Analysis
Max time kernel: 138s
Resource: win10v191014
Submitted: 27-01-2020 17:27
Task: task1
Sample: 444444.png.exe
Resource: win7v191014
0 signatures
General
Malware Config
Signatures
Windows security bypass
Processes: reg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg = "0" | reg.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: 444444.png.exe, 444444.png.exe, hjgnohza.exe, hjgnohza.exe, explorer.exe, 444444.png.exe, hjgnohza.exe, hjgnohza.exe
pid | process
4960 | 444444.png.exe
5016 | 444444.png.exe
304 | hjgnohza.exe
2876 | hjgnohza.exe
3976 | explorer.exe
3348 | 444444.png.exe
1996 | hjgnohza.exe
876 | hjgnohza.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes: 444444.png.exe, hjgnohza.exe, 444444.png.exe, hjgnohza.exe
description | pid | process | target process
PID 4960 wrote to memory of 5016 | 4960 | 444444.png.exe | 444444.png.exe
PID 4960 wrote to memory of 304 | 4960 | 444444.png.exe | hjgnohza.exe
PID 4960 wrote to memory of 1988 | 4960 | 444444.png.exe | schtasks.exe
PID 304 wrote to memory of 2876 | 304 | hjgnohza.exe | hjgnohza.exe
PID 304 wrote to memory of 3976 | 304 | hjgnohza.exe | explorer.exe
PID 3348 wrote to memory of 4936 | 3348 | 444444.png.exe | reg.exe
PID 3348 wrote to memory of 772 | 3348 | 444444.png.exe | reg.exe
PID 3348 wrote to memory of 2404 | 3348 | 444444.png.exe | reg.exe
PID 3348 wrote to memory of 3588 | 3348 | 444444.png.exe | reg.exe
PID 3348 wrote to memory of 4976 | 3348 | 444444.png.exe | reg.exe
PID 3348 wrote to memory of 2980 | 3348 | 444444.png.exe | reg.exe
PID 3348 wrote to memory of 4180 | 3348 | 444444.png.exe | reg.exe
PID 3348 wrote to memory of 2856 | 3348 | 444444.png.exe | reg.exe
PID 3348 wrote to memory of 5088 | 3348 | 444444.png.exe | reg.exe
PID 3348 wrote to memory of 1996 | 3348 | 444444.png.exe | hjgnohza.exe
PID 3348 wrote to memory of 4604 | 3348 | 444444.png.exe | cmd.exe
PID 3348 wrote to memory of 4656 | 3348 | 444444.png.exe | schtasks.exe
PID 1996 wrote to memory of 876 | 1996 | hjgnohza.exe | hjgnohza.exe
Turn off Windows Defender SpyNet reporting 6 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | reg.exe
Adds Run entry to start application 2 TTPs 1 IoCs
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\oeqplj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Amcesyg\\hjgnohza.exe\"" | explorer.exe
Windows security modification
Processes: reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet | reg.exe
Executes dropped EXE 4 IoCs
Processes: hjgnohza.exe, hjgnohza.exe, hjgnohza.exe, hjgnohza.exe
pid | process
304 | hjgnohza.exe
2876 | hjgnohza.exe
1996 | hjgnohza.exe
876 | hjgnohza.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: hjgnohza.exe
pid | process
304 | hjgnohza.exe
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: hjgnohza.exe, hjgnohza.exe, 444444.png.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | hjgnohza.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | hjgnohza.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | 444444.png.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | 444444.png.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | hjgnohza.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | 444444.png.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | 444444.png.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | hjgnohza.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | hjgnohza.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | hjgnohza.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | hjgnohza.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | hjgnohza.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | 444444.png.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | 444444.png.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | hjgnohza.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | hjgnohza.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | hjgnohza.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | hjgnohza.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\444444.png.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\444444.png.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\444444.png.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\444444.png.exe /C
    - Suspicious behavior: EnumeratesProcesses
    - Checks SCSI registry key(s)
  - C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious behavior: MapViewOfSection
    - C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe /C
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
      - Checks SCSI registry key(s)
    - C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      - Suspicious behavior: EnumeratesProcesses
      - Adds Run entry to start application
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn bhyxncgjol /tr "\"C:\Users\Admin\AppData\Local\Temp\444444.png.exe\" /I bhyxncgjol" /SC ONCE /Z /ST 18:30 /ET 18:42
- C:\Users\Admin\AppData\Local\Temp\444444.png.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\444444.png.exe /I bhyxncgjol
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    - Turn off Windows Defender SpyNet reporting
    - Windows security modification
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    - Turn off Windows Defender SpyNet reporting
    - Windows security modification
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    - Turn off Windows Defender SpyNet reporting
    - Windows security modification
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    - Turn off Windows Defender SpyNet reporting
    - Windows security modification
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    - Turn off Windows Defender SpyNet reporting
    - Windows security modification
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    - Turn off Windows Defender SpyNet reporting
    - Windows security modification
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg" /d "0"
    - Windows security bypass
  - C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe /C
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
      - Checks SCSI registry key(s)
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\444444.png.exe"
    - C:\Windows\system32\PING.EXE
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe
  - C:\Windows\system32\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN bhyxncgjol
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.dat
- C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Amcesyg\hjgnohza.exe
- memory/304-5-0x0000000002600000-0x000000000263B000-memory.dmp (Filesize: 236KB)
- memory/876-9-0x0000000002A50000-0x0000000002A51000-memory.dmp (Filesize: 4KB)
- memory/2876-4-0x0000000002A00000-0x0000000002A01000-memory.dmp (Filesize: 4KB)
- memory/5016-0-0x0000000002960000-0x0000000002961000-memory.dmp (Filesize: 4KB)