Analysis
-
max time kernel: 166s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 16-05-2022 16:33
Static task: static1
Behavioral task: behavioral1
Sample: a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
Resource: win7-20220414-en
General
-
Target: a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
Size: 944KB
MD5: e4f4b58d13524ae7521d07274eabc0f0
SHA1: 0cb88305e8e0e8a9dea1db8025caede6f6f256bb
SHA256: a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2
SHA512: 8593105fa62843dd144a900ddb1ae9f4ffda76549f240166418c10b585e5c8df9397a0c3eef7215e1784d103c6a3ab578efd1aaf63b76852d310890d7d262b4d
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4688-133-0x0000000010000000-0x0000000010023000-memory.dmp  family_gh0strat
behavioral2/memory/4664-139-0x0000000010000000-0x0000000010023000-memory.dmp  family_gh0strat
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
XMRig Miner Payload 7 IoCs
Processes:
resource  yara_rule
C:\Windows\IIS\CPUInfo.exe  xmrig
C:\Windows\IIS\CPUInfo.exe  xmrig
C:\Users\Admin\AppData\Local\Temp\las.exe  xmrig
C:\Users\Admin\AppData\Local\Temp\las.exe  xmrig
C:\Windows\rBcOd\awtqnk.exe  xmrig
C:\Windows\rBcOd\awtqnk.exe  xmrig
behavioral2/memory/2012-190-0x0000000000400000-0x0000000002054000-memory.dmp  xmrig
-
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
Processes:
pid   process
4688  84.exe
4664  systeinfo.exe
4384  systeinfo.exe
2220  systeinfo.exe
408   CPUInfo.exe
4712  84.exe
2012  las.exe
1300  awtqnk.exe
1612  65.exe
-
Sets service image path in registry 2 TTPs
-
Processes:
resource  yara_rule
behavioral2/memory/1612-212-0x0000000010000000-0x000000001017D000-memory.dmp  upx
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                   process
Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  CPUInfo.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  awtqnk.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  84.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
-
Drops file in System32 directory 8 IoCs
Processes:
description                   ioc                                                                                                                                  process
File created                  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{66DF9D4D-5422-49A6-B399-109A13E0DCA6}.catalogItem  svchost.exe
File created                  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3886B73A-4DBF-46B1-8C37-DB5A25F7325F}.catalogItem  svchost.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5                                      systeinfo.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE                                               systeinfo.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies                                                systeinfo.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5                                        systeinfo.exe
File created                  C:\Windows\SysWOW64\systeinfo.exe                                                                                                    84.exe
File opened for modification  C:\Windows\SysWOW64\systeinfo.exe                                                                                                    84.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
description                   ioc                                    process
File created                  C:\Program Files\AppPatch\mysqld.dll   65.exe
File opened for modification  C:\Program Files\AppPatch\mysqld.dll   65.exe
-
Drops file in Windows directory 13 IoCs
Processes:
description                   ioc                           process
File created                  C:\Windows\IIS\iis.reg        CPUInfo.exe
File created                  C:\Windows\IME\tps.exe        las.exe
File created                  C:\Windows\boy.exe            las.exe
File created                  C:\Windows\SB360.BAT          a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
File created                  C:\Windows\SB3600.BAT         a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
File created                  C:\Windows\end.bat            awtqnk.exe
File opened for modification  C:\Windows\end.bat            awtqnk.exe
File created                  C:\Windows\IIS\CPUInfo.exe    a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
File created                  C:\Windows\IIS\srvany.exe     CPUInfo.exe
File created                  C:\Windows\IIS\1.BAT          CPUInfo.exe
File created                  C:\Windows\rBcOd\tscl.html    las.exe
File created                  C:\Windows\rBcOd\awtqnk.exe   las.exe
File opened for modification  C:\Windows\SB360.BAT          a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
pid   pid_target  process       target process
176   4664        WerFault.exe  systeinfo.exe
4216  4664        WerFault.exe  systeinfo.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                                 process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                    svchost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz               svchost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  svchost.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
description        ioc                                                      process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS       svchost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  svchost.exe
-
Modifies data under HKEY_USERS 24 IoCs
Processes:
description      ioc                                                                                                                        process
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"            systeinfo.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  systeinfo.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"              systeinfo.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  systeinfo.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"              systeinfo.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"             systeinfo.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                               systeinfo.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"              systeinfo.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"            systeinfo.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix          systeinfo.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"               systeinfo.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  systeinfo.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  systeinfo.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"               systeinfo.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"             systeinfo.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"               systeinfo.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  systeinfo.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"            systeinfo.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                               systeinfo.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix          systeinfo.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix          systeinfo.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  systeinfo.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                               systeinfo.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"             systeinfo.exe
-
Runs .reg file with regedit 1 IoCs
Processes:
pid   process
4324  regedit.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid   process
4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
408   CPUInfo.exe
408   CPUInfo.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description                        pid   process
Token: SeIncBasePriorityPrivilege  4688  84.exe
-
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
pid   process
4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
408   CPUInfo.exe
408   CPUInfo.exe
2012  las.exe
2012  las.exe
1300  awtqnk.exe
1300  awtqnk.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                       pid   process                                                                target process
PID 4468 wrote to memory of 4688  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  84.exe
PID 4468 wrote to memory of 4688  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  84.exe
PID 4468 wrote to memory of 4688  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  84.exe
PID 4664 wrote to memory of 4384  4664  systeinfo.exe  systeinfo.exe
PID 4664 wrote to memory of 4384  4664  systeinfo.exe  systeinfo.exe
PID 4664 wrote to memory of 4384  4664  systeinfo.exe  systeinfo.exe
PID 4664 wrote to memory of 2220  4664  systeinfo.exe  systeinfo.exe
PID 4664 wrote to memory of 2220  4664  systeinfo.exe  systeinfo.exe
PID 4664 wrote to memory of 2220  4664  systeinfo.exe  systeinfo.exe
PID 4688 wrote to memory of 208   4688  84.exe  cmd.exe
PID 4688 wrote to memory of 208   4688  84.exe  cmd.exe
PID 4688 wrote to memory of 208   4688  84.exe  cmd.exe
PID 4664 wrote to memory of 176   4664  systeinfo.exe  WerFault.exe
PID 4664 wrote to memory of 176   4664  systeinfo.exe  WerFault.exe
PID 4664 wrote to memory of 176   4664  systeinfo.exe  WerFault.exe
PID 4468 wrote to memory of 408   4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  CPUInfo.exe
PID 4468 wrote to memory of 408   4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  CPUInfo.exe
PID 4468 wrote to memory of 408   4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  CPUInfo.exe
PID 408 wrote to memory of 2712   408   CPUInfo.exe  cmd.exe
PID 408 wrote to memory of 2712   408   CPUInfo.exe  cmd.exe
PID 408 wrote to memory of 2712   408   CPUInfo.exe  cmd.exe
PID 2712 wrote to memory of 4324  2712  cmd.exe  regedit.exe
PID 2712 wrote to memory of 4324  2712  cmd.exe  regedit.exe
PID 2712 wrote to memory of 4324  2712  cmd.exe  regedit.exe
PID 4468 wrote to memory of 4712  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  84.exe
PID 4468 wrote to memory of 4712  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  84.exe
PID 4468 wrote to memory of 4712  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  84.exe
PID 4468 wrote to memory of 2012  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  las.exe
PID 4468 wrote to memory of 2012  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  las.exe
PID 4468 wrote to memory of 2012  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  las.exe
PID 2012 wrote to memory of 1300  2012  las.exe  awtqnk.exe
PID 2012 wrote to memory of 1300  2012  las.exe  awtqnk.exe
PID 2012 wrote to memory of 1300  2012  las.exe  awtqnk.exe
PID 4468 wrote to memory of 3608  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  cmd.exe
PID 4468 wrote to memory of 3608  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  cmd.exe
PID 4468 wrote to memory of 3608  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  cmd.exe
PID 4468 wrote to memory of 2016  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  cmd.exe
PID 4468 wrote to memory of 2016  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  cmd.exe
PID 4468 wrote to memory of 2016  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  cmd.exe
PID 4468 wrote to memory of 1084  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  cmd.exe
PID 4468 wrote to memory of 1084  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  cmd.exe
PID 4468 wrote to memory of 1084  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  cmd.exe
PID 3608 wrote to memory of 2312  3608  cmd.exe  netsh.exe
PID 3608 wrote to memory of 2312  3608  cmd.exe  netsh.exe
PID 3608 wrote to memory of 2312  3608  cmd.exe  netsh.exe
PID 2016 wrote to memory of 3316  2016  cmd.exe  netsh.exe
PID 2016 wrote to memory of 3316  2016  cmd.exe  netsh.exe
PID 2016 wrote to memory of 3316  2016  cmd.exe  netsh.exe
PID 2012 wrote to memory of 1568  2012  las.exe  cmd.exe
PID 2012 wrote to memory of 1568  2012  las.exe  cmd.exe
PID 2012 wrote to memory of 1568  2012  las.exe  cmd.exe
PID 1300 wrote to memory of 3188  1300  awtqnk.exe  cmd.exe
PID 1300 wrote to memory of 3188  1300  awtqnk.exe  cmd.exe
PID 1300 wrote to memory of 3188  1300  awtqnk.exe  cmd.exe
PID 1084 wrote to memory of 2996  1084  cmd.exe  netsh.exe
PID 1084 wrote to memory of 2996  1084  cmd.exe  netsh.exe
PID 1084 wrote to memory of 2996  1084  cmd.exe  netsh.exe
PID 3188 wrote to memory of 4972  3188  cmd.exe  netsh.exe
PID 3188 wrote to memory of 4972  3188  cmd.exe  netsh.exe
PID 3188 wrote to memory of 4972  3188  cmd.exe  netsh.exe
PID 4468 wrote to memory of 1612  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  65.exe
PID 4468 wrote to memory of 1612  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  65.exe
PID 4468 wrote to memory of 1612  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  65.exe
PID 4468 wrote to memory of 1156  4468  a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe  cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\84.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\84.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\84.exe > nul
-
  C:\Windows\IIS\CPUInfo.exe
    cmdline: "C:\Windows\IIS\CPUInfo.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\IIS\1.BAT" "
      - Suspicious use of WriteProcessMemory
-
      C:\Windows\SysWOW64\regedit.exe
        cmdline: regedit.exe /s iis.reg
        - Runs .reg file with regedit
-
  C:\Users\Admin\AppData\Local\Temp\84.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\84.exe
    - Executes dropped EXE
-
  C:\Users\Admin\AppData\Local\Temp\las.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\las.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\rBcOd\awtqnk.exe
      cmdline: C:\Windows\rBcOd\awtqnk.exe
      - Executes dropped EXE
      - Checks computer location settings
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
-
      C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
        - Suspicious use of WriteProcessMemory
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add policy name=ipsec_ply
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filterlist name=deny_pt
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filterlist name=allow_pt
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filteraction name=deny action=block
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filteraction name=allow action=negotiate
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static set policy name=ipsec_ply assign=y
-
      C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add policy name=ipsec_ply
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filterlist name=deny_pt
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filterlist name=allow_pt
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filteraction name=deny action=block
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filteraction name=allow action=negotiate
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static set policy name=ipsec_ply assign=y
-
      C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add policy name=ipsec_ply
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filterlist name=deny_pt
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filterlist name=allow_pt
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filteraction name=deny action=block
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add filteraction name=allow action=negotiate
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
-
        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh ipsec static set policy name=ipsec_ply assign=y
-
    C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\las.exe"
-
  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\SB360.BAT" "
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\netsh.exe
      cmdline: netsh ipsec static add policy name=░▓╚½▓▀┬╘20170621
-
  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\SB360.BAT" "
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\netsh.exe
      cmdline: netsh ipsec static add policy name=░▓╚½▓▀┬╘20170621
-
  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\SB3600.BAT" "
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\netsh.exe
      cmdline: netsh ipsec static add policy name=qianye
-
  C:\Users\Admin\AppData\Local\Temp\65.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\65.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
-
  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe"
-
C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
-
C:\Windows\SysWOW64\systeinfo.exe
  cmdline: C:\Windows\SysWOW64\systeinfo.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\systeinfo.exe
    cmdline: C:\Windows\SysWOW64\systeinfo.exe Win7
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
-
  C:\Windows\SysWOW64\systeinfo.exe
    cmdline: C:\Windows\SysWOW64\systeinfo.exe Win7
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
-
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1064
    - Program crash
-
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1064
    - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4664 -ip 4664
Downloads
-
C:\Users\Admin\AppData\Local\Temp\65.exe
Filesize: 9KB
MD5: 53259b9b3f5be124adec635b0b39019d
SHA1: 6cf7e65329ac6da629c06810b7d1151aab3de8c3
SHA256: 9eab2dabb750bec290bfeb7fc544ec6e00e50a0553402233508e12898b7e3180
SHA512: 2a8ce2cc3e23da9b97e2f7878ab3307841cbb0229032d9b2212987aa7882fc89cc6b44ed03ac1fb5d2fb3282940de4c7c23ea50bab35eb616488283c5fa8dfbd
-
C:\Users\Admin\AppData\Local\Temp\84.exe
Filesize: 180KB
MD5: 5ee6b001a1cc627f56b239fb33a9bb14
SHA1: 5d960e316da7321802ee43d5138c15bb651eedbf
SHA256: d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66
SHA512: 03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a
-
C:\Users\Admin\AppData\Local\Temp\las.exe
Filesize: 28.1MB
MD5: f9b2e96e5044fdaa7d923d516f6206e8
SHA1: 936f9c88a574fede2fd37e54189e4b69c1215163
SHA256: b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a
SHA512: c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1
-
C:\Windows\IIS\1.BAT
Filesize: 32B
MD5: 2450c0476e1be691164e992f796c1c13
SHA1: 3fe9da9ae94dab5fe732023e24c509d7471605cf
SHA256: 653596cb1f474fc012624a04f6504f2f01fb4aacf1f121e653b20cf262b28164
SHA512: f23ac0f0a11b6861f0927d01d5e42261f552a975140c9c061f1da338f013475164089b9777b083d6718f0fab268a63469d5875ed7f7c9c329b22de2ebb268997
-
C:\Windows\IIS\CPUInfo.exe
Filesize: 13.7MB
MD5: 25db93b9c70a81bd8ab39dada7ea9691
SHA1: b3d3eccc28c99631e85db8214f750b853773b8c3
SHA256: f29842a6956eabe0989657309fe3ccc27e30f297a45fa8dd6ac04f74c4e1d8be
SHA512: 6d7ac5943e214ee1120f4a7a0f5c95a9e624e9b04afd7411c52ddc73fab75f048ed74ece1f58d6ab24ef440c64df037a8d09638995a6911df1d1a0c66ceb4d6b
-
C:\Windows\IIS\iis.reg
Filesize: 1KB
MD5: 77226e89c32d86ac341cdce4884b03a1
SHA1: bc78bef2aaa2a4699a85d78c9a76304a812885ab
SHA256: 1fee5453d046a348fe795039210519ff94846bab0980e583b32255726d035607
SHA512: e9e380b22b3cfff23c778ad106071c8420f8aca6634ce1e5ea9973ec42a66f188bb6dd5b3404d3baccf84a738464bcfe9318441c516dd60453fed02ae398b286
-
C:\Windows\SB360.BAT
Filesize: 1KB
MD5: f02639a78f77c2ed3cc63f8fe7c682c6
SHA1: d9869ab965a112d5a04a4e4bc388990f7a9ad008
SHA256: d75ed958202259cb627ab2b3b31d4e02c7246018eff2df0e6f0d62f397a9224b
SHA512: 9a7d473f30275745bac6ec60e6780d0b2f9d895f009713613e8d024e25224243f6d244ffbb1c2fa42d2d9b3593e451a45c48e33bfdcff3ca1b33c324a0ec8c58
-
C:\Windows\SB3600.BAT
Filesize: 1KB
MD5: c3e7708b9cc0a4477c87056814839075
SHA1: 4f2aefbf6e4336e35bb0ddc26e6c4fe743622fbb
SHA256: dd0609f6b28782689eca7df267a5065a2fa1953b4f458dc9f10305bdb339aa81
SHA512: 7d68f1401eacf83a80443aeeb5fca7c982ee92b6d2165fdc77ebb5cfc6fe506f8458181fb0e48f1294fdcb61b9bd612c184b98fdb3b21e22e78ed28514543742
-
C:\Windows\SysWOW64\systeinfo.exe
Filesize: 180KB
MD5: 5ee6b001a1cc627f56b239fb33a9bb14
SHA1: 5d960e316da7321802ee43d5138c15bb651eedbf
SHA256: d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66
SHA512: 03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a
-
C:\Windows\end.bat
Filesize: 1KB
MD5: c017d5f762ae5d67efb7d099b53cca58
SHA1: ab7f8553de7614251d76ce54aaee52f1a35e7ae6
SHA256: d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b
SHA512: 856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78
-
C:\Windows\rBcOd\awtqnk.exe
Filesize: 28.1MB
MD5: f9b2e96e5044fdaa7d923d516f6206e8
SHA1: 936f9c88a574fede2fd37e54189e4b69c1215163
SHA256: b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a
SHA512: c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1