4acea05ab0905a50470e55fcb4575e6feee6e7f5ae857bdd388818cee7a562c6

Analysis

max time kernel
148s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Size

1.9MB
MD5

0a63e063ab8eb5d26764d60214cc718e
SHA1

5fd444ff88f9cbe1f31109a1332de2958ad8428a
SHA256

508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e
SHA512

f06131120f27e8c9e8138c7cce521ece72ad3c7187c1866a05f743caa11c32c4f9927838599d129d82d583dd5f1af5a5eaa91a6cbedd10adbcfd6db7f3633e2a
SSDEEP

24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	1356	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	1356	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5412	1356	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	1356	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6064	1356	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	1356	schtasks.exe	88

UAC bypass 3 TTPs 24 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1224	powershell.exe
3076	powershell.exe
3672	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 7 IoCs

pid	Process
1672	smss.exe
4052	smss.exe
3200	smss.exe
5812	smss.exe
4120	smss.exe
1592	smss.exe
2536	smss.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX9BE4.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX9BE5.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	smss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2204	schtasks.exe
3416	schtasks.exe
5412	schtasks.exe
348	schtasks.exe
6064	schtasks.exe
4572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4200	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
3672	powershell.exe
3672	powershell.exe
3672	powershell.exe
1224	powershell.exe
1224	powershell.exe
3076	powershell.exe
3076	powershell.exe
1224	powershell.exe
3076	powershell.exe
1672	smss.exe
4052	smss.exe
3200	smss.exe
5812	smss.exe
4120	smss.exe
1592	smss.exe
2536	smss.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4200	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	1672	smss.exe
Token: SeDebugPrivilege	4052	smss.exe
Token: SeDebugPrivilege	3200	smss.exe
Token: SeDebugPrivilege	5812	smss.exe
Token: SeDebugPrivilege	4120	smss.exe
Token: SeDebugPrivilege	1592	smss.exe
Token: SeDebugPrivilege	2536	smss.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 1224	4200	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	97
PID 4200 wrote to memory of 1224	4200	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	97
PID 4200 wrote to memory of 3076	4200	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	98
PID 4200 wrote to memory of 3076	4200	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	98
PID 4200 wrote to memory of 3672	4200	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	99
PID 4200 wrote to memory of 3672	4200	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	99
PID 4200 wrote to memory of 1672	4200	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	103
PID 4200 wrote to memory of 1672	4200	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	103
PID 1672 wrote to memory of 4920	1672	smss.exe	105
PID 1672 wrote to memory of 4920	1672	smss.exe	105
PID 1672 wrote to memory of 4472	1672	smss.exe	106
PID 1672 wrote to memory of 4472	1672	smss.exe	106
PID 4920 wrote to memory of 4052	4920	WScript.exe	111
PID 4920 wrote to memory of 4052	4920	WScript.exe	111
PID 4052 wrote to memory of 4856	4052	smss.exe	113
PID 4052 wrote to memory of 4856	4052	smss.exe	113
PID 4052 wrote to memory of 5788	4052	smss.exe	114
PID 4052 wrote to memory of 5788	4052	smss.exe	114
PID 4856 wrote to memory of 3200	4856	WScript.exe	118
PID 4856 wrote to memory of 3200	4856	WScript.exe	118
PID 3200 wrote to memory of 2856	3200	smss.exe	119
PID 3200 wrote to memory of 2856	3200	smss.exe	119
PID 3200 wrote to memory of 3752	3200	smss.exe	120
PID 3200 wrote to memory of 3752	3200	smss.exe	120
PID 2856 wrote to memory of 5812	2856	WScript.exe	121
PID 2856 wrote to memory of 5812	2856	WScript.exe	121
PID 5812 wrote to memory of 3364	5812	smss.exe	122
PID 5812 wrote to memory of 3364	5812	smss.exe	122
PID 5812 wrote to memory of 5760	5812	smss.exe	123
PID 5812 wrote to memory of 5760	5812	smss.exe	123
PID 3364 wrote to memory of 4120	3364	WScript.exe	125
PID 3364 wrote to memory of 4120	3364	WScript.exe	125
PID 4120 wrote to memory of 3400	4120	smss.exe	126
PID 4120 wrote to memory of 3400	4120	smss.exe	126
PID 4120 wrote to memory of 2624	4120	smss.exe	127
PID 4120 wrote to memory of 2624	4120	smss.exe	127
PID 3400 wrote to memory of 1592	3400	WScript.exe	128
PID 3400 wrote to memory of 1592	3400	WScript.exe	128
PID 1592 wrote to memory of 4048	1592	smss.exe	129
PID 1592 wrote to memory of 4048	1592	smss.exe	129
PID 1592 wrote to memory of 5544	1592	smss.exe	130
PID 1592 wrote to memory of 5544	1592	smss.exe	130
PID 4048 wrote to memory of 2536	4048	WScript.exe	131
PID 4048 wrote to memory of 2536	4048	WScript.exe	131
PID 2536 wrote to memory of 3412	2536	smss.exe	132
PID 2536 wrote to memory of 3412	2536	smss.exe	132
PID 2536 wrote to memory of 4676	2536	smss.exe	133
PID 2536 wrote to memory of 4676	2536	smss.exe	133

System policy modification 1 TTPs 24 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
"C:\Users\Admin\AppData\Local\Temp\508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3672
- C:\3ac54ddf2ad44faa6035cf\smss.exe
  "C:\3ac54ddf2ad44faa6035cf\smss.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1672
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38c8d5a1-5892-4a34-a4b0-e3c247fafe29.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\3ac54ddf2ad44faa6035cf\smss.exe
      C:\3ac54ddf2ad44faa6035cf\smss.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4052
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c6f07c8-cc3c-474b-bf42-ed98d4dae7bb.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\3ac54ddf2ad44faa6035cf\smss.exe
        
        C:\3ac54ddf2ad44faa6035cf\smss.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af9ae012-ea3e-4f74-b7cc-ca7588db9acf.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\3ac54ddf2ad44faa6035cf\smss.exe
        
        C:\3ac54ddf2ad44faa6035cf\smss.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9701bae4-3f0c-431a-a051-b868283ca5ba.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\3ac54ddf2ad44faa6035cf\smss.exe
        
        C:\3ac54ddf2ad44faa6035cf\smss.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07d4258d-79f1-46d5-ae1b-d682b0726536.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\3ac54ddf2ad44faa6035cf\smss.exe
        
        C:\3ac54ddf2ad44faa6035cf\smss.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f1d4018-d0a8-4904-84b8-8a4b1bc0ff0c.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\3ac54ddf2ad44faa6035cf\smss.exe
        
        C:\3ac54ddf2ad44faa6035cf\smss.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f234e2fd-f070-4c1f-8849-da0ef7afd930.vbs"
        15⤵
        
        PID:3412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73577066-9eb6-4ced-b97f-614494154750.vbs"
        15⤵
        
        PID:4676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61adba62-a094-4c09-9bc5-07107814deeb.vbs"
        13⤵
        
        PID:5544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31ff6eb3-fc8a-4a30-9b75-25e880fea707.vbs"
        11⤵
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d9ed021-a22f-4349-b994-e58dc7605267.vbs"
        9⤵
        
        PID:5760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e856b11-6d3b-4346-9b16-a82ce6da997f.vbs"
        7⤵
        
        PID:3752
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73da8cc3-5e4f-4223-8b8e-e2ffbb50bfb4.vbs"
        5⤵
        
        PID:5788
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c715bd2d-b2a2-426e-aa2b-cd2b01491835.vbs"
    3⤵
    PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\3ac54ddf2ad44faa6035cf\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\3ac54ddf2ad44faa6035cf\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe

Filesize
1.9MB

MD5
0a63e063ab8eb5d26764d60214cc718e

SHA1
5fd444ff88f9cbe1f31109a1332de2958ad8428a

SHA256
508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e

SHA512
f06131120f27e8c9e8138c7cce521ece72ad3c7187c1866a05f743caa11c32c4f9927838599d129d82d583dd5f1af5a5eaa91a6cbedd10adbcfd6db7f3633e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
454c5c4b128d34aee2eb765f2a9c0aa9

SHA1
4b6e92db79d964f604fd6b261b3b19ede2aea8a5

SHA256
e1e65d1697b9ac59805f677cbc8eec623a899b75b1389354f0948ad3c1513772

SHA512
17b4e146ef4f8862d06ac975204cca9ef9b077420256df92d94409715b18efb4dc63879154c1c234317a169ac63024ed43b5cb52473882dc46c588af089f25d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\07d4258d-79f1-46d5-ae1b-d682b0726536.vbs

Filesize
710B

MD5
d4a35a86d65ff9962e3aecc253367b79

SHA1
0a5ece775ffbee2cc26eb1cd4d18f367a892c7d7

SHA256
7d9cf7fe4e3ac16cb4180f265ce524b425d9f7180260bd14a2d52cfc5b295365

SHA512
88227793b309a70ea826447f5f7c59262a6f20384d0d96f470d972219ff11245893964fac117aa8720ecc07136b99f334a27583428d90fd704f47ae7b18c9f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\38c8d5a1-5892-4a34-a4b0-e3c247fafe29.vbs

Filesize
710B

MD5
7d4f067884c2cc29077820e0a0b77c57

SHA1
22fc523ec0d3ca623e1ee0ec5a1beca280cdf10f

SHA256
9952c1e6b1dc82167fc086273fe5cf0760fd5cb5f15502bbb36f4364f4b447fb

SHA512
8f40bc2f3624c1fb19dbb9fe6ac0a5b4525179a68ce1a9dac3d963dc71ffd5256f1c6e7058b2fafd4899c39c82632b4245224cdb35e0384800a91620c3a8d249

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c6f07c8-cc3c-474b-bf42-ed98d4dae7bb.vbs

Filesize
710B

MD5
10cae8fe4dc0d2811545f62300fbe03b

SHA1
757c8c57cc083b350a74ef3bdde15194c8f5eeaf

SHA256
90d286e0c3e958b315e8af2fe797fcc9c21bb95c9ad5e41140a66ed15f4f160d

SHA512
983cde8addcdf92b58c901658ba943d084387c86af87d32b8a8a063c93a855265606005dc4aeb6b2f645f645faeae1ceb2fce97e96795b95f1f7f78b8c521976

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f1d4018-d0a8-4904-84b8-8a4b1bc0ff0c.vbs

Filesize
710B

MD5
3be68f63654a24a725be0ff3b0de7eee

SHA1
12032128ff0aa65c79e0f83a965de07381a576ea

SHA256
a8c591e74ba9eb33002c32104b46d3d0c28c92514f15988f9bb68c7f5c4afd45

SHA512
d6c3432cbcd36f7886cc93d29de15a316e80f6d3322374008f741e9275b63671d491a0145ea37739fe135a079dfdba22c895753618e618f0363ef53dd87ce548

Download Submit
C:\Users\Admin\AppData\Local\Temp\9701bae4-3f0c-431a-a051-b868283ca5ba.vbs

Filesize
710B

MD5
c13082e74115a5f719db616d86760136

SHA1
0e77fbe3e343d1e95912ba5a4e0ce1aced1c46e3

SHA256
9ff092cd53556961a8f8064dc1f062c22efb963505f2e6a81b95f80b70571e6f

SHA512
8f0fa2da6cd238bdd2d4241a7b053232116d6d985e28d852932d991b95214d808cafba72640e68cb070592ded8375302196f652e3067481dd3a3a6cf52747aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n0botxjz.qvt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\af9ae012-ea3e-4f74-b7cc-ca7588db9acf.vbs

Filesize
710B

MD5
de580f88d7bdf0a852864e981c383eb3

SHA1
c543ddfc96152ce8b936a3ba412981686bed7a44

SHA256
244b426eacedbff32d6f791f488ba02c6cf6013dcdbb6fed55a4661d7ad45d32

SHA512
30ee48e25883034ca5066cfecf55d26817047339038058bf8a407a68859e7c2c92bd4ba02ca91e25db3b6b9c8d8af1bffbc47b9d5cf5844d596bf68944d4be2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c715bd2d-b2a2-426e-aa2b-cd2b01491835.vbs

Filesize
486B

MD5
7d086c6d79b4e7fa7b4e7c2ea1aa685a

SHA1
69097b8f887411471aa48014308ca25c926cb4cc

SHA256
3a7f7ea04d352dd810a533c9ff8f114487bcb36512623ae07cd7da0216cfce20

SHA512
0afb1482f75545a42a80dadac44a0244905a24f8919e9b674784d5c169b863c052a47487acd10de02eb72dbc46f9933b0a91a392a899dbb3d2f5101b30af3e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\f234e2fd-f070-4c1f-8849-da0ef7afd930.vbs

Filesize
710B

MD5
8479ab32845f954f30d2af8f1fbbf90c

SHA1
85fd388293dcbf32736e3c94b89a6ce11832c966

SHA256
eec23cc159219a035ff6b2beb98e22a86ba38907e72659a3c205ec4b91e3a49e

SHA512
1b6afd2b31f0e5fcc640e6c8db7ec12bd16f780abe012f79fd3d571fcd0d00a82336152baddb26baec769648e18c99e966a709b3754dd23f46099d588ce8ef39

Download Submit
memory/3672-113-0x0000018870780000-0x00000188707A2000-memory.dmp

Filesize
136KB

Download
memory/4200-8-0x000000001BCD0000-0x000000001BCDA000-memory.dmp

Filesize
40KB

Download
memory/4200-150-0x00007FF979D60000-0x00007FF97A821000-memory.dmp

Filesize
10.8MB

Download
memory/4200-18-0x000000001C5C0000-0x000000001C5C8000-memory.dmp

Filesize
32KB

Download
memory/4200-17-0x000000001C5B0000-0x000000001C5BE000-memory.dmp

Filesize
56KB

Download
memory/4200-16-0x000000001C5A0000-0x000000001C5AA000-memory.dmp

Filesize
40KB

Download
memory/4200-15-0x000000001C3E0000-0x000000001C3EC000-memory.dmp

Filesize
48KB

Download
memory/4200-20-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/4200-14-0x000000001CEC0000-0x000000001D3E8000-memory.dmp

Filesize
5.2MB

Download
memory/4200-10-0x000000001BCE0000-0x000000001BCEC000-memory.dmp

Filesize
48KB

Download
memory/4200-13-0x000000001BD50000-0x000000001BD62000-memory.dmp

Filesize
72KB

Download
memory/4200-11-0x000000001BCF0000-0x000000001BCF8000-memory.dmp

Filesize
32KB

Download
memory/4200-19-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/4200-9-0x000000001C390000-0x000000001C3E6000-memory.dmp

Filesize
344KB

Download
memory/4200-0-0x00007FF979D63000-0x00007FF979D65000-memory.dmp

Filesize
8KB

Download
memory/4200-7-0x000000001BCB0000-0x000000001BCC6000-memory.dmp

Filesize
88KB

Download
memory/4200-6-0x000000001BC90000-0x000000001BCA0000-memory.dmp

Filesize
64KB

Download
memory/4200-5-0x0000000001940000-0x0000000001948000-memory.dmp

Filesize
32KB

Download
memory/4200-4-0x000000001BD00000-0x000000001BD50000-memory.dmp

Filesize
320KB

Download
memory/4200-3-0x0000000001960000-0x000000000197C000-memory.dmp

Filesize
112KB

Download
memory/4200-2-0x00007FF979D60000-0x00007FF97A821000-memory.dmp

Filesize
10.8MB

Download
memory/4200-1-0x0000000000F90000-0x000000000117A000-memory.dmp

Filesize
1.9MB

Download