Analysis

max time kernel: 137s
max time network: 151s
platform: windows10_x64
resource: win10v200217
submitted: 18-02-2020 20:06

Static task: static1
Behavioral task: behavioral1
Sample: 444444.exe
Resource: win7v200217 (windows7_x64)
0 signatures
0 seconds
General

Target: 444444.exe
Size: 340KB
MD5: 36af3d937d99c46cd829957af7f37886
SHA1: 6901f63c7339374c0c1b499f593b0a7520c2e266
SHA256: 871371ff7eb668d8281e8a01af78e4f037f5204311e996b7a133e0d5c51a612e
SHA512: 2cf1464e7fe0645dbc2b9b6e0b158c512ffc8fa9d3b1ba5f10fdefdd3674d69a5a36c7be74b9468d6af9a62972728b13f62e43c3ccb7386e5c415d5d05608e5d
Malware Config
Signatures
Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Aehqityril = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: ujuwuua.exe, 444444.exe, ujuwuua.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | ujuwuua.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | 444444.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | 444444.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | 444444.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | ujuwuua.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | ujuwuua.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | ujuwuua.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | 444444.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | 444444.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | ujuwuua.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | ujuwuua.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | 444444.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | ujuwuua.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | ujuwuua.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | ujuwuua.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | ujuwuua.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | ujuwuua.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | ujuwuua.exe
Processes: reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | reg.exe
Suspicious use of WriteProcessMemory 44 IoCs
Processes: 444444.exe, ujuwuua.exe, 444444.exe, ujuwuua.exe
description | pid | process | target process
PID 4020 wrote to memory of 3988 | 4020 | 444444.exe | 444444.exe
PID 4020 wrote to memory of 3988 | 4020 | 444444.exe | 444444.exe
PID 4020 wrote to memory of 3988 | 4020 | 444444.exe | 444444.exe
PID 4020 wrote to memory of 2588 | 4020 | 444444.exe | ujuwuua.exe
PID 4020 wrote to memory of 2588 | 4020 | 444444.exe | ujuwuua.exe
PID 4020 wrote to memory of 2588 | 4020 | 444444.exe | ujuwuua.exe
PID 4020 wrote to memory of 3544 | 4020 | 444444.exe | schtasks.exe
PID 4020 wrote to memory of 3544 | 4020 | 444444.exe | schtasks.exe
PID 4020 wrote to memory of 3544 | 4020 | 444444.exe | schtasks.exe
PID 2588 wrote to memory of 3500 | 2588 | ujuwuua.exe | ujuwuua.exe
PID 2588 wrote to memory of 3500 | 2588 | ujuwuua.exe | ujuwuua.exe
PID 2588 wrote to memory of 3500 | 2588 | ujuwuua.exe | ujuwuua.exe
PID 2588 wrote to memory of 3080 | 2588 | ujuwuua.exe | explorer.exe
PID 2588 wrote to memory of 3080 | 2588 | ujuwuua.exe | explorer.exe
PID 2588 wrote to memory of 3080 | 2588 | ujuwuua.exe | explorer.exe
PID 2588 wrote to memory of 3080 | 2588 | ujuwuua.exe | explorer.exe
PID 2932 wrote to memory of 3256 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 3256 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 1016 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 1016 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 3836 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 3836 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 544 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 544 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 908 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 908 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 496 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 496 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 1156 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 1156 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 1292 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 1292 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 1516 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 1516 | 2932 | 444444.exe | reg.exe
PID 2932 wrote to memory of 1728 | 2932 | 444444.exe | ujuwuua.exe
PID 2932 wrote to memory of 1728 | 2932 | 444444.exe | ujuwuua.exe
PID 2932 wrote to memory of 1728 | 2932 | 444444.exe | ujuwuua.exe
PID 2932 wrote to memory of 64 | 2932 | 444444.exe | cmd.exe
PID 2932 wrote to memory of 64 | 2932 | 444444.exe | cmd.exe
PID 2932 wrote to memory of 2064 | 2932 | 444444.exe | schtasks.exe
PID 2932 wrote to memory of 2064 | 2932 | 444444.exe | schtasks.exe
PID 1728 wrote to memory of 2708 | 1728 | ujuwuua.exe | ujuwuua.exe
PID 1728 wrote to memory of 2708 | 1728 | ujuwuua.exe | ujuwuua.exe
PID 1728 wrote to memory of 2708 | 1728 | ujuwuua.exe | ujuwuua.exe
Executes dropped EXE 4 IoCs
Processes: ujuwuua.exe, ujuwuua.exe, ujuwuua.exe, ujuwuua.exe
pid | process
2588 | ujuwuua.exe
3500 | ujuwuua.exe
1728 | ujuwuua.exe
2708 | ujuwuua.exe
Turns off Windows Defender SpyNet reporting 6 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | reg.exe
Adds Run entry to start application 2 TTPs 1 IoCs
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypppot = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Aehqityril\\ujuwuua.exe\"" | explorer.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes: 444444.exe, 444444.exe, ujuwuua.exe, ujuwuua.exe, explorer.exe, 444444.exe, ujuwuua.exe, ujuwuua.exe
pid | process
4020 | 444444.exe
4020 | 444444.exe
3988 | 444444.exe
3988 | 444444.exe
3988 | 444444.exe
3988 | 444444.exe
2588 | ujuwuua.exe
2588 | ujuwuua.exe
3500 | ujuwuua.exe
3500 | ujuwuua.exe
3500 | ujuwuua.exe
3500 | ujuwuua.exe
3080 | explorer.exe
3080 | explorer.exe
3080 | explorer.exe
3080 | explorer.exe
2932 | 444444.exe
2932 | 444444.exe
1728 | ujuwuua.exe
1728 | ujuwuua.exe
2708 | ujuwuua.exe
2708 | ujuwuua.exe
2708 | ujuwuua.exe
2708 | ujuwuua.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: ujuwuua.exe
pid | process
2588 | ujuwuua.exe
Runs ping.exe 1 TTPs 1 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\444444.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\444444.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Local\Temp\444444.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\444444.exe /C
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Roaming\Microsoft\Aehqityril\ujuwuua.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Aehqityril\ujuwuua.exe
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

    C:\Users\Admin\AppData\Roaming\Microsoft\Aehqityril\ujuwuua.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Aehqityril\ujuwuua.exe /C
      - Checks SCSI registry key(s)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\explorer.exe (depth 3)
      Command line: C:\Windows\SysWOW64\explorer.exe
      - Adds Run entry to start application
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn iwzaihlrp /tr "\"C:\Users\Admin\AppData\Local\Temp\444444.exe\" /I iwzaihlrp" /SC ONCE /Z /ST 21:09 /ET 21:21
    - Creates scheduled task(s)

C:\Users\Admin\AppData\Local\Temp\444444.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\444444.exe /I iwzaihlrp
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\reg.exe (depth 2)
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    - Windows security modification
    - Turns off Windows Defender SpyNet reporting

  C:\Windows\system32\reg.exe (depth 2)
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    - Windows security modification
    - Turns off Windows Defender SpyNet reporting

  C:\Windows\system32\reg.exe (depth 2)
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"

  C:\Windows\system32\reg.exe (depth 2)
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"

  C:\Windows\system32\reg.exe (depth 2)
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    - Windows security modification
    - Turns off Windows Defender SpyNet reporting

  C:\Windows\system32\reg.exe (depth 2)
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    - Windows security modification
    - Turns off Windows Defender SpyNet reporting

  C:\Windows\system32\reg.exe (depth 2)
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    - Windows security modification
    - Turns off Windows Defender SpyNet reporting

  C:\Windows\system32\reg.exe (depth 2)
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    - Windows security modification
    - Turns off Windows Defender SpyNet reporting

  C:\Windows\system32\reg.exe (depth 2)
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Aehqityril" /d "0"
    - Windows security bypass

  C:\Users\Admin\AppData\Roaming\Microsoft\Aehqityril\ujuwuua.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Aehqityril\ujuwuua.exe
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Roaming\Microsoft\Aehqityril\ujuwuua.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Aehqityril\ujuwuua.exe /C
      - Checks SCSI registry key(s)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\444444.exe"

    C:\Windows\system32\PING.EXE (depth 3)
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe

  C:\Windows\system32\schtasks.exe (depth 2)
    Command line: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN iwzaihlrp
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Aehqityril\ujuwuua.dat
- C:\Users\Admin\AppData\Roaming\Microsoft\Aehqityril\ujuwuua.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Aehqityril\ujuwuua.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Aehqityril\ujuwuua.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Aehqityril\ujuwuua.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Aehqityril\ujuwuua.exe
- memory/2588-5-0x0000000000870000-0x00000000008AB000-memory.dmp (Filesize: 236KB)
- memory/2708-9-0x0000000002BF0000-0x0000000002BF1000-memory.dmp (Filesize: 4KB)
- memory/3500-4-0x0000000002A40000-0x0000000002A41000-memory.dmp (Filesize: 4KB)
- memory/3988-0-0x0000000002970000-0x0000000002971000-memory.dmp (Filesize: 4KB)