e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

General

Target

fl.exe
Size

1.3MB
MD5

c607b8bf42f152de754d361bae337bdc
SHA1

642fdb6a3aef4b82056a4fd69af925622188b78a
SHA256

e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a
SHA512

a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Score

10^/10

evasion persistence themida trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1908 created 1132 1908 WerFault.exe RegHost.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

pid process

1292 RegHost.exe
616 RegHost.exe
2672 RegHost.exe
2152 RegHost.exe
1532 RegHost.exe
1132 RegHost.exe

description	pid	process	target process
PID 1908 created 1132	1908	WerFault.exe	RegHost.exe

pid	process
1292	RegHost.exe
616	RegHost.exe
2672	RegHost.exe
2152	RegHost.exe
1532	RegHost.exe
1132	RegHost.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1880-118-0x0000000140000000-0x000000014274C000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exefl.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe

Themida packer 28 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2508-115-0x00007FF6B2990000-0x00007FF6B2DD9000-memory.dmp	themida
behavioral2/memory/2508-116-0x00007FF6B2990000-0x00007FF6B2DD9000-memory.dmp	themida
behavioral2/memory/2508-117-0x00007FF6B2990000-0x00007FF6B2DD9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/1292-123-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida
behavioral2/memory/1292-124-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida
behavioral2/memory/1292-125-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/616-130-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida
behavioral2/memory/616-131-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida
behavioral2/memory/616-132-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/2672-137-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida
behavioral2/memory/2672-138-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida
behavioral2/memory/2672-139-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/2152-144-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida
behavioral2/memory/2152-145-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida
behavioral2/memory/2152-146-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/1532-151-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida
behavioral2/memory/1532-152-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida
behavioral2/memory/1532-153-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/1132-158-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida
behavioral2/memory/1132-159-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida
behavioral2/memory/1132-160-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp	themida

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fl.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	fl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

fl.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe

Suspicious use of SetThreadContext 12 IoCs

Processes:

fl.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	pid	process	target process
PID 2508 set thread context of 1880	2508	fl.exe	bfsvc.exe
PID 2508 set thread context of 3624	2508	fl.exe	explorer.exe
PID 1292 set thread context of 1372	1292	RegHost.exe	bfsvc.exe
PID 1292 set thread context of 3144	1292	RegHost.exe	explorer.exe
PID 616 set thread context of 3272	616	RegHost.exe	bfsvc.exe
PID 616 set thread context of 2616	616	RegHost.exe	explorer.exe
PID 2672 set thread context of 2364	2672	RegHost.exe	bfsvc.exe
PID 2672 set thread context of 2408	2672	RegHost.exe	explorer.exe
PID 2152 set thread context of 4048	2152	RegHost.exe	bfsvc.exe
PID 2152 set thread context of 3544	2152	RegHost.exe	explorer.exe
PID 1532 set thread context of 3408	1532	RegHost.exe	bfsvc.exe
PID 1532 set thread context of 3636	1532	RegHost.exe	explorer.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1908 1132 WerFault.exe RegHost.exe

pid	pid_target	process	target process
1908	1132	WerFault.exe	RegHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1908 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1908	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fl.exeexplorer.exeRegHost.exeexplorer.exeRegHost.exe

description	pid	process	target process
PID 2508 wrote to memory of 1880	2508	fl.exe	bfsvc.exe
PID 2508 wrote to memory of 1880	2508	fl.exe	bfsvc.exe
PID 2508 wrote to memory of 1880	2508	fl.exe	bfsvc.exe
PID 2508 wrote to memory of 1880	2508	fl.exe	bfsvc.exe
PID 2508 wrote to memory of 1880	2508	fl.exe	bfsvc.exe
PID 2508 wrote to memory of 1880	2508	fl.exe	bfsvc.exe
PID 2508 wrote to memory of 1880	2508	fl.exe	bfsvc.exe
PID 2508 wrote to memory of 1880	2508	fl.exe	bfsvc.exe
PID 2508 wrote to memory of 1880	2508	fl.exe	bfsvc.exe
PID 2508 wrote to memory of 3624	2508	fl.exe	explorer.exe
PID 2508 wrote to memory of 3624	2508	fl.exe	explorer.exe
PID 2508 wrote to memory of 3624	2508	fl.exe	explorer.exe
PID 2508 wrote to memory of 3624	2508	fl.exe	explorer.exe
PID 2508 wrote to memory of 3624	2508	fl.exe	explorer.exe
PID 2508 wrote to memory of 3624	2508	fl.exe	explorer.exe
PID 2508 wrote to memory of 3624	2508	fl.exe	explorer.exe
PID 2508 wrote to memory of 3624	2508	fl.exe	explorer.exe
PID 2508 wrote to memory of 3624	2508	fl.exe	explorer.exe
PID 2508 wrote to memory of 3624	2508	fl.exe	explorer.exe
PID 2508 wrote to memory of 3624	2508	fl.exe	explorer.exe
PID 2508 wrote to memory of 3624	2508	fl.exe	explorer.exe
PID 2508 wrote to memory of 3624	2508	fl.exe	explorer.exe
PID 2508 wrote to memory of 3624	2508	fl.exe	explorer.exe
PID 2508 wrote to memory of 3624	2508	fl.exe	explorer.exe
PID 2508 wrote to memory of 3624	2508	fl.exe	explorer.exe
PID 2508 wrote to memory of 3624	2508	fl.exe	explorer.exe
PID 3624 wrote to memory of 1292	3624	explorer.exe	RegHost.exe
PID 3624 wrote to memory of 1292	3624	explorer.exe	RegHost.exe
PID 1292 wrote to memory of 1372	1292	RegHost.exe	bfsvc.exe
PID 1292 wrote to memory of 1372	1292	RegHost.exe	bfsvc.exe
PID 1292 wrote to memory of 1372	1292	RegHost.exe	bfsvc.exe
PID 1292 wrote to memory of 1372	1292	RegHost.exe	bfsvc.exe
PID 1292 wrote to memory of 1372	1292	RegHost.exe	bfsvc.exe
PID 1292 wrote to memory of 1372	1292	RegHost.exe	bfsvc.exe
PID 1292 wrote to memory of 1372	1292	RegHost.exe	bfsvc.exe
PID 1292 wrote to memory of 1372	1292	RegHost.exe	bfsvc.exe
PID 1292 wrote to memory of 1372	1292	RegHost.exe	bfsvc.exe
PID 1292 wrote to memory of 3144	1292	RegHost.exe	explorer.exe
PID 1292 wrote to memory of 3144	1292	RegHost.exe	explorer.exe
PID 1292 wrote to memory of 3144	1292	RegHost.exe	explorer.exe
PID 1292 wrote to memory of 3144	1292	RegHost.exe	explorer.exe
PID 1292 wrote to memory of 3144	1292	RegHost.exe	explorer.exe
PID 1292 wrote to memory of 3144	1292	RegHost.exe	explorer.exe
PID 1292 wrote to memory of 3144	1292	RegHost.exe	explorer.exe
PID 1292 wrote to memory of 3144	1292	RegHost.exe	explorer.exe
PID 1292 wrote to memory of 3144	1292	RegHost.exe	explorer.exe
PID 1292 wrote to memory of 3144	1292	RegHost.exe	explorer.exe
PID 1292 wrote to memory of 3144	1292	RegHost.exe	explorer.exe
PID 1292 wrote to memory of 3144	1292	RegHost.exe	explorer.exe
PID 1292 wrote to memory of 3144	1292	RegHost.exe	explorer.exe
PID 1292 wrote to memory of 3144	1292	RegHost.exe	explorer.exe
PID 1292 wrote to memory of 3144	1292	RegHost.exe	explorer.exe
PID 1292 wrote to memory of 3144	1292	RegHost.exe	explorer.exe
PID 1292 wrote to memory of 3144	1292	RegHost.exe	explorer.exe
PID 3144 wrote to memory of 616	3144	explorer.exe	RegHost.exe
PID 3144 wrote to memory of 616	3144	explorer.exe	RegHost.exe
PID 616 wrote to memory of 3272	616	RegHost.exe	bfsvc.exe
PID 616 wrote to memory of 3272	616	RegHost.exe	bfsvc.exe
PID 616 wrote to memory of 3272	616	RegHost.exe	bfsvc.exe
PID 616 wrote to memory of 3272	616	RegHost.exe	bfsvc.exe
PID 616 wrote to memory of 3272	616	RegHost.exe	bfsvc.exe
PID 616 wrote to memory of 3272	616	RegHost.exe	bfsvc.exe
PID 616 wrote to memory of 3272	616	RegHost.exe	bfsvc.exe
PID 616 wrote to memory of 3272	616	RegHost.exe	bfsvc.exe

C:\Users\Admin\AppData\Local\Temp\fl.exe
"C:\Users\Admin\AppData\Local\Temp\fl.exe"
1⤵
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
2⤵
PID:1880

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Microsoft%20Basic%20Display%20Adapter" "pidr" "ton"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3624

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
4⤵
PID:1372

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Microsoft%20Basic%20Display%20Adapter" "pidr" "ton"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3144

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
6⤵
PID:3272

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Microsoft%20Basic%20Display%20Adapter" "pidr" "ton"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2616

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2672

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
8⤵
PID:2364

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Microsoft%20Basic%20Display%20Adapter" "pidr" "ton"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2408

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2152

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
10⤵
PID:4048

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Microsoft%20Basic%20Display%20Adapter" "pidr" "ton"
10⤵
PID:3544

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
11⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1532

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
12⤵
PID:3408

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Microsoft%20Basic%20Display%20Adapter" "pidr" "ton"
12⤵
PID:3636

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
13⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
PID:1132

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1132 -s 428
14⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

1

T1089

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
memory/616-130-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/616-132-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/616-131-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/1132-158-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/1132-159-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/1132-160-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/1292-124-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/1292-123-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/1292-125-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/1532-153-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/1532-152-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/1532-151-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/1880-118-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/2152-145-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/2152-144-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/2152-146-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/2408-142-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2508-116-0x00007FF6B2990000-0x00007FF6B2DD9000-memory.dmp

Filesize
4.3MB

Download
memory/2508-117-0x00007FF6B2990000-0x00007FF6B2DD9000-memory.dmp

Filesize
4.3MB

Download
memory/2508-115-0x00007FF6B2990000-0x00007FF6B2DD9000-memory.dmp

Filesize
4.3MB

Download
memory/2616-135-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2672-139-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/2672-138-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/2672-137-0x00007FF7A6400000-0x00007FF7A6849000-memory.dmp

Filesize
4.3MB

Download
memory/3144-128-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3544-149-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3624-119-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3624-121-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3636-156-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads