Analysis
-
max time kernel: 119s
max time network: 121s
platform: windows10_x64
resource: win10-en-20211104
submitted: 06-12-2021 12:52
Static task: static1
General
-
Target: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Size: 11.7MB
MD5: 4dadc2245fc209e51d9c22753f5a8eec
SHA1: 2e32247294f43fac2edcdd1d044c70b398e03905
SHA256: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
SHA512: 4d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
Processes: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
description | ioc | process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File created | C:\Windows\System32\drivers\etc\hosts | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
-
Executes dropped EXE 6 IoCs
Processes:
pid | process
3444 | gnaikub.exe
3948 | sefuddx.exe
360 | ~xeaoxaa.exe
772 | ~xeaoxaa.exe
920 | pymngci.exe
1816 | ~xeaoxaa.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\lezjchs\gnaikub.exe | upx
C:\Users\Admin\AppData\Local\Temp\lezjchs\gnaikub.exe | upx
C:\Users\Admin\AppData\Local\Temp\sefuddx.exe | upx
C:\Users\Admin\AppData\Local\Temp\sefuddx.exe | upx
C:\Users\Admin\AppData\Local\Temp\pymngci.exe | upx
C:\Users\Admin\AppData\Local\Temp\pymngci.exe | upx
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\International\Geo\Nation | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
-
Drops startup file 1 IoCs
Processes: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 28 IoCs
Processes: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe, Rundll32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | Rundll32.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\RunOnceEx | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
-
Drops desktop.ini file(s) 3 IoCs
Processes: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
description | ioc | process
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
description | ioc | process
File opened (read-only) | \??\z: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\k: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\l: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\m: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\q: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\n: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\r: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\j: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\o: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\p: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\s: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\a: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\b: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\f: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\h: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\u: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\v: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\w: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\x: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\e: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\g: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\i: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\t: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File opened (read-only) | \??\y: | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in Program Files directory 2 IoCs
Processes: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
File created | C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: runonce.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | runonce.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | runonce.exe
-
Processes: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe, ~xeaoxaa.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.136738.com/?31209" | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\First Home Page = "http://www.136738.com/?31209" | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Internet Explorer\Main | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.136738.com/?31209" | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\First Home Page = "http://www.136738.com/?31209" | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN | ~xeaoxaa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN | ~xeaoxaa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\First Home Page = "http://www.136738.com/?31209" | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.136738.com/?31209" | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN | ~xeaoxaa.exe
-
Modifies Internet Explorer start page 1 TTPs 3 IoCs
Processes: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.136738.com/?31209" | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.136738.com/?31209" | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.136738.com/?31209" | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
-
Modifies registry class 25 IoCs
Processes: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns\Command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" -extoff" | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set\Command | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\ = "Internet Explorer" | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set\Command\ = "C:\\Windows\\SysWOW64\\rundll32.exe C:\\Windows\\SysWOW64\\shell32.dll,Control_RunDLL C:\\Windows\\SysWOW64\\inetcpl.cpl" | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\DefaultIcon | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open\ = "打开主页(&H)" | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open\Command | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open\Command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\"" | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82} | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns\Command | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set\ = "属性(&R)" | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\DefaultIcon\ = "C:\\Windows\\SysWOW64\\ieframe.dll,-190" | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns\ = "在没有加载项的情况下启动" | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
-
Runs ping.exe 1 TTPs 4 IoCs
Processes:
pid | process
2196 | PING.EXE
2076 | PING.EXE
3860 | PING.EXE
1080 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2592 | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
(the same pid/process entry is repeated for all 64 IoCs)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | process
2592 | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe, ~xeaoxaa.exe, gnaikub.exe, sefuddx.exe, pymngci.exe
description | pid | process
Token: SeDebugPrivilege | 2592 | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Token: SeBackupPrivilege | 360 | ~xeaoxaa.exe
Token: SeRestorePrivilege | 360 | ~xeaoxaa.exe
Token: SeTakeOwnershipPrivilege | 360 | ~xeaoxaa.exe
Token: SeDebugPrivilege | 3524 | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Token: SeBackupPrivilege | 772 | ~xeaoxaa.exe
Token: SeRestorePrivilege | 772 | ~xeaoxaa.exe
Token: SeTakeOwnershipPrivilege | 772 | ~xeaoxaa.exe
Token: SeDebugPrivilege | 3444 | gnaikub.exe
Token: SeDebugPrivilege | 3948 | sefuddx.exe
Token: SeRestorePrivilege | 3948 | sefuddx.exe
Token: SeTakeOwnershipPrivilege | 3948 | sefuddx.exe
Token: SeDebugPrivilege | 3948 | sefuddx.exe
Token: SeSecurityPrivilege | 3948 | sefuddx.exe
Token: SeBackupPrivilege | 1816 | ~xeaoxaa.exe
Token: SeRestorePrivilege | 1816 | ~xeaoxaa.exe
Token: SeTakeOwnershipPrivilege | 1816 | ~xeaoxaa.exe
Token: SeDebugPrivilege | 920 | pymngci.exe
Token: SeRestorePrivilege | 920 | pymngci.exe
Token: SeTakeOwnershipPrivilege | 920 | pymngci.exe
Token: SeDebugPrivilege | 920 | pymngci.exe
Token: SeSecurityPrivilege | 920 | pymngci.exe
-
Suspicious use of FindShellTrayWindow 45 IoCs
Processes:
pid | process
2592 | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
(the same pid/process entry is repeated for all 45 IoCs)
-
Suspicious use of SendNotifyMessage 44 IoCs
Processes:
pid | process
2592 | 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
(the same pid/process entry is repeated for all 44 IoCs)
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe, gnaikub.exe, cmd.exe, Rundll32.exe, runonce.exe, cmd.exe, cmd.exe
description                          pid   process                                                                   target process   occurrences
PID 2592 wrote to memory of 3524     2592  488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe  488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe  3
PID 2592 wrote to memory of 3444     2592  488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe  gnaikub.exe      3
PID 2592 wrote to memory of 3948     2592  488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe  sefuddx.exe      3
PID 2592 wrote to memory of 360      2592  488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe  ~xeaoxaa.exe     2
PID 2592 wrote to memory of 772      2592  488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe  ~xeaoxaa.exe     2
PID 3444 wrote to memory of 2696     3444  gnaikub.exe                                                               cmd.exe          2
PID 2696 wrote to memory of 1080     2696  cmd.exe                                                                   PING.EXE         2
PID 2592 wrote to memory of 920      2592  488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe  pymngci.exe      3
PID 2592 wrote to memory of 1816     2592  488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe  ~xeaoxaa.exe     2
PID 2592 wrote to memory of 1928     2592  488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe  Rundll32.exe     2
PID 1928 wrote to memory of 1440     1928  Rundll32.exe                                                              runonce.exe      2
PID 1440 wrote to memory of 1760     1440  runonce.exe                                                               grpconv.exe      2
PID 2592 wrote to memory of 2408     2592  488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe  cmd.exe          2
PID 2592 wrote to memory of 1392     2592  488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe  cmd.exe          2
PID 1392 wrote to memory of 2076     1392  cmd.exe                                                                   PING.EXE         2
PID 2408 wrote to memory of 2196     2408  cmd.exe                                                                   PING.EXE         2
PID 2408 wrote to memory of 3860     2408  cmd.exe                                                                   PING.EXE         2
(the occurrences column collapses identical rows of the original listing; the counts sum to the 38 IoCs in the heading)
System policy modification 1 TTPs 3 IoCs
Processes: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
description       ioc                                                                                                         process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"      488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
Processes
(process tree; indentation shows the parent/child nesting, each entry lists the image path, the command line, and the signatures matched by that process)

C:\Users\Admin\AppData\Local\Temp\488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
command line: "C:\Users\Admin\AppData\Local\Temp\488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe"
- Drops file in Drivers directory
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification

  C:\Users\Admin\AppData\Local\Temp\488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe
  command line: C:\Users\Admin\AppData\Local\Temp\488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70.exe /nstart
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\lezjchs\gnaikub.exe
  command line: C:\Users\Admin\AppData\Local\Temp\lezjchs\gnaikub.exe /nys
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TMK9hnZ.bat
    - Suspicious use of WriteProcessMemory

      C:\Windows\system32\PING.EXE
      command line: ping -n 1 127.0.0.1
      - Runs ping.exe

  C:\Users\Admin\AppData\Local\Temp\sefuddx.exe
  command line: C:\Users\Admin\AppData\Local\Temp\sefuddx.exe /HomeRegAccess10
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\~xeaoxaa.exe
  command line: C:\Users\Admin\AppData\Local\Temp\~xeaoxaa.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn setowner -ownr "n:Administrators"
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\~xeaoxaa.exe
  command line: C:\Users\Admin\AppData\Local\Temp\~xeaoxaa.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn ace -ace "n:Everyone;p:full;i:np;m:set" -rec no
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\pymngci.exe
  command line: C:\Users\Admin\AppData\Local\Temp\pymngci.exe /HomeRegAccess10
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\~xeaoxaa.exe
  command line: C:\Users\Admin\AppData\Local\Temp\~xeaoxaa.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn ace -ace "n:Everyone;p:full;i:np;m:set" -rec no
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SYSTEM32\Rundll32.exe
  command line: Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Users\Admin\AppData\Local\Temp\~ljgffkl.inf
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\runonce.exe
    command line: "C:\Windows\system32\runonce.exe" -r
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory

      C:\Windows\System32\grpconv.exe
      command line: "C:\Windows\System32\grpconv.exe" -o

  C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kAoXldl.bat
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE
    command line: ping -n 1 127.0.0.1
    - Runs ping.exe

    C:\Windows\system32\PING.EXE
    command line: ping -n 3 127.0.0.1
    - Runs ping.exe

  C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xh8zApH.bat
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE
    command line: ping -n 1 127.0.0.1
    - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
(duplicate entries for the same dropped file, with identical hashes, have been collapsed to one entry each)

- C:\Users\Admin\AppData\Local\Temp\TMK9hnZ.bat
  MD5     4e661a81dc4d02ee3cb938fd2bd68522
  SHA1    cf25a3a31af83e9fc8a1a584ef58a86f6c93b763
  SHA256  5f3806784a353464b80bf4d7b5f1231f4e1af5d3eaed159948bda7d35ce1b53a
  SHA512  588e8b845d3c9722c98e7236fdd8226a575a7144bb92184492728ce65e06d5ae8186f57882b64c5f3c35e00f8a23c84e2b3fb8cfb42dffc3aff4865b3495f880

- C:\Users\Admin\AppData\Local\Temp\kAoXldl.bat
  MD5     f7c4d709207ea6594708913a6883be4d
  SHA1    467e5b4a9160366e63230e856a2076e15788129c
  SHA256  f75e7f08372bef17337ac69213852388f2586bb28738949ca58856e624ec841a
  SHA512  47d81768c121a21233968c9bf8ae182e4f74be70ea5047e0753120a85bde03ac54ab83c034fec9a1fb7f0af9a8f325ee87bd48bf8729fe141a9b77c73a689fac

- C:\Users\Admin\AppData\Local\Temp\lezjchs\gnaikub.exe
  MD5     4dadc2245fc209e51d9c22753f5a8eec
  SHA1    2e32247294f43fac2edcdd1d044c70b398e03905
  SHA256  488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
  SHA512  4d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14

- C:\Users\Admin\AppData\Local\Temp\pymngci.exe
  MD5     4dadc2245fc209e51d9c22753f5a8eec
  SHA1    2e32247294f43fac2edcdd1d044c70b398e03905
  SHA256  488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
  SHA512  4d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14

- C:\Users\Admin\AppData\Local\Temp\sefuddx.exe
  MD5     4dadc2245fc209e51d9c22753f5a8eec
  SHA1    2e32247294f43fac2edcdd1d044c70b398e03905
  SHA256  488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
  SHA512  4d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14

- C:\Users\Admin\AppData\Local\Temp\xh8zApH.bat
  MD5     7fda426716f4b50cb59c9a5791ae291f
  SHA1    dd7fdf9bca72fa9dae1b5e5f52f15d870989c745
  SHA256  e2eaedba7880f92b2d1ebdf951853a7b1bf82d28493642d957e6dc9c01b076ac
  SHA512  19dffd19961a4a8d7681c1325a18c54dccb2e1b3a4361100cb9ce6a4f7a71022fc51a1b8ff0fb8f0e46cb368184f275b1083faac8e90b8efd9350429106cc686

- C:\Users\Admin\AppData\Local\Temp\~ljgffkl.inf
  MD5     8f5f4837dd4a1680d79bbdca9cc1e08f
  SHA1    688b5d5ef993733b97b303ed4c8409a14b230de5
  SHA256  2bce6b9395cc74d16b9c94fd90debd9d524ffb53c6f6ae3a49b6e139671417b2
  SHA512  bd75b564fe3c93dffdc65fe58463378f54268308ca5eaba5fc7f80458016f331a6596bfdaf63845c1d5c6c60df2a0ec2aff94d2aae7797da4f5f975f0363bd66

- C:\Users\Admin\AppData\Local\Temp\~xeaoxaa.exe
  MD5     3e350eb5df15c06dec400a39dd1c6f29
  SHA1    f1434cfef2c05fda919922b721ec1a17adb3194e
  SHA256  427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419
  SHA512  b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6
Memory dumps:
- memory/360-125-0x0000000000000000-mapping.dmp
- memory/772-128-0x0000000000000000-mapping.dmp
- memory/920-134-0x0000000000000000-mapping.dmp
- memory/1080-133-0x0000000000000000-mapping.dmp
- memory/1392-144-0x0000000000000000-mapping.dmp
- memory/1440-141-0x0000000000000000-mapping.dmp
- memory/1760-142-0x0000000000000000-mapping.dmp
- memory/1816-137-0x0000000000000000-mapping.dmp
- memory/1928-139-0x0000000000000000-mapping.dmp
- memory/2076-147-0x0000000000000000-mapping.dmp
- memory/2196-148-0x0000000000000000-mapping.dmp
- memory/2408-143-0x0000000000000000-mapping.dmp
- memory/2696-130-0x0000000000000000-mapping.dmp
- memory/3444-131-0x00000000047B0000-0x00000000047B1000-memory.dmp  (Filesize: 4KB)
- memory/3444-119-0x0000000000000000-mapping.dmp
- memory/3524-118-0x0000000000000000-mapping.dmp
- memory/3860-149-0x0000000000000000-mapping.dmp
- memory/3948-122-0x0000000000000000-mapping.dmp