205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60

Analysis

max time kernel
93s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
Size

9.5MB
MD5

0ec29d2e49bae6f922b735be7259d3cc
SHA1

0a806b4918388a56e877ca92559d15725df439f2
SHA256

205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60
SHA512

486507b682227fae304280c96a7f6f6ee6a08615cbcbac7754acfd5ee74eb24325ab1cfb8c010b9663cd108b882f78cff9b344515df01c6574e77ac01341be2c

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

17D56CD9.EXE8DAAA769.EXE17D56CD9.EXE

pid process

3448 17D56CD9.EXE
4432 8DAAA769.EXE
1396 17D56CD9.EXE

pid	process
3448	17D56CD9.EXE
4432	8DAAA769.EXE
1396	17D56CD9.EXE

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

17D56CD9.EXE8DAAA769.EXE17D56CD9.EXE205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	17D56CD9.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8DAAA769.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8DAAA769.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	17D56CD9.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	17D56CD9.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	17D56CD9.EXE

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe17D56CD9.EXE8DAAA769.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	17D56CD9.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	8DAAA769.EXE

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe17D56CD9.EXE17D56CD9.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine	17D56CD9.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine	17D56CD9.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

8DAAA769.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8DAAA769.EXE
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

8DAAA769.EXE

description ioc process

File opened for modification \??\PhysicalDrive0 8DAAA769.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8DAAA769.EXE

description	ioc	process
File opened for modification	\??\PhysicalDrive0	8DAAA769.EXE

Drops file in System32 directory 2 IoCs

Processes:

8DAAA769.EXE

description	ioc	process
File created	C:\Windows\SysWOW64\libcrypto-1_1.dll	8DAAA769.EXE
File opened for modification	C:\Windows\SysWOW64\libcrypto-1_1.dll	8DAAA769.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe17D56CD9.EXE8DAAA769.EXE17D56CD9.EXE

pid process

2588 205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
3448 17D56CD9.EXE
4432 8DAAA769.EXE
1396 17D56CD9.EXE

Drops file in Windows directory 64 IoCs

Processes:

8DAAA769.EXE17D56CD9.EXE

description	ioc	process
File opened for modification	C:\Windows\Prefetch\NGEN.EXE-AE594A6B.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-11FFA705.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\ReadyBoot	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-08AF006C.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7BB97BF6.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-B2C296EF.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-EC979AE0.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\TRUSTEDINSTALLER.EXE-3CC531E5.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-A73FB9CB.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7194EF5E.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\SEARCHINDEXER.EXE-4A6353B9.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-641DCE1C.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7BCB4814.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7EF4A0DD.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-99F89D15.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-005D3145.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-06226CEB.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-DF3D779F.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\AgAppLaunch.db	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\AgGlFgAppHistory.db	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-FC981FFE.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-61696F68.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-894C9E34.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\COMPPKGSRV.EXE-21DBED9C.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-32DA767E.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\SEARCHAPP.EXE-840F7E5A.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-033BBABB.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-D217A328.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-570206E5.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-16AF9B6E.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-18665B15.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-4EFE6110.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-8AFD300C.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\ASPNET_REGIIS.EXE-A5891C91.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\MSEDGE.EXE-78F14B8D.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\ReadyBoot\Trace2.fx	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-C8D69DC6.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-4BA0E729.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\TIWORKER.EXE-C101ABCD.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\ASPNET_REGIIS.EXE-945CDB73.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\FILESYNCCONFIG.EXE-CB60E6FA.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\Op-MSEDGE.EXE-78F14B85-00000001.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-5AC380EC.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-EDE0F878.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\ReadyBoot	17D56CD9.EXE
File opened for modification	C:\Windows\Prefetch\BACKGROUNDTRANSFERHOST.EXE-CF5B50C1.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\MOUSOCOREWORKER.EXE-681A8FEE.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-DB926CB0.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\SETTINGSYNCHOST.EXE-2521C7ED.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-039D5D2E.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\WMIADAP.EXE-F8DFDFA2.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-28A8211F.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\ResPriHMStaticDb.ebd	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-002D6F84.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-C4B5739C.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-21A1C618.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\AgRobust.db	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\LOGONUI.EXE-09140401.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-4DE02988.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-72C0C855.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-94A02D86.pf	8DAAA769.EXE
File opened for modification	C:\Windows\Prefetch\BACKGROUNDTASKHOST.EXE-ACEF2FA2.pf	8DAAA769.EXE

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

17D56CD9.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	17D56CD9.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	17D56CD9.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe17D56CD9.EXE8DAAA769.EXE17D56CD9.EXE

pid	process
2588	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
2588	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
3448	17D56CD9.EXE
3448	17D56CD9.EXE
4432	8DAAA769.EXE
4432	8DAAA769.EXE
1396	17D56CD9.EXE
1396	17D56CD9.EXE
1396	17D56CD9.EXE
1396	17D56CD9.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8DAAA769.EXE17D56CD9.EXE

description pid process

Token: SeDebugPrivilege 4432 8DAAA769.EXE
Token: SeDebugPrivilege 1396 17D56CD9.EXE
Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

8DAAA769.EXE17D56CD9.EXE

pid process

4432 8DAAA769.EXE
4432 8DAAA769.EXE
4432 8DAAA769.EXE
4432 8DAAA769.EXE
1396 17D56CD9.EXE
1396 17D56CD9.EXE
1396 17D56CD9.EXE
1396 17D56CD9.EXE
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

8DAAA769.EXE17D56CD9.EXE

pid process

4432 8DAAA769.EXE
4432 8DAAA769.EXE
4432 8DAAA769.EXE
4432 8DAAA769.EXE
1396 17D56CD9.EXE
1396 17D56CD9.EXE
1396 17D56CD9.EXE
1396 17D56CD9.EXE

description	pid	process
Token: SeDebugPrivilege	4432	8DAAA769.EXE
Token: SeDebugPrivilege	1396	17D56CD9.EXE

pid	process
4432	8DAAA769.EXE
4432	8DAAA769.EXE
4432	8DAAA769.EXE
4432	8DAAA769.EXE
1396	17D56CD9.EXE
1396	17D56CD9.EXE
1396	17D56CD9.EXE
1396	17D56CD9.EXE

pid	process
4432	8DAAA769.EXE
4432	8DAAA769.EXE
4432	8DAAA769.EXE
4432	8DAAA769.EXE
1396	17D56CD9.EXE
1396	17D56CD9.EXE
1396	17D56CD9.EXE
1396	17D56CD9.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe17D56CD9.EXE8DAAA769.EXE17D56CD9.EXE

pid	process
2588	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
2588	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
3448	17D56CD9.EXE
3448	17D56CD9.EXE
4432	8DAAA769.EXE
4432	8DAAA769.EXE
4432	8DAAA769.EXE
4432	8DAAA769.EXE
1396	17D56CD9.EXE
1396	17D56CD9.EXE
1396	17D56CD9.EXE
1396	17D56CD9.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe17D56CD9.EXE8DAAA769.EXE

description	pid	process	target process
PID 2588 wrote to memory of 2580	2588	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe	sc.exe
PID 2588 wrote to memory of 2580	2588	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe	sc.exe
PID 2588 wrote to memory of 2580	2588	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe	sc.exe
PID 2588 wrote to memory of 3448	2588	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe	17D56CD9.EXE
PID 2588 wrote to memory of 3448	2588	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe	17D56CD9.EXE
PID 2588 wrote to memory of 3448	2588	205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe	17D56CD9.EXE
PID 3448 wrote to memory of 4308	3448	17D56CD9.EXE	sc.exe
PID 3448 wrote to memory of 4308	3448	17D56CD9.EXE	sc.exe
PID 3448 wrote to memory of 4308	3448	17D56CD9.EXE	sc.exe
PID 3448 wrote to memory of 4432	3448	17D56CD9.EXE	8DAAA769.EXE
PID 3448 wrote to memory of 4432	3448	17D56CD9.EXE	8DAAA769.EXE
PID 3448 wrote to memory of 4432	3448	17D56CD9.EXE	8DAAA769.EXE
PID 4432 wrote to memory of 1396	4432	8DAAA769.EXE	17D56CD9.EXE
PID 4432 wrote to memory of 1396	4432	8DAAA769.EXE	17D56CD9.EXE
PID 4432 wrote to memory of 1396	4432	8DAAA769.EXE	17D56CD9.EXE

C:\Users\Admin\AppData\Local\Temp\205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
"C:\Users\Admin\AppData\Local\Temp\205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config Winmgmt start=auto
2⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\17D56CD9.EXE
"C:\Users\Admin\AppData\Local\Temp\17D56CD9.EXE" C:\Users\Admin\AppData\Local\Temp\205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe config Winmgmt start=auto
3⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\8DAAA769.EXE
"C:\Users\Admin\AppData\Local\Temp\8DAAA769.EXE"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4432

C:\Users\Admin\AppData\Local\Temp\17D56CD9.EXE
"C:\Users\Admin\AppData\Local\Temp\17D56CD9.EXE" C:\Users\Admin\AppData\Local\Temp\8DAAA769.EXE
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
876bb087b3eb935a4da2e5e7b74dc034

SHA1
3a4887eefbec2a9c06fac1f54ac0e91d96878e15

SHA256
0b332fabb7d73fba30142fb2a062431ac432bd49fbf7bd71416b00a368770e64

SHA512
98fdf68279a4eb3b26e0fdab0ed19a516d6ceab3e809b3dff0a770238e18b83963e510368a326f0ab87fd669bfaeceb2e395b246aed1f1bcaba8a882487fd4a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
5a11c6099b9e5808dfb08c5c9570c92f

SHA1
e5dc219641146d1839557973f348037fa589fd18

SHA256
91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172

SHA512
c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_665120A0D9C414754DD0F4487D79F885
Filesize
472B

MD5
e67f07efe64e042f3d0002b701b185c1

SHA1
76c83ee5886c59f4b9c921afc01687534cdbe397

SHA256
b0aa13e6d7b664cdf7129fda741441dfe9d93d09dd2347efa69e36e4c0687b3e

SHA512
e2f24cd78d0671495dacb2d76e81cd1d63abf177cfb5abd870ae4d44921c1ecf986c7b6fdebf922b2b694807c93f34bc967a1ae858d6595f0969276d23a6e0f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
7cbbea9199daff048104997684cc0e85

SHA1
ba8c990009594ba0c19441bd7df95ebdb1c80798

SHA256
f4d72d42a153a4338cc63a5cabd8efee52a76e4bf78c439a7cfa584159a65000

SHA512
3947ff6d8a86684af1b243b881cd4393b42664c6e4317ba4b290eddd424c1a18ec401705f27f2e7b8039bb198b269ca05bee8d99f37f8241f1455c2accbd2b2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
7272fbd0ca2672929512a20fd667952b

SHA1
9f61dcd800d5cc877fb9c059bc349c41c406fd5b

SHA256
3011f1c8727062351572f5d8bfcde394882a9f43bcb39280d24edea21d259a17

SHA512
357a759faf538f3e1e9249234b96ddeb5b0a6e8d383e4d0dfed398c4bbe09bd3bd9ec5f189005751dc38f05dc402f018a3f008630635fbd6273b5052d19d8cb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_665120A0D9C414754DD0F4487D79F885
Filesize
406B

MD5
4701054224bdbf49bc8b75f8132dba28

SHA1
e202e5dfe482f6e39306447dc57e5b96cde9ba20

SHA256
b85a39e29da8d288a381c643cb7cfad9cc2a33d531e61bcf0db1963b26720b0a

SHA512
e29c744f0ce392e8ec609828b2e634ae4f32a162c3b3ec51e7cea2c287c3d58273206836f69d3acb7607154bcbee51a120a2879ff2a74084133845c6b52fe30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\17D56CD9.EXE
Filesize
7.0MB

MD5
7ec4a713694d351a0a8cb0bace19be2f

SHA1
de0da87dff6f4563b0e716c5533231e58c844a40

SHA256
7ce16dd164e7e6afa8958e993583a5edee588c89717d57c1b9d18175b7723806

SHA512
9ebe7825e90fdb33cbd53c2af7ba52c19661f2edae2464932ba00054dfd291d32d69a846d07a439653a29aaa959b5985265728f6fec749401c35894b780c7f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\17D56CD9.EXE
Filesize
7.0MB

MD5
7ec4a713694d351a0a8cb0bace19be2f

SHA1
de0da87dff6f4563b0e716c5533231e58c844a40

SHA256
7ce16dd164e7e6afa8958e993583a5edee588c89717d57c1b9d18175b7723806

SHA512
9ebe7825e90fdb33cbd53c2af7ba52c19661f2edae2464932ba00054dfd291d32d69a846d07a439653a29aaa959b5985265728f6fec749401c35894b780c7f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\17D56CD9.EXE
Filesize
9.5MB

MD5
0ec29d2e49bae6f922b735be7259d3cc

SHA1
0a806b4918388a56e877ca92559d15725df439f2

SHA256
205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60

SHA512
486507b682227fae304280c96a7f6f6ee6a08615cbcbac7754acfd5ee74eb24325ab1cfb8c010b9663cd108b882f78cff9b344515df01c6574e77ac01341be2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\17D56CD9.EXE
Filesize
9.5MB

MD5
0ec29d2e49bae6f922b735be7259d3cc

SHA1
0a806b4918388a56e877ca92559d15725df439f2

SHA256
205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60

SHA512
486507b682227fae304280c96a7f6f6ee6a08615cbcbac7754acfd5ee74eb24325ab1cfb8c010b9663cd108b882f78cff9b344515df01c6574e77ac01341be2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8DAAA769.EXE
Filesize
7.5MB

MD5
d17fedcbd09fb98051fcf96da18a8aac

SHA1
6a523cff8b733d02ad9f65028b994fdc470897c8

SHA256
ff374aeb654183a0b28d453bbc33cfc01148167a61b05e9aeff600e227475cf7

SHA512
23d5f522da1609159fdb6ff9eba9d443a4f0f9819b517c6e5a9813e9eee571ab94c00c80eedfa9a4883c84b02acf4f0db2c5099c83a3cda649ec1b5572f9f095

Download Submit
C:\Users\Admin\AppData\Local\Temp\8DAAA769.EXE
Filesize
7.5MB

MD5
d17fedcbd09fb98051fcf96da18a8aac

SHA1
6a523cff8b733d02ad9f65028b994fdc470897c8

SHA256
ff374aeb654183a0b28d453bbc33cfc01148167a61b05e9aeff600e227475cf7

SHA512
23d5f522da1609159fdb6ff9eba9d443a4f0f9819b517c6e5a9813e9eee571ab94c00c80eedfa9a4883c84b02acf4f0db2c5099c83a3cda649ec1b5572f9f095

Download Submit
C:\Windows\SysWOW64\libcrypto-1_1.dll
Filesize
2.4MB

MD5
c58b2589b88c5da34df20f737b7ac50c

SHA1
05ed6edafd5342b546fb5d5a6162695f11f5d4da

SHA256
49b26d14cf68a370de47f8f3724e46e61bff98aba7dd7b8a7c1f87e83bb44064

SHA512
4e2db4133fdb69dcc7a03201810b10cf9519dd7cdea8ff3fc496779d84556502cdb562d67f60a0503493705b622d1cb772fc9acb4935aa4fb6a6cbdf7b4b211f

Download Submit
memory/1396-170-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1396-178-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1396-189-0x0000000000400000-0x000000000111B000-memory.dmp

Filesize
13.1MB

Download
memory/1396-185-0x0000000077BB0000-0x0000000077D53000-memory.dmp

Filesize
1.6MB

Download
memory/1396-182-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1396-161-0x0000000000000000-mapping.dmp

Download
memory/1396-169-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1396-181-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1396-171-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1396-173-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1396-174-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1396-175-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1396-172-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1396-176-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1396-177-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1396-180-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1396-179-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/2580-135-0x0000000000000000-mapping.dmp

Download
memory/2588-130-0x0000000077BB0000-0x0000000077D53000-memory.dmp

Filesize
1.6MB

Download
memory/2588-134-0x0000000000400000-0x000000000106E000-memory.dmp

Filesize
12.4MB

Download
memory/3448-136-0x0000000000000000-mapping.dmp

Download
memory/3448-142-0x0000000077BB0000-0x0000000077D53000-memory.dmp

Filesize
1.6MB

Download
memory/3448-143-0x0000000000400000-0x000000000106E000-memory.dmp

Filesize
12.4MB

Download
memory/4308-144-0x0000000000000000-mapping.dmp

Download
memory/4432-148-0x0000000077BB0000-0x0000000077D53000-memory.dmp

Filesize
1.6MB

Download
memory/4432-151-0x0000000000401000-0x00000000004A4000-memory.dmp

Filesize
652KB

Download
memory/4432-156-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/4432-145-0x0000000000000000-mapping.dmp

Download
memory/4432-150-0x0000000000400000-0x00000000015C0000-memory.dmp

Filesize
17.8MB

Download
memory/4432-149-0x0000000000400000-0x00000000015C0000-memory.dmp

Filesize
17.8MB

Download