72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Analysis

max time kernel
61s

Sharing

Copy URL

Twitter E-mail

General

Target

test.zip
Sample

190809-b9e7y9szpa
SHA256

72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Score

N/A

Malware Config

Signatures

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 2 IoCs

description
C:\Program Files (x86)\SinTech\TextEdit.exe
C:\Program Files (x86)\SinTech\TextEdit.exe.config

Adds Run entry to start application 2 TTPs 1 IoCs

Modify Registry

T1112

description
\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (CreateKeyEx)

Modifies Internet Explorer settings 1 TTPs 9 IoCs

Modify Registry

T1112

description
\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\main (CreateKeyEx)
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Check_Associations = "no"
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\NoProtectedModeBanner = "1"
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IE8RunOnceLastShown = "1"
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IE8RunOnceLastShown_TIMESTAMP = 8afe20f63237d401
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IE8TourShown = "1"
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IE8TourShownTime = 0c8ab1fc3237d401
\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Recovery (CreateKeyEx)
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"

Suspicious use of WriteProcessMemory 1 TTPs 4 IoCs

Process Injection

T1055

description	pid	Process
PID 1784 wrote to memory of 1824	1824	Process not Found
PID 1784 wrote to memory of 1980	1980	Process not Found
PID 1784 wrote to memory of 2576	2576	Process not Found
PID 1784 wrote to memory of 2072	2072	Process not Found

Executes dropped EXE 1 TTPs

Native API
T1106
Creates new service 1 TTPs

Suspicious use of WriteProcessMemory 1 TTPs 4 IoCs

Process Injection

T1055

description	pid	Process
PID 1980 wrote to memory of 1560	1560	Process not Found
PID 1980 wrote to memory of 1760	1760	Process not Found
PID 1980 wrote to memory of 2036	2036	Process not Found
PID 1980 wrote to memory of 2512	2512	Process not Found

Launches SC.exe
Modifies Windows Firewall 1 TTPs

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\380-0\Microsoft.PowerShell.Commands.Utility.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\6830998406929e1e293582edd9a8e1f5\Microsoft.PowerShell.Commands.Utility.ni.dll.aux.tmp

Suspicious use of WriteProcessMemory 1 TTPs 3 IoCs

Process Injection

T1055

description	pid	Process
PID 1148 wrote to memory of 1648	1648	Process not Found
PID 1148 wrote to memory of 2164	2164	Process not Found
PID 1148 wrote to memory of 1632	1632	Process not Found

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Modifies Internet Explorer settings 1 TTPs 2 IoCs

Modify Registry

T1112

description
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Setup (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Setup\HaveCreatedQuickLaunchItems = "1"

Modifies Internet Explorer settings 1 TTPs 59 IoCs

Modify Registry

T1112

description
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\BrowserEmulation (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Main (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\InternetRegistry (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LowRegistry (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\IntelliForms (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Toolbar (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\PageSetup (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Zoom (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\IETld\LowMic (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Recovery (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5790C0B3-BAB5-11E9-AEF7-561C0F0C6DF4} = "0"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\SearchScopes (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = 501e991ac24ed501
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate = b07f9b1ac24ed501
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LowRegistry\Extensions (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\{2670000A-7350-4f3c-8081-5663EE0C6C49} = "8192"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\NextId = "8193"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} = "8193"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\NextId = "8194"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0 (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Path = "C:\\Users\\Admin\\Favorites\\Links\\Web Slice Gallery.url"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Handler = "{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\DisplayName = "Web Slice Gallery"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\DisplayMask = "4"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\ErrorState = "64"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Expiration = "0"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Suggested Sites (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = 90220b28c24ed501
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\DisplayName
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Expiration (DeleteValueKey)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\ErrorState = "0"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\DisplayMask = "0"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Suggested Sites\SlicePath = "C:\\Users\\Admin\\Favorites\\Links\\Suggested Sites.url"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff4400000044000000640300009c020000
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Path = "C:\\Users\\Admin\\Favorites\\Links\\Suggested Sites.url"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1 (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\Path = "C:\\Users\\Admin\\Favorites\\Links\\Web Slice Gallery.url"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\Handler = "{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\DisplayName = "Suggested Sites"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\DisplayName = "Web Slice Gallery"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\DisplayMask = "4"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\ErrorState = "64"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\Expiration = "0"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5790C0B3-BAB5-11E9-AEF7-561C0F0C6DF4} (DeleteValueKey)

Suspicious use of SetWindowsHookEx 1 TTPs

Drops file in system dir 5 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\840-0\Microsoft.PowerShell.ConsoleHost.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\b6ea02de2d9511e27ab8fa7434fe5440\Microsoft.PowerShell.ConsoleHost.ni.dll.aux.tmp
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\840-0\Microsoft.PowerShell.ScheduledJob.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\4426e25e1efde40881762cc23d7aaa56\Microsoft.PowerShell.ScheduledJob.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Suspicious use of SetWindowsHookEx 1 TTPs

Modifies Internet Explorer settings 1 TTPs 14 IoCs

Modify Registry

T1112

description
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Toolbar (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\InternetRegistry (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LowRegistry (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\IntelliForms (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\PageSetup (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Zoom (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\IETld\LowMic (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LowRegistry\AddToFavoritesInitialSelection (DeleteValueKey)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LowRegistry\AddToFeedsInitialSelection (DeleteValueKey)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\IETld (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\IETld\StaleIETldCache = "0"

Modifies service 2 TTPs 5 IoCs

Modify Registry

T1112

description
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig (CreateKeyEx)
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups (CreateKeyEx)
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas (CreateKeyEx)
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs (CreateKeyEx)
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI (CreateKeyEx)

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\8ec-0\Microsoft.PowerShell.Core.Activities.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\680d4080ee5e60f2ed2e9d56b54be8d6\Microsoft.PowerShell.Core.Activities.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 5 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\974-0\Microsoft.PowerShell.Diagnostics.Activities.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\4dd796da5cd3a7855c4bd754efed0d48\Microsoft.PowerShell.Diagnostics.Activities.ni.dll.aux.tmp
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\974-0\Microsoft.PowerShell.Security.Activities.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\7621dae1e55ea8ab099a898f35536dba\Microsoft.PowerShell.Security.Activities.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Modifies Windows Firewall 1 TTPs

Modifies service 2 TTPs 5 IoCs

Modify Registry

T1112

description
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig (CreateKeyEx)
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups (CreateKeyEx)
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas (CreateKeyEx)
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs (CreateKeyEx)
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI (CreateKeyEx)

Malicious domain 2 IoCs

description
www.kitai.jp
rl.ammyy.com

Suspicious use of FindShellTrayWindow 1 TTPs

Process Injection
T1055
Executes dropped EXE 1 TTPs

Native API
T1106
Suspicious use of SetWindowsHookEx 1 TTPs
Suspicious use of NtSetInformationThreadHideFromDebugger 1 TTPs

Suspicious registry modification 15 IoCs

description
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\EnableConsoleTracing = "0"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wlanspeed_RASAPI32\EnableFileTracing = "0"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wlanspeed_RASAPI32\EnableConsoleTracing = "0"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wlanspeed_RASAPI32\FileTracingMask = "4294901760"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wlanspeed_RASAPI32\ConsoleTracingMask = "4294901760"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wlanspeed_RASAPI32\MaxFileSize = "1048576"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wlanspeed_RASAPI32\FileDirectory = "%windir%\\tracing"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wlanspeed_RASMANCS\EnableFileTracing = "0"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wlanspeed_RASMANCS\EnableConsoleTracing = "0"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wlanspeed_RASMANCS\FileTracingMask = "4294901760"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wlanspeed_RASMANCS\ConsoleTracingMask = "4294901760"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wlanspeed_RASMANCS\MaxFileSize = "1048576"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\wlanspeed_RASMANCS\FileDirectory = "%windir%\\tracing"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000005000000090000000000000000000000000000000400000000000000d0f8f61bc24ed501000000000000000000000000020000001700000000000000fe8000000000000020ed9405f5b7c9ea0b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000000a000015000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

HTTP(S) URI 1 TTPs 5 IoCs

Modify Registry

T1112

description
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\FeedUrl = "http://go.microsoft.com/fwlink/?LinkId=121315"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\FeedUrl = "https://ieonline.microsoft.com/#ieslice"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\FeedUrl = "http://go.microsoft.com/fwlink/?LinkId=121315"

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9f0-0\Microsoft.PowerShell.Editor.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\3037a8e88408d67115e75b819628bff6\Microsoft.PowerShell.Editor.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\aac-0\Microsoft.PowerShell.GPowerShell.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\bd15d0889b1627fe9c0fb70bd62db369\Microsoft.PowerShell.GPowerShell.ni.dll.aux.tmp

Drops file in system dir 5 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b18-0\Microsoft.PowerShell.GraphicalHost.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\e26d2700d474c30c13e234acb7fc3067\Microsoft.PowerShell.GraphicalHost.ni.dll.aux.tmp
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b18-0\Microsoft.WSMan.Management.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\5485e11ac0e4f0f52bde2b8cfdc783ae\Microsoft.WSMan.Management.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 5 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b74-0\Microsoft.PowerShell.ISECommon.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\d507795c38d9f9fb343d60b9d65171fa\Microsoft.PowerShell.ISECommon.ni.dll.aux.tmp
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b74-0\Microsoft.WSMan.Management.Activities.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\31442bf47481031d2ffc618719a526d4\Microsoft.WSMan.Management.Activities.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Uses Task Scheduler COM API 1 TTPs

Query Registry
T1012
Executes dropped EXE 1 TTPs

Native API
T1106

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\bc8-0\Microsoft.PowerShell.Management.Activities.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\5f7b8221a7d5c538f4354305f034f3ed\Microsoft.PowerShell.Management.Activities.ni.dll.aux.tmp

Suspicious use of SetWindowsHookEx 1 TTPs
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Modifies Internet Explorer settings 1 TTPs 12 IoCs

Modify Registry

T1112

description
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Toolbar (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\InternetRegistry (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LowRegistry (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\IntelliForms (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\PageSetup (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\Zoom (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\IETld\LowMic (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LowRegistry\AddToFavoritesInitialSelection (DeleteValueKey)
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Internet Explorer\LowRegistry\AddToFeedsInitialSelection (DeleteValueKey)

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\97c-0\Microsoft.PowerShell.Security.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\6b4f2136bd5323034fb9ff6c304b1e3e\Microsoft.PowerShell.Security.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9bc-0\Microsoft.PowerShell.Utility.Activities.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\95ba4899f658f739a2a9f74896f9f387\Microsoft.PowerShell.Utility.Activities.ni.dll.aux.tmp

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\a00-0\Microsoft.PowerShell.Workflow.ServiceCore.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\43318a90223fca7f3df29ad55b59382e\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\ac0-0\Microsoft.Windows.DSC.CoreConfProviders.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\eea6c6f43b338e0bdeac71fb35bf254d\Microsoft.Windows.DSC.CoreConfProviders.ni.dll.aux.tmp

Suspicious registry modification 16 IoCs

description
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\EnableFileTracing = "0"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\EnableConsoleTracing = "0"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\FileTracingMask = "4294901760"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\ConsoleTracingMask = "4294901760"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\MaxFileSize = "1048576"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASAPI32\FileDirectory = "%windir%\\tracing"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\EnableFileTracing = "0"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\EnableConsoleTracing = "0"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\FileTracingMask = "4294901760"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\ConsoleTracingMask = "4294901760"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\MaxFileSize = "1048576"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RASMANCS\FileDirectory = "%windir%\\tracing"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000007000000090000000000000000000000000000000400000000000000d0f8f61bc24ed501000000000000000000000000020000001700000000000000fe8000000000000020ed9405f5b7c9ea0b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000000a000015000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\804-0\Microsoft.WSMan.Runtime.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb#\c80373093de278b947eba63c75e1dc5c\Microsoft.WSMan.Runtime.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
flawedammy family
family

Analysis

Sharing

General

Malware Config

Signatures

Processes