Analysis

Max time kernel: 148s
Resource: win10v191014
Submitted: 27-01-2020 17:35

Task: task1
Sample: 444444.exe
Resource: win7v191014
0 signatures

General

Target: 444444.exe
Sample: 200127-ppe7zc98ka
SHA256: 2ada31879ae7419da5f19095e6a086938475e97f8b022fe24bf25208778eb850
Score: 10/10
Malware Config
Signatures
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: epuiq.exe

pid | process
1784 | epuiq.exe
Adds Run entry to start application (2 TTPs, 1 IoC)
Processes: explorer.exe

description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\acrmfdwv = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Gculfigzxcfe\\epuiq.exe\"" | explorer.exe
Checks SCSI registry key(s) (3 TTPs, 18 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: 444444.exe, epuiq.exe, epuiq.exe

description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | 444444.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | epuiq.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | epuiq.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | epuiq.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | epuiq.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | 444444.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | 444444.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | 444444.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | epuiq.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | epuiq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | epuiq.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | 444444.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | epuiq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | 444444.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | epuiq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | epuiq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | epuiq.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | epuiq.exe
Processes: reg.exe (6 instances)

description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | reg.exe
Turn off Windows Defender SpyNet reporting (6 IoCs)
Processes: reg.exe (6 instances)

description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | reg.exe
Processes: reg.exe

description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Gculfigzxcfe = "0" | reg.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: 444444.exe, 444444.exe, epuiq.exe, epuiq.exe, explorer.exe, 444444.exe, epuiq.exe, epuiq.exe

pid | process
4940 | 444444.exe
5084 | 444444.exe
1784 | epuiq.exe
68 | epuiq.exe
4500 | explorer.exe
4824 | 444444.exe
2056 | epuiq.exe
1116 | epuiq.exe
Suspicious use of WriteProcessMemory (18 IoCs)
Processes: 444444.exe, epuiq.exe, 444444.exe, epuiq.exe

description | pid | process | target process
PID 4940 wrote to memory of 5084 | 4940 | 444444.exe | 444444.exe
PID 4940 wrote to memory of 1784 | 4940 | 444444.exe | epuiq.exe
PID 4940 wrote to memory of 380 | 4940 | 444444.exe | schtasks.exe
PID 1784 wrote to memory of 68 | 1784 | epuiq.exe | epuiq.exe
PID 1784 wrote to memory of 4500 | 1784 | epuiq.exe | explorer.exe
PID 4824 wrote to memory of 4804 | 4824 | 444444.exe | reg.exe
PID 4824 wrote to memory of 4552 | 4824 | 444444.exe | reg.exe
PID 4824 wrote to memory of 4756 | 4824 | 444444.exe | reg.exe
PID 4824 wrote to memory of 4148 | 4824 | 444444.exe | reg.exe
PID 4824 wrote to memory of 4232 | 4824 | 444444.exe | reg.exe
PID 4824 wrote to memory of 3416 | 4824 | 444444.exe | reg.exe
PID 4824 wrote to memory of 4944 | 4824 | 444444.exe | reg.exe
PID 4824 wrote to memory of 2008 | 4824 | 444444.exe | reg.exe
PID 4824 wrote to memory of 4304 | 4824 | 444444.exe | reg.exe
PID 4824 wrote to memory of 2056 | 4824 | 444444.exe | epuiq.exe
PID 4824 wrote to memory of 668 | 4824 | 444444.exe | cmd.exe
PID 4824 wrote to memory of 1992 | 4824 | 444444.exe | schtasks.exe
PID 2056 wrote to memory of 1116 | 2056 | epuiq.exe | epuiq.exe
Executes dropped EXE (4 IoCs)
Processes: epuiq.exe, epuiq.exe, epuiq.exe, epuiq.exe

pid | process
1784 | epuiq.exe
68 | epuiq.exe
2056 | epuiq.exe
1116 | epuiq.exe
Processes (indented by depth in the process tree)

Level 1: C:\Users\Admin\AppData\Local\Temp\444444.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\444444.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\444444.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\444444.exe /C
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses

  Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Gculfigzxcfe\epuiq.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Gculfigzxcfe\epuiq.exe
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE

    Level 3: C:\Users\Admin\AppData\Roaming\Microsoft\Gculfigzxcfe\epuiq.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Gculfigzxcfe\epuiq.exe /C
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE

    Level 3: C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      - Adds Run entry to start application
      - Suspicious behavior: EnumeratesProcesses

  Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn mzihupt /tr "\"C:\Users\Admin\AppData\Local\Temp\444444.exe\" /I mzihupt" /SC ONCE /Z /ST 18:37 /ET 18:49

Level 1: C:\Users\Admin\AppData\Local\Temp\444444.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\444444.exe /I mzihupt
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    - Windows security modification
    - Turn off Windows Defender SpyNet reporting

  Level 2: C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    - Windows security modification
    - Turn off Windows Defender SpyNet reporting

  Level 2: C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"

  Level 2: C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"

  Level 2: C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    - Windows security modification
    - Turn off Windows Defender SpyNet reporting

  Level 2: C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    - Windows security modification
    - Turn off Windows Defender SpyNet reporting

  Level 2: C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    - Windows security modification
    - Turn off Windows Defender SpyNet reporting

  Level 2: C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    - Windows security modification
    - Turn off Windows Defender SpyNet reporting

  Level 2: C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Gculfigzxcfe" /d "0"
    - Windows security bypass

  Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Gculfigzxcfe\epuiq.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Gculfigzxcfe\epuiq.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE

    Level 3: C:\Users\Admin\AppData\Roaming\Microsoft\Gculfigzxcfe\epuiq.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Gculfigzxcfe\epuiq.exe /C
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE

  Level 2: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\444444.exe"

    Level 3: C:\Windows\system32\PING.EXE
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe

  Level 2: C:\Windows\system32\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN mzihupt
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Gculfigzxcfe\epuiq.dat
- C:\Users\Admin\AppData\Roaming\Microsoft\Gculfigzxcfe\epuiq.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Gculfigzxcfe\epuiq.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Gculfigzxcfe\epuiq.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Gculfigzxcfe\epuiq.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Gculfigzxcfe\epuiq.exe
- memory/68-4-0x0000000002990000-0x0000000002991000-memory.dmp (Filesize: 4KB)
- memory/1116-9-0x0000000002930000-0x0000000002931000-memory.dmp (Filesize: 4KB)
- memory/1784-5-0x0000000000930000-0x000000000096B000-memory.dmp (Filesize: 236KB)
- memory/5084-0-0x0000000002980000-0x0000000002981000-memory.dmp (Filesize: 4KB)