4888	n3eeylod.ptu.exe	68
PID 4888 wrote to memory of 2144	4888	n3eeylod.ptu.exe	69
PID 4888 wrote to memory of 4768	4888	n3eeylod.ptu.exe	70
PID 4888 wrote to memory of 1632	4888	n3eeylod.ptu.exe	71
PID 4888 wrote to memory of 1980	4888	n3eeylod.ptu.exe	72
PID 4888 wrote to memory of 4544	4888	n3eeylod.ptu.exe	73
PID 4888 wrote to memory of 2348	4888	n3eeylod.ptu.exe	74
PID 4888 wrote to memory of 4780	4888	n3eeylod.ptu.exe	76
PID 4780 wrote to memory of 340	4780	UZI.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:640
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:468

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1448
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1832

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Modifies data under HKEY_USERS
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2672

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3064

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3224
- C:\Users\Admin\AppData\Local\Temp\UZI.exe
  "C:\Users\Admin\AppData\Local\Temp\UZI.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\n3eeylod.ptu.exe
    "C:\Users\Admin\AppData\Local\Temp\n3eeylod.ptu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4888
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "MasonUZI.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\UZI.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4832
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "MasonUZI.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\UZI.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:340
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3436

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3792

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3872

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3964

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:784

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2144

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1980

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2348

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
- NTFS ADS
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n3eeylod.ptu.exe

Filesize
161KB

MD5
94f1ab3a068f83b32639579ec9c5d025

SHA1
38f3d5bc5de46feb8de093d11329766b8e2054ae

SHA256
879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0

SHA512
44d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c

Download Submit
memory/444-40-0x000001CFE41A0000-0x000001CFE41CB000-memory.dmp

Filesize
172KB

Download
memory/444-288-0x000001CFE41A0000-0x000001CFE41CB000-memory.dmp

Filesize
172KB

Download
memory/444-37-0x000001CFE41A0000-0x000001CFE41CB000-memory.dmp

Filesize
172KB

Download
memory/444-38-0x00007FF815C10000-0x00007FF815C20000-memory.dmp

Filesize
64KB

Download
memory/468-25-0x0000024178000000-0x000002417802B000-memory.dmp

Filesize
172KB

Download
memory/468-26-0x00007FF815C10000-0x00007FF815C20000-memory.dmp

Filesize
64KB

Download
memory/468-31-0x0000024178000000-0x000002417802B000-memory.dmp

Filesize
172KB

Download
memory/640-29-0x00007FF855C24000-0x00007FF855C25000-memory.dmp

Filesize
4KB

Download
memory/640-15-0x000001CF38C00000-0x000001CF38C25000-memory.dmp

Filesize
148KB

Download
memory/640-28-0x000001CF38C30000-0x000001CF38C5B000-memory.dmp

Filesize
172KB

Download
memory/640-17-0x00007FF815C10000-0x00007FF815C20000-memory.dmp

Filesize
64KB

Download
memory/640-16-0x000001CF38C30000-0x000001CF38C5B000-memory.dmp

Filesize
172KB

Download
memory/696-20-0x0000028ED4FD0000-0x0000028ED4FFB000-memory.dmp

Filesize
172KB

Download
memory/696-30-0x0000028ED4FD0000-0x0000028ED4FFB000-memory.dmp

Filesize
172KB

Download
memory/696-21-0x00007FF815C10000-0x00007FF815C20000-memory.dmp

Filesize
64KB

Download
memory/908-81-0x00000210EF590000-0x00000210EF5BB000-memory.dmp

Filesize
172KB

Download
memory/908-82-0x00007FF815C10000-0x00007FF815C20000-memory.dmp

Filesize
64KB

Download
memory/988-32-0x00000277BA4D0000-0x00000277BA4FB000-memory.dmp

Filesize
172KB

Download
memory/988-33-0x00007FF815C10000-0x00007FF815C20000-memory.dmp

Filesize
64KB

Download
memory/988-283-0x00000277BA4D0000-0x00000277BA4FB000-memory.dmp

Filesize
172KB

Download
memory/988-35-0x00000277BA4D0000-0x00000277BA4FB000-memory.dmp

Filesize
172KB

Download
memory/3224-77-0x0000000002E20000-0x0000000002E4B000-memory.dmp

Filesize
172KB

Download
memory/3224-78-0x00007FF815C10000-0x00007FF815C20000-memory.dmp

Filesize
64KB

Download
memory/4780-279-0x000002406C2F0000-0x000002406C308000-memory.dmp

Filesize
96KB

Download
memory/4780-278-0x000002406C2E0000-0x000002406C2F2000-memory.dmp

Filesize
72KB

Download
memory/4780-296-0x000002406B4F0000-0x000002406B500000-memory.dmp

Filesize
64KB

Download
memory/4780-0-0x00007FF834CF3000-0x00007FF834CF5000-memory.dmp

Filesize
8KB

Download
memory/4780-295-0x000002406E2D0000-0x000002406E492000-memory.dmp

Filesize
1.8MB

Download
memory/4780-294-0x000002406C740000-0x000002406C84A000-memory.dmp

Filesize
1.0MB

Download
memory/4780-272-0x000002406B700000-0x000002406B7E8000-memory.dmp

Filesize
928KB

Download
memory/4780-275-0x000002406B4F0000-0x000002406B500000-memory.dmp

Filesize
64KB

Download
memory/4780-293-0x000002406C5F0000-0x000002406C62C000-memory.dmp

Filesize
240KB

Download
memory/4780-276-0x000002406B7F0000-0x000002406B84C000-memory.dmp

Filesize
368KB

Download
memory/4780-277-0x000002406B4E0000-0x000002406B4EE000-memory.dmp

Filesize
56KB

Download
memory/4780-2-0x000002406AB20000-0x000002406AB4C000-memory.dmp

Filesize
176KB

Download
memory/4780-292-0x000002406C590000-0x000002406C5A2000-memory.dmp

Filesize
72KB

Download
memory/4780-280-0x000002406C2D0000-0x000002406C2E0000-memory.dmp

Filesize
64KB

Download
memory/4780-150-0x00007FF834CF3000-0x00007FF834CF5000-memory.dmp

Filesize
8KB

Download
memory/4780-1-0x0000024068D20000-0x0000024068E3A000-memory.dmp

Filesize
1.1MB

Download
memory/4888-12-0x00007FF854B00000-0x00007FF854BBD000-memory.dmp

Filesize
756KB

Download
memory/4888-274-0x00007FF855B80000-0x00007FF855D89000-memory.dmp

Filesize
2.0MB

Download
memory/4888-14-0x00007FF855B80000-0x00007FF855D89000-memory.dmp

Filesize
2.0MB

Download
memory/4888-13-0x00007FF855B81000-0x00007FF855CAA000-memory.dmp

Filesize
1.2MB

Download
memory/4888-11-0x00007FF855B80000-0x00007FF855D89000-memory.dmp

Filesize
2.0MB

Download