ab4b88ea37d6cfd5f6510acb73a14c27b5ef89f3a0103ac9f36cc465579c16c5

General

Target

tasks_206.vir.exe
Size

329KB
MD5

daaf84966d5d348ba931443dc34e697e
SHA1

c2d2f357706d48017f2f6abef992f9fc38964bc8
SHA256

ab4b88ea37d6cfd5f6510acb73a14c27b5ef89f3a0103ac9f36cc465579c16c5
SHA512

47606574a02e293476f4069e0ca2eba597a832a45668f8bb05de77c88b6f5d5d46895ca64ade3c8f2277aee50f55415138784ad210191d84ee25dd3767d786a9

Score

8^/10

persistence evasion trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

winsec32.exeipleagp.exeipleagp.exe

pid process

1120 winsec32.exe
1464 ipleagp.exe
744 ipleagp.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

784 cmd.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ipleagp.exe

pid process

744 ipleagp.exe
744 ipleagp.exe
Drops file in Windows directory 1 IoCs

Processes:

tasks_206.vir.exe

description ioc process

File created C:\Windows\Tasks\Security Center Update - 953684418.job tasks_206.vir.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE

pid	process
1120	winsec32.exe
1464	ipleagp.exe
744	ipleagp.exe

pid	process
784	cmd.exe

pid	process
744	ipleagp.exe
744	ipleagp.exe

description	ioc	process
File created	C:\Windows\Tasks\Security Center Update - 953684418.job	tasks_206.vir.exe

pid	process
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE

Drops file in System32 directory 2 IoCs

Processes:

tasks_206.vir.exe

description	ioc	process
File created	C:\Windows\SysWOW64\winsec32.exe	tasks_206.vir.exe
File opened for modification	C:\Windows\SysWOW64\winsec32.exe	tasks_206.vir.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

ipleagp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main ipleagp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	ipleagp.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ipleagp.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ipleagp.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	ipleagp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	ipleagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ipleagp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ipleagp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ipleagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ipleagp.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

tasks_206.vir.exeipleagp.exeipleagp.exe

description	pid	process	target process
PID 1144 wrote to memory of 1464	1144	tasks_206.vir.exe	ipleagp.exe
PID 1144 wrote to memory of 1464	1144	tasks_206.vir.exe	ipleagp.exe
PID 1144 wrote to memory of 1464	1144	tasks_206.vir.exe	ipleagp.exe
PID 1144 wrote to memory of 1464	1144	tasks_206.vir.exe	ipleagp.exe
PID 1464 wrote to memory of 1276	1464	ipleagp.exe	Explorer.EXE
PID 1144 wrote to memory of 784	1144	tasks_206.vir.exe	cmd.exe
PID 1144 wrote to memory of 784	1144	tasks_206.vir.exe	cmd.exe
PID 1144 wrote to memory of 784	1144	tasks_206.vir.exe	cmd.exe
PID 1144 wrote to memory of 784	1144	tasks_206.vir.exe	cmd.exe
PID 1464 wrote to memory of 744	1464	ipleagp.exe	ipleagp.exe
PID 1464 wrote to memory of 744	1464	ipleagp.exe	ipleagp.exe
PID 1464 wrote to memory of 744	1464	ipleagp.exe	ipleagp.exe
PID 1464 wrote to memory of 744	1464	ipleagp.exe	ipleagp.exe
PID 1464 wrote to memory of 1276	1464	ipleagp.exe	Explorer.EXE
PID 1464 wrote to memory of 1276	1464	ipleagp.exe	Explorer.EXE
PID 1464 wrote to memory of 1276	1464	ipleagp.exe	Explorer.EXE
PID 1464 wrote to memory of 1276	1464	ipleagp.exe	Explorer.EXE
PID 1464 wrote to memory of 1276	1464	ipleagp.exe	Explorer.EXE
PID 1464 wrote to memory of 1276	1464	ipleagp.exe	Explorer.EXE
PID 744 wrote to memory of 1780	744	ipleagp.exe	ctfmon.exe
PID 744 wrote to memory of 1780	744	ipleagp.exe	ctfmon.exe
PID 744 wrote to memory of 1780	744	ipleagp.exe	ctfmon.exe
PID 744 wrote to memory of 1780	744	ipleagp.exe	ctfmon.exe

Suspicious behavior: EnumeratesProcesses 84 IoCs

Processes:

ipleagp.exeipleagp.exe

pid	process
1464	ipleagp.exe
1464	ipleagp.exe
1464	ipleagp.exe
1464	ipleagp.exe
1464	ipleagp.exe
1464	ipleagp.exe
1464	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe
744	ipleagp.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
Loads dropped DLL 1 IoCs

Processes:

tasks_206.vir.exe

pid process

1144 tasks_206.vir.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Explorer.EXE

description pid process

Token: SeShutdownPrivilege 1276 Explorer.EXE

pid	process
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE

pid	process
1144	tasks_206.vir.exe

description	pid	process
Token: SeShutdownPrivilege	1276	Explorer.EXE

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winsec32.exeExplorer.EXEipleagp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Admel = "\"C:\\Users\\Admin\\AppData\\Roaming\\Laleubx\\ipleagp.exe\""	winsec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admel = "\"C:\\Users\\Admin\\AppData\\Roaming\\Laleubx\\ipleagp.exe\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admel = "\"C:\\Users\\Admin\\AppData\\Roaming\\Laleubx\\ipleagp.exe\""	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Admel = "C:\\Users\\Admin\\AppData\\Roaming\\Laleubx\\ipleagp.exe"	ipleagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winsec32.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ipleagp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admel = "C:\\Users\\Admin\\AppData\\Roaming\\Laleubx\\ipleagp.exe"	ipleagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ipleagp.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Suspicious use of SendNotifyMessage
- Suspicious use of AdjustPrivilegeToken
- Adds Run key to start application
PID:1276

C:\Users\Admin\AppData\Local\Temp\tasks_206.vir.exe
"C:\Users\Admin\AppData\Local\Temp\tasks_206.vir.exe"
2⤵
- Drops file in Windows directory
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1144

C:\Users\Admin\AppData\Roaming\Laleubx\ipleagp.exe
"C:\Users\Admin\AppData\Roaming\Laleubx\ipleagp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
PID:1464

C:\Users\Admin\AppData\Roaming\Laleubx\ipleagp.exe
"C:\Users\Admin\AppData\Roaming\Laleubx\ipleagp.exe" -child
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:744

C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
5⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp11bf617a.bat"
3⤵
- Deletes itself
PID:784

C:\Windows\SysWOW64\winsec32.exe
"C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Admin\AppData\Roaming\Laleubx\ipleagp.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp11bf617a.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Laleubx\ipleagp.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Laleubx\ipleagp.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Laleubx\ipleagp.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LQ57SZ1X.txt

Download Submit
C:\Windows\SysWOW64\winsec32.exe

Download Submit
C:\Windows\SysWOW64\winsec32.exe

Download Submit
\Users\Admin\AppData\Roaming\Laleubx\ipleagp.exe

Download Submit
memory/744-8-0x0000000000000000-mapping.dmp

Download
memory/784-7-0x0000000000000000-mapping.dmp

Download
memory/1276-6-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1464-4-0x0000000000000000-mapping.dmp

Download
memory/1780-16-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads