ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733

Analysis

max time kernel
54s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe
Size

3.0MB
MD5

ee3f168d7d032b8ccce800b8bd63214b
SHA1

46c7808867be5eab309eb53dcf735827d4f59d95
SHA256

ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733
SHA512

e75ac3f0bafdc2d825fae6d50443a8efcfd8fd70816b81673aee6bc4f4fc39d563766586555874056883b4f1b0e55e99d2023152c8ddeedbf4897a353b2c56a1
SSDEEP

98304:pjlpHBlcfV6F0ozPrJKhZg+SWPzuNwOyoSe:pjlDlqsF90g+SWPWv

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

BrokerNet.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\RuntimeBroker.exe\""	BrokerNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\ChainwebbrokerHost\\BrokerNet.exe\""	BrokerNet.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2216	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2216	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2216	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	2216	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	2216	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2216	schtasks.exe

Detects executables packed with unregistered version of .NET Reactor 36 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\BrokerNet.exe	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/1704-38-0x0000000000550000-0x00000000006FA000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-201-0x000000001B2B0000-0x000000001B480000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-203-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-223-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-235-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-249-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-261-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-265-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-263-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-259-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-257-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-255-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-253-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-251-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-245-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-243-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-241-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-239-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-237-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-233-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-231-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-229-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-227-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-226-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-219-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-217-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-215-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-213-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-247-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-221-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-211-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-209-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-207-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-205-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3592-202-0x000000001B2B0000-0x000000001B479000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Checks computer location settings 2 TTPs 23 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ExpensiveLauncher.exeExpensiveLauncher.exeRuntimeBroker.exeExpensiveLauncher.exedllhost.exeef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exeExpensiveLauncher.exeExpensiveLauncher.exedllhost.exedllhost.exeExpensiveLauncher.exeRuntimeBroker.exeNursultan.exedllhost.exedllhost.exeExpensiveLauncher.exedllhost.exedllhost.exeWScript.exeBrokerNet.exeRuntimeBroker.exedllhost.exeExpensiveLauncher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ExpensiveLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ExpensiveLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ExpensiveLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ExpensiveLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ExpensiveLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ExpensiveLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ExpensiveLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	BrokerNet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ExpensiveLauncher.exe

Executes dropped EXE 23 IoCs

Processes:

Nursultan.exeExpensiveLauncher.exeBrokerNet.exeRuntimeBroker.exeExpensiveLauncher.exedllhost.exeExpensiveLauncher.exedllhost.exeExpensiveLauncher.exedllhost.exeExpensiveLauncher.exedllhost.exeExpensiveLauncher.exedllhost.exeRuntimeBroker.exeExpensiveLauncher.exedllhost.exeExpensiveLauncher.exedllhost.exeExpensiveLauncher.exeRuntimeBroker.exedllhost.exeRuntimeBroker.exe

pid	process
4276	Nursultan.exe
4076	ExpensiveLauncher.exe
1704	BrokerNet.exe
3748	RuntimeBroker.exe
2404	ExpensiveLauncher.exe
5008	dllhost.exe
2740	ExpensiveLauncher.exe
3476	dllhost.exe
412	ExpensiveLauncher.exe
4324	dllhost.exe
656	ExpensiveLauncher.exe
224	dllhost.exe
4304	ExpensiveLauncher.exe
2400	dllhost.exe
1640	RuntimeBroker.exe
1584	ExpensiveLauncher.exe
4548	dllhost.exe
2520	ExpensiveLauncher.exe
1992	dllhost.exe
2204	ExpensiveLauncher.exe
4212	RuntimeBroker.exe
4368	dllhost.exe
2152	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

BrokerNet.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BrokerNet = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChainwebbrokerHost\\BrokerNet.exe\""	BrokerNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BrokerNet = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChainwebbrokerHost\\BrokerNet.exe\""	BrokerNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\AppData\\Local\\RuntimeBroker.exe\""	BrokerNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\AppData\\Local\\RuntimeBroker.exe\""	BrokerNet.exe

Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
5 ip-api.com
11 ip-api.com
13 ip-api.com
14 ip-api.com
16 ip-api.com
Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description ioc process

File created \??\c:\Windows\System32\CSCB51BE5A873984E57AC20C99B5AFD61C4.TMP csc.exe
File created \??\c:\Windows\System32\cwwwvr.exe csc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	ip-api.com
5	ip-api.com
11	ip-api.com
13	ip-api.com
14	ip-api.com
16	ip-api.com

description	ioc	process
File created	\??\c:\Windows\System32\CSCB51BE5A873984E57AC20C99B5AFD61C4.TMP	csc.exe
File created	\??\c:\Windows\System32\cwwwvr.exe	csc.exe

Modifies registry class 13 IoCs

Processes:

Nursultan.exedllhost.exedllhost.exeRuntimeBroker.exeBrokerNet.exedllhost.exedllhost.exedllhost.exeRuntimeBroker.exedllhost.exeRuntimeBroker.exedllhost.exedllhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	Nursultan.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	BrokerNet.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	dllhost.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

5484 PING.EXE
3212 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1640 schtasks.exe
836 schtasks.exe
1592 schtasks.exe
4640 schtasks.exe
3760 schtasks.exe
336 schtasks.exe

pid	process
5484	PING.EXE
3212	PING.EXE

pid	process
1640	schtasks.exe
836	schtasks.exe
1592	schtasks.exe
4640	schtasks.exe
3760	schtasks.exe
336	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

BrokerNet.exeRuntimeBroker.exeRuntimeBroker.exe

pid	process
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
1704	BrokerNet.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
3748	RuntimeBroker.exe
1640	RuntimeBroker.exe
1640	RuntimeBroker.exe
1640	RuntimeBroker.exe
1640	RuntimeBroker.exe
1640	RuntimeBroker.exe
1640	RuntimeBroker.exe
1640	RuntimeBroker.exe
1640	RuntimeBroker.exe
1640	RuntimeBroker.exe
1640	RuntimeBroker.exe
1640	RuntimeBroker.exe
1640	RuntimeBroker.exe
1640	RuntimeBroker.exe
1640	RuntimeBroker.exe
1640	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exeExpensiveLauncher.exeBrokerNet.exeRuntimeBroker.exeExpensiveLauncher.exeExpensiveLauncher.exeExpensiveLauncher.exeExpensiveLauncher.exeRuntimeBroker.exeExpensiveLauncher.exeExpensiveLauncher.exeExpensiveLauncher.exeRuntimeBroker.exeExpensiveLauncher.exeRuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	3400	ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe
Token: SeDebugPrivilege	4076	ExpensiveLauncher.exe
Token: SeDebugPrivilege	1704	BrokerNet.exe
Token: SeDebugPrivilege	3748	RuntimeBroker.exe
Token: SeDebugPrivilege	2404	ExpensiveLauncher.exe
Token: SeDebugPrivilege	2740	ExpensiveLauncher.exe
Token: SeDebugPrivilege	412	ExpensiveLauncher.exe
Token: SeDebugPrivilege	656	ExpensiveLauncher.exe
Token: SeDebugPrivilege	1640	RuntimeBroker.exe
Token: SeDebugPrivilege	4304	ExpensiveLauncher.exe
Token: SeDebugPrivilege	1584	ExpensiveLauncher.exe
Token: SeDebugPrivilege	2520	ExpensiveLauncher.exe
Token: SeDebugPrivilege	4212	RuntimeBroker.exe
Token: SeDebugPrivilege	2204	ExpensiveLauncher.exe
Token: SeDebugPrivilege	2152	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exeNursultan.exeWScript.execmd.exeBrokerNet.execsc.execmd.exeExpensiveLauncher.exeRuntimeBroker.exedllhost.execmd.exeExpensiveLauncher.exedllhost.exeExpensiveLauncher.exedllhost.exeExpensiveLauncher.exedllhost.exeExpensiveLauncher.exe

description	pid	process	target process
PID 3400 wrote to memory of 4276	3400	ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe	Nursultan.exe
PID 3400 wrote to memory of 4276	3400	ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe	Nursultan.exe
PID 3400 wrote to memory of 4276	3400	ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe	Nursultan.exe
PID 3400 wrote to memory of 4076	3400	ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe	ExpensiveLauncher.exe
PID 3400 wrote to memory of 4076	3400	ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe	ExpensiveLauncher.exe
PID 4276 wrote to memory of 3936	4276	Nursultan.exe	WScript.exe
PID 4276 wrote to memory of 3936	4276	Nursultan.exe	WScript.exe
PID 4276 wrote to memory of 3936	4276	Nursultan.exe	WScript.exe
PID 3936 wrote to memory of 3452	3936	WScript.exe	cmd.exe
PID 3936 wrote to memory of 3452	3936	WScript.exe	cmd.exe
PID 3936 wrote to memory of 3452	3936	WScript.exe	cmd.exe
PID 3452 wrote to memory of 1704	3452	cmd.exe	BrokerNet.exe
PID 3452 wrote to memory of 1704	3452	cmd.exe	BrokerNet.exe
PID 1704 wrote to memory of 5104	1704	BrokerNet.exe	csc.exe
PID 1704 wrote to memory of 5104	1704	BrokerNet.exe	csc.exe
PID 5104 wrote to memory of 2428	5104	csc.exe	cvtres.exe
PID 5104 wrote to memory of 2428	5104	csc.exe	cvtres.exe
PID 1704 wrote to memory of 2960	1704	BrokerNet.exe	cmd.exe
PID 1704 wrote to memory of 2960	1704	BrokerNet.exe	cmd.exe
PID 2960 wrote to memory of 8	2960	cmd.exe	chcp.com
PID 2960 wrote to memory of 8	2960	cmd.exe	chcp.com
PID 2960 wrote to memory of 4148	2960	cmd.exe	w32tm.exe
PID 2960 wrote to memory of 4148	2960	cmd.exe	w32tm.exe
PID 2960 wrote to memory of 3748	2960	cmd.exe	RuntimeBroker.exe
PID 2960 wrote to memory of 3748	2960	cmd.exe	RuntimeBroker.exe
PID 4076 wrote to memory of 2404	4076	ExpensiveLauncher.exe	ExpensiveLauncher.exe
PID 4076 wrote to memory of 2404	4076	ExpensiveLauncher.exe	ExpensiveLauncher.exe
PID 4076 wrote to memory of 5008	4076	ExpensiveLauncher.exe	dllhost.exe
PID 4076 wrote to memory of 5008	4076	ExpensiveLauncher.exe	dllhost.exe
PID 4076 wrote to memory of 5008	4076	ExpensiveLauncher.exe	dllhost.exe
PID 3748 wrote to memory of 2236	3748	RuntimeBroker.exe	cmd.exe
PID 3748 wrote to memory of 2236	3748	RuntimeBroker.exe	cmd.exe
PID 5008 wrote to memory of 1880	5008	dllhost.exe	WScript.exe
PID 5008 wrote to memory of 1880	5008	dllhost.exe	WScript.exe
PID 5008 wrote to memory of 1880	5008	dllhost.exe	WScript.exe
PID 2236 wrote to memory of 2204	2236	cmd.exe	chcp.com
PID 2236 wrote to memory of 2204	2236	cmd.exe	chcp.com
PID 2236 wrote to memory of 3212	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 3212	2236	cmd.exe	PING.EXE
PID 2404 wrote to memory of 2740	2404	ExpensiveLauncher.exe	ExpensiveLauncher.exe
PID 2404 wrote to memory of 2740	2404	ExpensiveLauncher.exe	ExpensiveLauncher.exe
PID 2404 wrote to memory of 3476	2404	ExpensiveLauncher.exe	dllhost.exe
PID 2404 wrote to memory of 3476	2404	ExpensiveLauncher.exe	dllhost.exe
PID 2404 wrote to memory of 3476	2404	ExpensiveLauncher.exe	dllhost.exe
PID 3476 wrote to memory of 3956	3476	dllhost.exe	WScript.exe
PID 3476 wrote to memory of 3956	3476	dllhost.exe	WScript.exe
PID 3476 wrote to memory of 3956	3476	dllhost.exe	WScript.exe
PID 2740 wrote to memory of 412	2740	ExpensiveLauncher.exe	ExpensiveLauncher.exe
PID 2740 wrote to memory of 412	2740	ExpensiveLauncher.exe	ExpensiveLauncher.exe
PID 2740 wrote to memory of 4324	2740	ExpensiveLauncher.exe	dllhost.exe
PID 2740 wrote to memory of 4324	2740	ExpensiveLauncher.exe	dllhost.exe
PID 2740 wrote to memory of 4324	2740	ExpensiveLauncher.exe	dllhost.exe
PID 4324 wrote to memory of 5052	4324	dllhost.exe	WScript.exe
PID 4324 wrote to memory of 5052	4324	dllhost.exe	WScript.exe
PID 4324 wrote to memory of 5052	4324	dllhost.exe	WScript.exe
PID 412 wrote to memory of 656	412	ExpensiveLauncher.exe	ExpensiveLauncher.exe
PID 412 wrote to memory of 656	412	ExpensiveLauncher.exe	ExpensiveLauncher.exe
PID 412 wrote to memory of 224	412	ExpensiveLauncher.exe	dllhost.exe
PID 412 wrote to memory of 224	412	ExpensiveLauncher.exe	dllhost.exe
PID 412 wrote to memory of 224	412	ExpensiveLauncher.exe	dllhost.exe
PID 224 wrote to memory of 396	224	dllhost.exe	WScript.exe
PID 224 wrote to memory of 396	224	dllhost.exe	WScript.exe
PID 224 wrote to memory of 396	224	dllhost.exe	WScript.exe
PID 656 wrote to memory of 4304	656	ExpensiveLauncher.exe	ExpensiveLauncher.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe
"C:\Users\Admin\AppData\Local\Temp\ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3400

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\gYZ4rUP2ZbhoMyNj3nrlLxq5R7jYF3gYX.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\zVePG0oR7GxsFrzVQOAnRVyOvcDN7woYPN55AHo3GILC8wcbBKG.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3452

C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\BrokerNet.exe
"C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost/BrokerNet.exe"
5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zjkwkhva\zjkwkhva.cmdline"
6⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA22B.tmp" "c:\Windows\System32\CSCB51BE5A873984E57AC20C99B5AFD61C4.TMP"
7⤵
PID:2428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p6nUq6wxLH.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:8

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:4148

C:\Users\Admin\AppData\Local\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9LyY97a2AO.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\chcp.com
chcp 65001
9⤵
PID:2204

C:\Windows\system32\PING.EXE
ping -n 10 localhost
9⤵
- Runs ping.exe
PID:3212

C:\Users\Admin\AppData\Local\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ujuZrulyBl.bat"
10⤵
PID:4088

C:\Windows\system32\chcp.com
chcp 65001
11⤵
PID:3256

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:1548

C:\Users\Admin\AppData\Local\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PImWX2qXqf.bat"
12⤵
PID:440

C:\Windows\system32\chcp.com
chcp 65001
13⤵
PID:3248

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:4392

C:\Users\Admin\AppData\Local\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BFBBgjIbh8.bat"
14⤵
PID:2976

C:\Windows\system32\chcp.com
chcp 65001
15⤵
PID:2688

C:\Windows\system32\PING.EXE
ping -n 10 localhost
15⤵
- Runs ping.exe
PID:5484

C:\Users\Admin\AppData\Local\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
15⤵
PID:5184

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
11⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
12⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
13⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
14⤵
PID:7796

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
14⤵
PID:7228

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
15⤵
PID:6636

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
13⤵
PID:2188

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
14⤵
PID:5556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgehyperintoref\s0CRYs.bat" "
15⤵
PID:5144

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
12⤵
PID:656

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
13⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgehyperintoref\s0CRYs.bat" "
14⤵
PID:6248

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
15⤵
PID:6568

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
11⤵
PID:3808

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
12⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgehyperintoref\s0CRYs.bat" "
13⤵
PID:6256

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
14⤵
PID:7100

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4368

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
11⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgehyperintoref\s0CRYs.bat" "
12⤵
PID:3120

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
13⤵
PID:6820

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1992

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
10⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgehyperintoref\s0CRYs.bat" "
11⤵
PID:4372

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
12⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4548

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
9⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgehyperintoref\s0CRYs.bat" "
10⤵
PID:5104

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
11⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2400

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
8⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgehyperintoref\s0CRYs.bat" "
9⤵
PID:5036

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
10⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
7⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgehyperintoref\s0CRYs.bat" "
8⤵
PID:2916

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
9⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
6⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgehyperintoref\s0CRYs.bat" "
7⤵
PID:512

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
8⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
5⤵
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgehyperintoref\s0CRYs.bat" "
6⤵
PID:2168

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
7⤵
PID:432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDxkNu1Frt.bat"
8⤵
PID:6264

C:\Windows\system32\chcp.com
chcp 65001
9⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe"
4⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgehyperintoref\s0CRYs.bat" "
5⤵
PID:2264

C:\bridgehyperintoref\containercomponentWinsession.exe
"C:\bridgehyperintoref/containercomponentWinsession.exe"
6⤵
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BrokerNetB" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\BrokerNet.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BrokerNet" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\BrokerNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BrokerNetB" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\BrokerNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ExpensiveLauncher.exe.log
Filesize
1KB

MD5
bb6a89a9355baba2918bb7c32eca1c94

SHA1
976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

SHA256
192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

SHA512
efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
Filesize
1KB

MD5
11aa02596ceccef38b448c52a899f470

SHA1
6da94dc9579e969d39d5e65c066af3a5251e39b4

SHA256
e778ec777a79a1a9c9a3b605ab9681558395d2f3ef46f6c34dca1e00dcd771fd

SHA512
5de4fd51ae76cce8de25c5257ee873a71668acdf407bc3351410f9f840a9b074099d4c018657d2cc8f33273e6fd03e4365165e4834ba12c052d735212bf5d0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9LyY97a2AO.bat
Filesize
174B

MD5
050aeaeac46572a110059101aad172d2

SHA1
3cbe8f0307b8600cd199f9b823ad69e8d29732b9

SHA256
8771ab6ab4da10fb2a095a3b11ce7d58b44f4349dbaa308ecaa5e384ab7a51cf

SHA512
6d1610af1d38caebcbe0edcad3fb4ff310f4aae6a05d609cbc9d00f9d0d22e5e74c63700f55e9d0251fb619653da7a5efe910bb5b5c5ebc9314593a560ac7398

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFBBgjIbh8.bat
Filesize
174B

MD5
e8d1bc89e636f7a79712132dce766bb3

SHA1
a9a1145a65ce9da39c42d4f54e3641e0029a6267

SHA256
3ae1531dfe7247b2ddc76411b3a7969f232b18d9026f165bebf5eceec1158a49

SHA512
87877fc8640e349ffa78df22d0472f0c696942c1b23c0de8b826b417c0df2961dcd37f18f48e7eeb858a0e657010df5a568d4ababa3a87a175724596f657f9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
Filesize
1.6MB

MD5
7e31f174306b2b48ece36a0d3428336e

SHA1
c533507974dedf73e651b5e0d8c224b1c8af7ccc

SHA256
dcc8e595c5aa29e8ba84d43d8775428b6f24e463544b54770107ec6181409236

SHA512
6baafa73dcce7ecef1fc32d31886df3dd6c766b8fcdd442971e297024f7252a318f195e968e2148131b54b2696d4f78514dc0ad2babb00b545c679b7e15eedd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
Filesize
1.5MB

MD5
f764cf674295a57ad7fa668a1736a8ec

SHA1
0b8af6669c4b26703773313c2537d261120e3a0f

SHA256
d1b7468729fe223bb9c6c8935b85e4bef13aa0e034837185fb7d79732fbf7433

SHA512
c10fd604b54319914bc745c17d3918dcb07636e93906436b1ed1075480bbda4f10242660801c838e779324b9523f7756c680de4dad2d96b17d82e6e40050f002

Download Submit
C:\Users\Admin\AppData\Local\Temp\PImWX2qXqf.bat
Filesize
222B

MD5
54b50fcce9a698c92f5ec45a569f0838

SHA1
42fca6ec7807ac447e53c93226e169a73ca1a8cc

SHA256
db784d1c6c82d4301582ab3d25bcbac343d4c173584bf1f4adc9b6179f7fa90d

SHA512
49ecb6f32885fca12d480d67fd4b347283ee8b6f745af644b839bab9f084994300c08158b0f55e53d03ed280971d16061c7df252a5b582e080b05da4a66f3b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA22B.tmp
Filesize
1KB

MD5
2a12185b32a9d57a24800ad80d46be24

SHA1
666e65f1a0be9649807cedf0b63699369b47c7a5

SHA256
0485852df8c3634e6c7097d7191afc6adb270a4e2dacd2d60a0403238463253e

SHA512
e723dd8f68a6d59c6628ad7f5d4545b65f86569ed0ad2d170d698e3b0c2597e14e9d23b343915ad5e14ac1cdd505abedf2423dafc56d029280c5b8188381b925

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhost.exe
Filesize
1.8MB

MD5
89ac03c00af06a3a6af77cc6d3efb90f

SHA1
21e58d891fc3a2cbb1d8e3873e3b8b44404bc044

SHA256
47c5daa5705213579570529232641cba391bb6bf2d4c38523d5ea6a596f15e12

SHA512
c4899c371aa855df5bb4f646fe624cea9ae0a8313784dde1b455f54f970c87bc07c9900cf3a98a15a32a50ae4ba7d95621e41f5ff31cc7493bad150d3546d6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\p6nUq6wxLH.bat
Filesize
222B

MD5
a7759c3cdf207a399ca50886ffbd152d

SHA1
f4132be7a14cc79bf24d93b93842d450455f809a

SHA256
04dab08f1697a5f00ce2e26d3630b02f23f06aa869f8d170910788f7e55b533e

SHA512
381f770d358da7334320137db4d5673448b1b0efa4d7480f9454f8bbefa9f37b4ee8401764f62d0ff529d0cbaadc7663c1773fbe77065456275b2010b0445560

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujuZrulyBl.bat
Filesize
222B

MD5
a1a3b29cf231f1f95863f606959bf1ff

SHA1
2c93385515277e1b9b314bf1aad53016315189c8

SHA256
1540dbab35fa5b790094fb70cb746008b0845e621eafb0d9bade87b8eaeafffc

SHA512
657b3bf00331c0a625b4a9b57a514a7815cdf832c24f32d552a549494aa012814fd0c9c3f0ea70f67b42bf47b7cc9edce0afc2e56470304e0c1e81051886c25d

Download Submit
C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\BrokerNet.exe
Filesize
1.6MB

MD5
dea574319381eb096140dd23a8125405

SHA1
9a5dc9d11617ec9fe821a799a272f044bcf12c0b

SHA256
63d827abee6c1f7704f58b9bf2afa6c414b52b704bb2698c9f5c74d08b418b0b

SHA512
b69d8eed06e3b018fc22b308353631978aa0bf31e0048b7b14f7f374ced6857f772cfd9df8ea057d2b297dc761155b1f6e748868ac3b7a253a4d23ac9338e322

Download Submit
C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\gYZ4rUP2ZbhoMyNj3nrlLxq5R7jYF3gYX.vbe
Filesize
254B

MD5
3a6c857270f1479ca63e27b5704e0e98

SHA1
066bbf1da6ffe36b282015a6482671ad3fab62db

SHA256
266759d52df9bad8b31787bd1c68a613437ebe66acbccf99c3f00a437d6bf190

SHA512
176a81b885a50347be30d1ad3effdc6981a34df72df4a44b6a77fa3abe817f243c5ee1f8343b9f119980f607a5d6ae8c0e1c8dc3e5787d9ce376df788863f636

Download Submit
C:\Users\Admin\AppData\Roaming\ChainwebbrokerHost\zVePG0oR7GxsFrzVQOAnRVyOvcDN7woYPN55AHo3GILC8wcbBKG.bat
Filesize
95B

MD5
78444b954218e281512655767a79a9d4

SHA1
928b23937e1278aa8312cf6bc42eb1e81e9d60c2

SHA256
3d79cdd944b481434beb2b41b0cd6f2fc9312fd59ce4fdad0356a32e1530edf5

SHA512
89193e0b911ccf219d6d3d1a56f504adc8264628d14a9cc72b539375a27ed5af64499602d8f9296cfe562af5e4f36182d0c7d4e30a9401b7ebe9f0be9588464e

Download Submit
C:\bridgehyperintoref\GZSBwXX6f3v7SDac33XiM3w8.vbe
Filesize
203B

MD5
8fdb05b80cb5e35641b747d91cce3170

SHA1
650d31e0b46c0c33b0d1688d85591392c66fa379

SHA256
a3839907cd1c1f9bcf807e9d63fdaf4365774b6f934a8e988f48d020248e987f

SHA512
db4dd9275fc9cc63e7a7c21f3914b901b16ba2e520581fc2562fd22ac6f93262f1305f99650ee0f3b0234b7c744a30dda3bd0a642705ddc8aca97dfb23f49191

Download Submit
C:\bridgehyperintoref\containercomponentWinsession.exe
Filesize
1.4MB

MD5
5bd9f36c577a19e117525a0054b00486

SHA1
f6c8e2234efdb1e9af35413e326dc3143dc14e59

SHA256
7c6aa6eae77e2371a257892151e07d7a96316087aae3c45aed0fe49ecfab0ff5

SHA512
fb91ff8eba24d28f5d644012c45879308fb90ff114274e9aeb1305aee60a9d386356dba471be9358822798afb21e1478a79d7cb66563206ac3b8c72f10e85639

Download Submit
C:\bridgehyperintoref\s0CRYs.bat
Filesize
112B

MD5
2abdf3942852851e59a786f6785137a0

SHA1
da856a32c0505e9315a9a7e250dbe735adfdbb1b

SHA256
4bd82dd25116b82653b6a443f09476e796c6e5b7bd101ed47983c1413f3405dc

SHA512
ae8cc651a4a179651e91ac65edaa854b9176767c13d20159edba8f9f9e187338018bf3c700c0d6e7a7c010ff09a9d0e58418d72b3a8c3470b8ad2323c40ee394

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zjkwkhva\zjkwkhva.0.cs
Filesize
378B

MD5
7f5c2b8b81b01bbdcf7e5e064da57ded

SHA1
b2f5633715f24e0b23984b0fa78af7f2557e3784

SHA256
88ecb0bd4592afb2d4d85f54fa019fd5197ce8360839c581f7735caaf0c502af

SHA512
4088720aa7aa37a49ec2246a858c4d6805aba376b38c6d8088c21cac893fe92a16f578a39c4dc2a029abe96371a280524c0d33b03ada9f660c9e76c65282cc56

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zjkwkhva\zjkwkhva.cmdline
Filesize
235B

MD5
2dccb04d0be615ab993ff6c5263ec10e

SHA1
01dba69899e568b050a0931a486d3cf4c76f3cbd

SHA256
1fd83da6a392dddb4403af48edd3a0fc1718d617557f5c51f93227e4d58201d8

SHA512
0778ff0f67723000278b5b90fcc1b385d57039515aa418323b836204772b8286a8f479e6d0788ff021dfda586c30b75951a62e3cf462d592e791159a6ed0f7d6

Download Submit
\??\c:\Windows\System32\CSCB51BE5A873984E57AC20C99B5AFD61C4.TMP
Filesize
1KB

MD5
913b41bbe173c6878eae5b8d8b62f5b7

SHA1
386047df3df2b03e486bc87c4b7a3fee5f68ad73

SHA256
24e424d4d217bc9b5e76e0867e2715aabb09d7e49ab1e716eefb40d718e4f135

SHA512
c71d73ccf422818dce69b867726b04c54b6418b99d67227e7dc328c3c3df86f0235630feb91494f8102540aa94fce68674707db991222ce4c79934c17b9c0cc9

Download Submit
memory/432-8053-0x0000000002060000-0x000000000207C000-memory.dmp

Filesize
112KB

Download
memory/432-8664-0x0000000002080000-0x0000000002098000-memory.dmp

Filesize
96KB

Download
memory/432-8626-0x000000001AEC0000-0x000000001AF10000-memory.dmp

Filesize
320KB

Download
memory/1704-42-0x0000000001320000-0x000000000132C000-memory.dmp

Filesize
48KB

Download
memory/1704-40-0x0000000001310000-0x000000000131E000-memory.dmp

Filesize
56KB

Download
memory/1704-38-0x0000000000550000-0x00000000006FA000-memory.dmp

Filesize
1.7MB

Download
memory/3400-0-0x00007FF9D55F3000-0x00007FF9D55F5000-memory.dmp

Filesize
8KB

Download
memory/3400-22-0x00007FF9D55F0000-0x00007FF9D60B1000-memory.dmp

Filesize
10.8MB

Download
memory/3400-2-0x00007FF9D55F0000-0x00007FF9D60B1000-memory.dmp

Filesize
10.8MB

Download
memory/3400-1-0x0000000000610000-0x000000000091E000-memory.dmp

Filesize
3.1MB

Download
memory/3592-249-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-231-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-223-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-235-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-201-0x000000001B2B0000-0x000000001B480000-memory.dmp

Filesize
1.8MB

Download
memory/3592-261-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-265-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-263-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-259-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-257-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-255-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-253-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-251-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-245-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-243-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-241-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-239-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-237-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-233-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-203-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-229-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-227-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-226-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-219-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-217-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-215-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-213-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-247-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-221-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-211-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-209-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-207-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-205-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-202-0x000000001B2B0000-0x000000001B479000-memory.dmp

Filesize
1.8MB

Download
memory/3592-200-0x0000000000720000-0x0000000000728000-memory.dmp

Filesize
32KB

Download
memory/4076-78-0x00007FF9D55F0000-0x00007FF9D60B1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-24-0x0000000000C00000-0x0000000000DAA000-memory.dmp

Filesize
1.7MB

Download
memory/4076-23-0x00007FF9D55F0000-0x00007FF9D60B1000-memory.dmp

Filesize
10.8MB

Download