b6f0422e0ce7fd8f2ad23bc2ff2fab72b331e252810ce7a4582217a3bea32c67

Reason

Machine shutdown

General

Target

action_2.0.8.9.vir.exe
Size

380KB
MD5

11b3ae60c845189bbec476f762476e69
SHA1

28461e56f09813363ccc1fa686e48938afde7ec4
SHA256

b6f0422e0ce7fd8f2ad23bc2ff2fab72b331e252810ce7a4582217a3bea32c67
SHA512

4b235b560f0cd9d011017aec3ccbe5636a3c78905ecc401403ec2e01db809bfa3c4ecf973615ded1b54041c7e0a572ac9e6031fd56615a3621d4a9351c40c88e

Score

10^/10

persistence evasion trojan spyware

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

action_2.0.8.9.vir.exeteroq.exe

description pid process

Token: SeSecurityPrivilege 1156 action_2.0.8.9.vir.exe
Token: SeShutdownPrivilege 1240 teroq.exe
Loads dropped DLL 2 IoCs

Processes:

action_2.0.8.9.vir.exe

pid process

1156 action_2.0.8.9.vir.exe
1156 action_2.0.8.9.vir.exe

description	pid	process
Token: SeSecurityPrivilege	1156	action_2.0.8.9.vir.exe
Token: SeShutdownPrivilege	1240	teroq.exe

pid	process
1156	action_2.0.8.9.vir.exe
1156	action_2.0.8.9.vir.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

action_2.0.8.9.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run	action_2.0.8.9.vir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{48CDB708-3EC4-A593-221B-638300B5B725} = "C:\\Users\\Admin\\AppData\\Roaming\\Avbuug\\teroq.exe"	action_2.0.8.9.vir.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Disabling Security Tools
T1089

Service Stop
T1489

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

mstsc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy	mstsc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	mstsc.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	mstsc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "1"	mstsc.exe

Suspicious use of WriteProcessMemory 125 IoCs

Processes:

action_2.0.8.9.vir.exeteroq.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1156 wrote to memory of 1240	1156	action_2.0.8.9.vir.exe	teroq.exe
PID 1156 wrote to memory of 1240	1156	action_2.0.8.9.vir.exe	teroq.exe
PID 1156 wrote to memory of 1240	1156	action_2.0.8.9.vir.exe	teroq.exe
PID 1156 wrote to memory of 1240	1156	action_2.0.8.9.vir.exe	teroq.exe
PID 1240 wrote to memory of 1244	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1244	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1244	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1244	1240	teroq.exe	cmd.exe
PID 1156 wrote to memory of 1444	1156	action_2.0.8.9.vir.exe	cmd.exe
PID 1156 wrote to memory of 1444	1156	action_2.0.8.9.vir.exe	cmd.exe
PID 1156 wrote to memory of 1444	1156	action_2.0.8.9.vir.exe	cmd.exe
PID 1156 wrote to memory of 1444	1156	action_2.0.8.9.vir.exe	cmd.exe
PID 1244 wrote to memory of 932	1244	cmd.exe	sc.exe
PID 1244 wrote to memory of 932	1244	cmd.exe	sc.exe
PID 1244 wrote to memory of 932	1244	cmd.exe	sc.exe
PID 1244 wrote to memory of 932	1244	cmd.exe	sc.exe
PID 1240 wrote to memory of 836	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 836	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 836	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 836	1240	teroq.exe	cmd.exe
PID 836 wrote to memory of 456	836	cmd.exe	sc.exe
PID 836 wrote to memory of 456	836	cmd.exe	sc.exe
PID 836 wrote to memory of 456	836	cmd.exe	sc.exe
PID 836 wrote to memory of 456	836	cmd.exe	sc.exe
PID 1240 wrote to memory of 1068	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1068	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1068	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1068	1240	teroq.exe	cmd.exe
PID 1068 wrote to memory of 1552	1068	cmd.exe	sc.exe
PID 1068 wrote to memory of 1552	1068	cmd.exe	sc.exe
PID 1068 wrote to memory of 1552	1068	cmd.exe	sc.exe
PID 1068 wrote to memory of 1552	1068	cmd.exe	sc.exe
PID 1240 wrote to memory of 1520	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1520	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1520	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1520	1240	teroq.exe	cmd.exe
PID 1520 wrote to memory of 1328	1520	cmd.exe	sc.exe
PID 1520 wrote to memory of 1328	1520	cmd.exe	sc.exe
PID 1520 wrote to memory of 1328	1520	cmd.exe	sc.exe
PID 1520 wrote to memory of 1328	1520	cmd.exe	sc.exe
PID 1240 wrote to memory of 1832	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1832	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1832	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1832	1240	teroq.exe	cmd.exe
PID 1832 wrote to memory of 1796	1832	cmd.exe	sc.exe
PID 1832 wrote to memory of 1796	1832	cmd.exe	sc.exe
PID 1832 wrote to memory of 1796	1832	cmd.exe	sc.exe
PID 1832 wrote to memory of 1796	1832	cmd.exe	sc.exe
PID 1240 wrote to memory of 1692	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1692	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1692	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1692	1240	teroq.exe	cmd.exe
PID 1692 wrote to memory of 1612	1692	cmd.exe	sc.exe
PID 1692 wrote to memory of 1612	1692	cmd.exe	sc.exe
PID 1692 wrote to memory of 1612	1692	cmd.exe	sc.exe
PID 1692 wrote to memory of 1612	1692	cmd.exe	sc.exe
PID 1240 wrote to memory of 1660	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1660	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1660	1240	teroq.exe	cmd.exe
PID 1240 wrote to memory of 1660	1240	teroq.exe	cmd.exe
PID 1660 wrote to memory of 1576	1660	cmd.exe	sc.exe
PID 1660 wrote to memory of 1576	1660	cmd.exe	sc.exe
PID 1660 wrote to memory of 1576	1660	cmd.exe	sc.exe
PID 1660 wrote to memory of 1576	1660	cmd.exe	sc.exe

Executes dropped EXE 1 IoCs

Processes:

teroq.exe

pid process

1240 teroq.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1444 cmd.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

pid	process
1240	teroq.exe

pid	process
1444	cmd.exe

C:\Users\Admin\AppData\Local\Temp\action_2.0.8.9.vir.exe
"C:\Users\Admin\AppData\Local\Temp\action_2.0.8.9.vir.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Roaming\Avbuug\teroq.exe
"C:\Users\Admin\AppData\Roaming\Avbuug\teroq.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc stop wuauserv
3⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\sc.exe
sc stop wuauserv
4⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc config wuauserv start= disabled
3⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\sc.exe
sc config wuauserv start= disabled
4⤵
PID:456

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc stop wscsvc
3⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\sc.exe
sc stop wscsvc
4⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc config wscsvc start= disabled
3⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\sc.exe
sc config wscsvc start= disabled
4⤵
PID:1328

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc stop WinDefend
3⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
4⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc config WinDefend start= disabled
3⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\sc.exe
sc config WinDefend start= disabled
4⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc stop WdNisSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\sc.exe
sc stop WdNisSvc
4⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc config WdNisSvc start= disabled
3⤵
PID:1904

C:\Windows\SysWOW64\sc.exe
sc config WdNisSvc start= disabled
4⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
3⤵
PID:1900

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
3⤵
PID:1908

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
3⤵
PID:1976

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:368

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
3⤵
PID:808

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:564

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc stop MpsSvc
3⤵
PID:1092

C:\Windows\SysWOW64\sc.exe
sc stop MpsSvc
4⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc config MpsSvc start= disabled
3⤵
PID:1184

C:\Windows\SysWOW64\sc.exe
sc config MpsSvc start= disabled
4⤵
PID:1584

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
3⤵
- Modifies Internet Explorer settings
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9f3bf52b.bat" C:\Users\Admin\AppData\Local\Temp\action_2.0.8.9.vir.exe"
2⤵
- Deletes itself
PID:1444

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:624

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9f3bf52b.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Avbuug\teroq.exe

Download Submit
\Users\Admin\AppData\Roaming\Avbuug\teroq.exe

Download Submit
\Users\Admin\AppData\Roaming\Avbuug\teroq.exe

Download Submit
memory/368-29-0x0000000000000000-mapping.dmp

Download
memory/456-11-0x0000000000000000-mapping.dmp

Download
memory/564-31-0x0000000000000000-mapping.dmp

Download
memory/808-30-0x0000000000000000-mapping.dmp

Download
memory/836-10-0x0000000000000000-mapping.dmp

Download
memory/932-9-0x0000000000000000-mapping.dmp

Download
memory/1068-12-0x0000000000000000-mapping.dmp

Download
memory/1092-32-0x0000000000000000-mapping.dmp

Download
memory/1156-0-0x00000000005DF000-0x00000000005E0000-memory.dmp

Filesize
4KB

Download
memory/1184-34-0x0000000000000000-mapping.dmp

Download
memory/1192-36-0x0000000000080000-0x00000000000CD000-memory.dmp

Filesize
308KB

Download
memory/1192-37-0x0000000000080000-0x00000000000CD000-memory.dmp

Filesize
308KB

Download
memory/1192-38-0x0000000000000000-mapping.dmp

Download
memory/1240-5-0x00000000002EE000-0x00000000002EF000-memory.dmp

Filesize
4KB

Download
memory/1240-3-0x0000000000000000-mapping.dmp

Download
memory/1244-6-0x0000000000000000-mapping.dmp

Download
memory/1328-15-0x0000000000000000-mapping.dmp

Download
memory/1444-7-0x0000000000000000-mapping.dmp

Download
memory/1520-14-0x0000000000000000-mapping.dmp

Download
memory/1552-13-0x0000000000000000-mapping.dmp

Download
memory/1576-21-0x0000000000000000-mapping.dmp

Download
memory/1584-35-0x0000000000000000-mapping.dmp

Download
memory/1612-19-0x0000000000000000-mapping.dmp

Download
memory/1660-20-0x0000000000000000-mapping.dmp

Download
memory/1692-18-0x0000000000000000-mapping.dmp

Download
memory/1796-17-0x0000000000000000-mapping.dmp

Download
memory/1832-16-0x0000000000000000-mapping.dmp

Download
memory/1844-23-0x0000000000000000-mapping.dmp

Download
memory/1900-24-0x0000000000000000-mapping.dmp

Download
memory/1904-22-0x0000000000000000-mapping.dmp

Download
memory/1908-26-0x0000000000000000-mapping.dmp

Download
memory/1932-25-0x0000000000000000-mapping.dmp

Download
memory/1976-28-0x0000000000000000-mapping.dmp

Download
memory/2016-33-0x0000000000000000-mapping.dmp

Download
memory/2040-27-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads