zloader | c4ab81d7b7d44dd6dfc4f2b69dbe3f22fbf23c1ae49ab8edac2d26f85ae4514d

Target

ycof.exe.dll
Size

1.1MB
MD5

54a3bcca6b1eb92adb299a46df941826
SHA1

6988e010056d88985b8e8f8de06706327779d3ca
SHA256

c4ab81d7b7d44dd6dfc4f2b69dbe3f22fbf23c1ae49ab8edac2d26f85ae4514d
SHA512

4e4f10abf8a97f649060cb3eaa125a487141a42b87d2dc1449d87531d927031279bd7b48a3859ffa8f5d4400deea77022ecb00c61de8511756dc9c0d27e3f150

Score

10^/10

zloader 123 123 botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

123

Campaign

123

http://gipc.in/post.php

http://fbhindia.com/post.php

http://ecolenefiber.com/post.php

http://design.ecolenefiber.com/post.php

http://beta.marlics.ir/post.php

http://hari.pk/post.php

http://iaiskjmalang.ac.id/post.php

http://314xd.com/post.php

http://ejournal.iaiskjmalang.ac.id/post.php

http://duanvn.com/post.php

rc4.plain

rsa_pubkey.plain

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3796 created 3008 3796 WerFault.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

description	pid	process	target process
PID 3796 created 3008	3796	WerFault.exe	Explorer.EXE

Blocklisted process makes network request 26 IoCs

Processes:

msiexec.exe

flow	pid	process
8	1576	msiexec.exe
10	1576	msiexec.exe
11	1576	msiexec.exe
12	1576	msiexec.exe
13	1576	msiexec.exe
14	1576	msiexec.exe
15	1576	msiexec.exe
17	1576	msiexec.exe
19	1576	msiexec.exe
21	1576	msiexec.exe
23	1576	msiexec.exe
25	1576	msiexec.exe
27	1576	msiexec.exe
28	1576	msiexec.exe
30	1576	msiexec.exe
31	1576	msiexec.exe
33	1576	msiexec.exe
35	1576	msiexec.exe
37	1576	msiexec.exe
39	1576	msiexec.exe
40	1576	msiexec.exe
41	1576	msiexec.exe
42	1576	msiexec.exe
43	1576	msiexec.exe
52	1576	msiexec.exe
60	1576	msiexec.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2356 set thread context of 1576 2356 rundll32.exe msiexec.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

description	pid	process	target process
PID 2356 set thread context of 1576	2356	rundll32.exe	msiexec.exe

Drops file in Windows directory 5 IoCs

Processes:

explorer.exeSearchUI.exeShellExperienceHost.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\2717123927\1713683155.pri	explorer.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\4032412167\2690874625.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\4032412167\2690874625.pri	explorer.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3796 3008 WerFault.exe Explorer.EXE

pid	pid_target	process	target process
3796	3008	WerFault.exe	Explorer.EXE

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe

Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

1528 net.exe
3404 net.exe

pid	process
1528	net.exe
3404	net.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1160 ipconfig.exe

pid	process
1160	ipconfig.exe

Modifies registry class 29 IoCs

Processes:

SearchUI.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132766168982456120"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e5070a004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000003a2465121ebad70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e5070a004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000030dc18121ebad70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e50709004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000218621db20aed70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeWerFault.exeexplorer.exe

pid	process
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
3780	explorer.exe
3780	explorer.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe
1576	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rundll32.exeWerFault.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	2356	rundll32.exe
Token: SeCreatePagefilePrivilege	2356	rundll32.exe
Token: SeShutdownPrivilege	2356	rundll32.exe
Token: SeCreatePagefilePrivilege	2356	rundll32.exe
Token: SeShutdownPrivilege	2356	rundll32.exe
Token: SeCreatePagefilePrivilege	2356	rundll32.exe
Token: SeShutdownPrivilege	2356	rundll32.exe
Token: SeCreatePagefilePrivilege	2356	rundll32.exe
Token: SeShutdownPrivilege	2356	rundll32.exe
Token: SeCreatePagefilePrivilege	2356	rundll32.exe
Token: SeShutdownPrivilege	2356	rundll32.exe
Token: SeCreatePagefilePrivilege	2356	rundll32.exe
Token: SeDebugPrivilege	3796	WerFault.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe
Token: SeCreatePagefilePrivilege	3780	explorer.exe
Token: SeShutdownPrivilege	3780	explorer.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

explorer.exe

pid	process
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe

Suspicious use of SendNotifyMessage 23 IoCs

Processes:

explorer.exe

pid	process
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SearchUI.exeShellExperienceHost.exe

pid process

968 SearchUI.exe
4068 ShellExperienceHost.exe
4068 ShellExperienceHost.exe

pid	process
968	SearchUI.exe
4068	ShellExperienceHost.exe
4068	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

rundll32.exerundll32.exemsiexec.exenet.exe

description	pid	process	target process
PID 2160 wrote to memory of 2356	2160	rundll32.exe	rundll32.exe
PID 2160 wrote to memory of 2356	2160	rundll32.exe	rundll32.exe
PID 2160 wrote to memory of 2356	2160	rundll32.exe	rundll32.exe
PID 2356 wrote to memory of 1576	2356	rundll32.exe	msiexec.exe
PID 2356 wrote to memory of 1576	2356	rundll32.exe	msiexec.exe
PID 2356 wrote to memory of 1576	2356	rundll32.exe	msiexec.exe
PID 2356 wrote to memory of 1576	2356	rundll32.exe	msiexec.exe
PID 2356 wrote to memory of 1576	2356	rundll32.exe	msiexec.exe
PID 1576 wrote to memory of 1160	1576	msiexec.exe	ipconfig.exe
PID 1576 wrote to memory of 1160	1576	msiexec.exe	ipconfig.exe
PID 1576 wrote to memory of 1160	1576	msiexec.exe	ipconfig.exe
PID 1576 wrote to memory of 1236	1576	msiexec.exe	net.exe
PID 1576 wrote to memory of 1236	1576	msiexec.exe	net.exe
PID 1576 wrote to memory of 1236	1576	msiexec.exe	net.exe
PID 1236 wrote to memory of 752	1236	net.exe	net1.exe
PID 1236 wrote to memory of 752	1236	net.exe	net1.exe
PID 1236 wrote to memory of 752	1236	net.exe	net1.exe
PID 1576 wrote to memory of 1528	1576	msiexec.exe	net.exe
PID 1576 wrote to memory of 1528	1576	msiexec.exe	net.exe
PID 1576 wrote to memory of 1528	1576	msiexec.exe	net.exe
PID 1576 wrote to memory of 3404	1576	msiexec.exe	net.exe
PID 1576 wrote to memory of 3404	1576	msiexec.exe	net.exe
PID 1576 wrote to memory of 3404	1576	msiexec.exe	net.exe
PID 1576 wrote to memory of 3672	1576	msiexec.exe	nltest.exe
PID 1576 wrote to memory of 3672	1576	msiexec.exe	nltest.exe
PID 1576 wrote to memory of 2868	1576	msiexec.exe	nltest.exe
PID 1576 wrote to memory of 2868	1576	msiexec.exe	nltest.exe
PID 1576 wrote to memory of 3008	1576	msiexec.exe	Explorer.EXE
PID 1576 wrote to memory of 3008	1576	msiexec.exe	Explorer.EXE
PID 1576 wrote to memory of 3008	1576	msiexec.exe	Explorer.EXE
PID 1576 wrote to memory of 3780	1576	msiexec.exe	explorer.exe
PID 1576 wrote to memory of 3780	1576	msiexec.exe	explorer.exe
PID 1576 wrote to memory of 3780	1576	msiexec.exe	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3008

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ycof.exe.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ycof.exe.dll,#1
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
5⤵
- Gathers network information
PID:1160

C:\Windows\SysWOW64\net.exe
net config workstation
5⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 config workstation
6⤵
PID:752

C:\Windows\SysWOW64\net.exe
net view /all
5⤵
- Discovers systems in the same network
PID:1528

C:\Windows\SysWOW64\net.exe
net view /all /domain
5⤵
- Discovers systems in the same network
PID:3404

C:\Windows\SYSTEM32\nltest.exe
nltest /domain_trusts
5⤵
PID:3672

C:\Windows\SYSTEM32\nltest.exe
nltest /domain_trusts /all_trusts
5⤵
PID:2868

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3008 -s 2608
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3780

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4068

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ghjg\pvsu
MD5
77f747759afbae759f993909720c5b5d

SHA1
99e3e131e551b39f7f7e82bf444bd95ac712978c

SHA256
b210b0e728f9f178028e512f3a2f8c816628e002031bb6a5e47d98b7fd0d810c

SHA512
f1263628e3b545030a6a2e2c433474744065fc0416c2cbd01aa875fdf13e4672a368fb0affbfbc8dacd67933d25567ebbad106ba690ec16fc03c602ddabfc290

Download Submit
memory/752-127-0x0000000000000000-mapping.dmp

Download
memory/1160-124-0x0000000000000000-mapping.dmp

Download
memory/1236-125-0x0000000000000000-mapping.dmp

Download
memory/1528-128-0x0000000000000000-mapping.dmp

Download
memory/1576-119-0x0000000000000000-mapping.dmp

Download
memory/1576-122-0x0000000000660000-0x000000000068A000-memory.dmp

Filesize
168KB

Download
memory/1576-126-0x0000000004F30000-0x0000000004F33000-memory.dmp

Filesize
12KB

Download
memory/1576-123-0x0000000001320000-0x0000000001360000-memory.dmp

Filesize
256KB

Download
memory/2356-115-0x0000000000000000-mapping.dmp

Download
memory/2356-118-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2356-117-0x00000000739E0000-0x0000000074416000-memory.dmp

Filesize
10.2MB

Download
memory/2356-116-0x00000000739E0000-0x0000000073A0A000-memory.dmp

Filesize
168KB

Download
memory/2868-131-0x0000000000000000-mapping.dmp

Download
memory/3008-132-0x00000000010D0000-0x0000000001106000-memory.dmp

Filesize
216KB

Download
memory/3404-129-0x0000000000000000-mapping.dmp

Download
memory/3672-130-0x0000000000000000-mapping.dmp

Download
memory/3780-133-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/3780-134-0x0000000004520000-0x0000000004556000-memory.dmp

Filesize
216KB

Download