4b27e32e9057afc255a41f8277eae7d4eef6715033e917e96ce436fcb42335aa

General

Target

126.exe
Size

2.0MB
MD5

b919752b83989b556d95d96907cc92c8
SHA1

454921a53827410334a19f536140f0dd9ae140a3
SHA256

4b27e32e9057afc255a41f8277eae7d4eef6715033e917e96ce436fcb42335aa
SHA512

b574eea1e05435667c6c52997502a73064e24da10c47c67ea1d20f5392377bb41c7cf52c7bc7fac5a37a3c5760f1fec258e97397642b1975b840e9945069c497

Score

8^/10

persistence

Malware Config

Signatures

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

126.exeWScript.execmd.exenlHa4dneFyvW7t91tTqX.exeWScript.execmd.exeStarter.exeAdobe QuikInstall.execmd.execmd.exe

description	pid	process	target process
PID 2112 wrote to memory of 3928	2112	126.exe	WScript.exe
PID 2112 wrote to memory of 3928	2112	126.exe	WScript.exe
PID 2112 wrote to memory of 3928	2112	126.exe	WScript.exe
PID 3928 wrote to memory of 1492	3928	WScript.exe	cmd.exe
PID 3928 wrote to memory of 1492	3928	WScript.exe	cmd.exe
PID 3928 wrote to memory of 1492	3928	WScript.exe	cmd.exe
PID 1492 wrote to memory of 3152	1492	cmd.exe	nlHa4dneFyvW7t91tTqX.exe
PID 1492 wrote to memory of 3152	1492	cmd.exe	nlHa4dneFyvW7t91tTqX.exe
PID 1492 wrote to memory of 3152	1492	cmd.exe	nlHa4dneFyvW7t91tTqX.exe
PID 3152 wrote to memory of 1000	3152	nlHa4dneFyvW7t91tTqX.exe	WScript.exe
PID 3152 wrote to memory of 1000	3152	nlHa4dneFyvW7t91tTqX.exe	WScript.exe
PID 3152 wrote to memory of 1000	3152	nlHa4dneFyvW7t91tTqX.exe	WScript.exe
PID 3152 wrote to memory of 1084	3152	nlHa4dneFyvW7t91tTqX.exe	Starter.exe
PID 3152 wrote to memory of 1084	3152	nlHa4dneFyvW7t91tTqX.exe	Starter.exe
PID 3152 wrote to memory of 1084	3152	nlHa4dneFyvW7t91tTqX.exe	Starter.exe
PID 1000 wrote to memory of 1696	1000	WScript.exe	cmd.exe
PID 1000 wrote to memory of 1696	1000	WScript.exe	cmd.exe
PID 1000 wrote to memory of 1696	1000	WScript.exe	cmd.exe
PID 1696 wrote to memory of 1792	1696	cmd.exe	savesref.exe
PID 1696 wrote to memory of 1792	1696	cmd.exe	savesref.exe
PID 1084 wrote to memory of 632	1084	Starter.exe	Adobe QuikInstall.exe
PID 1084 wrote to memory of 632	1084	Starter.exe	Adobe QuikInstall.exe
PID 1084 wrote to memory of 632	1084	Starter.exe	Adobe QuikInstall.exe
PID 632 wrote to memory of 1616	632	Adobe QuikInstall.exe	cmd.exe
PID 632 wrote to memory of 1616	632	Adobe QuikInstall.exe	cmd.exe
PID 632 wrote to memory of 1616	632	Adobe QuikInstall.exe	cmd.exe
PID 632 wrote to memory of 1640	632	Adobe QuikInstall.exe	cmd.exe
PID 632 wrote to memory of 1640	632	Adobe QuikInstall.exe	cmd.exe
PID 632 wrote to memory of 1640	632	Adobe QuikInstall.exe	cmd.exe
PID 1640 wrote to memory of 2288	1640	cmd.exe	SecurityHealthService.exe
PID 1640 wrote to memory of 2288	1640	cmd.exe	SecurityHealthService.exe
PID 1640 wrote to memory of 2288	1640	cmd.exe	SecurityHealthService.exe
PID 632 wrote to memory of 1548	632	Adobe QuikInstall.exe	cmd.exe
PID 632 wrote to memory of 1548	632	Adobe QuikInstall.exe	cmd.exe
PID 632 wrote to memory of 1548	632	Adobe QuikInstall.exe	cmd.exe
PID 1548 wrote to memory of 3644	1548	cmd.exe	YourPhone.exe
PID 1548 wrote to memory of 3644	1548	cmd.exe	YourPhone.exe
PID 1548 wrote to memory of 3644	1548	cmd.exe	YourPhone.exe

Executes dropped EXE 6 IoCs

Processes:

nlHa4dneFyvW7t91tTqX.exeStarter.exesavesref.exeAdobe QuikInstall.exeSecurityHealthService.exeYourPhone.exe

pid process

3152 nlHa4dneFyvW7t91tTqX.exe
1084 Starter.exe
1792 savesref.exe
632 Adobe QuikInstall.exe
2288 SecurityHealthService.exe
3644 YourPhone.exe

pid	process
3152	nlHa4dneFyvW7t91tTqX.exe
1084	Starter.exe
1792	savesref.exe
632	Adobe QuikInstall.exe
2288	SecurityHealthService.exe
3644	YourPhone.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

savesref.exeWerFault.exeSecurityHealthService.exeYourPhone.exe

description	pid	process
Token: SeDebugPrivilege	1792	savesref.exe
Token: SeDebugPrivilege	1304	WerFault.exe
Token: SeDebugPrivilege	2288	SecurityHealthService.exe
Token: SeDebugPrivilege	3644	YourPhone.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1304 1792 WerFault.exe savesref.exe

pid	pid_target	process	target process
1304	1792	WerFault.exe	savesref.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

WerFault.exeSecurityHealthService.exeYourPhone.exe

pid	process
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
2288	SecurityHealthService.exe
3644	YourPhone.exe
2288	SecurityHealthService.exe
3644	YourPhone.exe
2288	SecurityHealthService.exe
3644	YourPhone.exe
2288	SecurityHealthService.exe
3644	YourPhone.exe
2288	SecurityHealthService.exe
3644	YourPhone.exe
2288	SecurityHealthService.exe
3644	YourPhone.exe
2288	SecurityHealthService.exe
3644	YourPhone.exe
2288	SecurityHealthService.exe
3644	YourPhone.exe

Drops startup file 4 IoCs

Processes:

cmd.exesavesref.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eb745ad144d57f1096e3b784bd42f4f785a4de64.lnk	savesref.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eb745ad144d57f1096e3b784bd42f4f785a4de64.lnk	savesref.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Starter.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe QuikInstall = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe QuikInstall.exe"	Starter.exe

Modifies registry class 2 IoCs

Processes:

nlHa4dneFyvW7t91tTqX.exe126.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings	nlHa4dneFyvW7t91tTqX.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings	126.exe

C:\Users\Admin\AppData\Local\Temp\126.exe
"C:\Users\Admin\AppData\Local\Temp\126.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Modifies registry class
PID:2112

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\fontcrt\MwNjvr88NQJRSWi19KqHvdvHPGxkRc.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\fontcrt\f8IOiW4b1oJg0IdnBPNY1lP2Kk6HqE.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\fontcrt\nlHa4dneFyvW7t91tTqX.exe
nlHa4dneFyvW7t91tTqX.exe -pfc114bf1799a11cca515d4e7135dd097ec29a963
4⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Modifies registry class
PID:3152

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\fontcrt\System.vbe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\fontcrt\7WCrkRKj3I45kvv0JqhYh5UzVIEFG5.bat" "
6⤵
- Suspicious use of WriteProcessMemory
- Drops startup file
PID:1696

C:\fontcrt\savesref.exe
"C:\fontcrt\savesref.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Drops startup file
PID:1792

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1792 -s 1692
8⤵
- Suspicious use of AdjustPrivilegeToken
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:1304

C:\fontcrt\Starter.exe
"C:\fontcrt\Starter.exe"
5⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Adds Run entry to start application
PID:1084

C:\Users\Admin\AppData\Roaming\Adobe\Adobe QuikInstall.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Adobe QuikInstall.exe"
6⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\Obsidium\Runtime Broker.exe
7⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\Vortex\SecurityHealthService.exe
7⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Roaming\Vortex\SecurityHealthService.exe
C:\Users\Admin\AppData\Roaming\Vortex\SecurityHealthService.exe
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\Sun\YourPhone.exe
7⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Roaming\Sun\YourPhone.exe
C:\Users\Admin\AppData\Roaming\Sun\YourPhone.exe
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Adobe QuikInstall.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe QuikInstall.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Sun\WatchDog.data

Download Submit
C:\Users\Admin\AppData\Roaming\Sun\YourPhone.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Sun\YourPhone.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Vortex\SecurityHealthService.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Vortex\SecurityHealthService.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Vortex\WatchDog.data

Download Submit
C:\fontcrt\7WCrkRKj3I45kvv0JqhYh5UzVIEFG5.bat

Download Submit
C:\fontcrt\MwNjvr88NQJRSWi19KqHvdvHPGxkRc.vbs

Download Submit
C:\fontcrt\Starter.exe

Download Submit
C:\fontcrt\Starter.exe

Download Submit
C:\fontcrt\System.lnk

Download Submit
C:\fontcrt\System.vbe

Download Submit
C:\fontcrt\WatchDog.data

Download Submit
C:\fontcrt\autopass.dll

Download Submit
C:\fontcrt\dclib\AK_33db8088017dd3ba0d1f7d0d6d211cb82b9f06dd.dclib

Download Submit
C:\fontcrt\dclib\AS_c07f7472ed0469e66b90bea3f8afee0ab215080e.dclib

Download Submit
C:\fontcrt\dclib\AntiVM.dclib

Download Submit
C:\fontcrt\dogs\Adobe QuikInstall.exe

Download Submit
C:\fontcrt\dogs\Runtime Broker.exe

Download Submit
C:\fontcrt\dogs\SecurityHealthService.exe

Download Submit
C:\fontcrt\dogs\YourPhone.exe

Download Submit
C:\fontcrt\eb745ad144d57f1096e3b784bd42f4f785a4de64.lnk

Download Submit
C:\fontcrt\f8IOiW4b1oJg0IdnBPNY1lP2Kk6HqE.bat

Download Submit
C:\fontcrt\nlHa4dneFyvW7t91tTqX.exe

Download Submit
C:\fontcrt\nlHa4dneFyvW7t91tTqX.exe

Download Submit
C:\fontcrt\savesref.exe

Download Submit
C:\fontcrt\savesref.exe

Download Submit
C:\fontcrt\vmcheck32.dll

Download Submit
memory/1304-28-0x0000028E88610000-0x0000028E88611000-memory.dmp

Filesize
4KB

Download
memory/1304-32-0x0000028E89480000-0x0000028E89481000-memory.dmp

Filesize
4KB

Download
memory/1304-31-0x0000028E89480000-0x0000028E89481000-memory.dmp

Filesize
4KB

Download
memory/1304-29-0x0000028E88610000-0x0000028E88611000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads