Analysis
- max time kernel: 153s
- max time network: 97s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 03:38
- Static task: static1
- Behavioral task: behavioral1
- Sample: f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe
General
- Target: f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe
- Size: 8.0MB
- MD5: 003663017d3ef845190636d56c4477fb
- SHA1: fc8967e75ea99849ee703c262df58301933a89d7
- SHA256: f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827
- SHA512: 15ebd16f8f64fe0a57a1bf819653817363a5bbcc665839e4f5dd0819204f502009bda12e938d3cf8f368c84a0b26b4a892f2c9f5fe9546f97fc80ab937c306b1
Malware Config
Extracted
- Family: quasar
- Version: 1.3.0.0
- Botnet: trade
- C2: wrz.ddns.net:5700
- Mutex: QSR_MUTEX_HQ4Y5Dn1t3ivwyhc79
- encryption_key: jlIbt3DTqIrhsELlJ19e
- install_name: swctlsrv.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: microsoft_update_tool
- subdirectory: SubDir
Signatures

Quasar Payload (7 IoCs)
YARA matches (resource: rule):
- behavioral1/memory/1796-77-0x0000000000AD0000-0x0000000000E88000-memory.dmp: family_quasar
- behavioral1/memory/1796-79-0x0000000000AD0000-0x0000000000E88000-memory.dmp: family_quasar
- behavioral1/memory/1544-94-0x00000000008D0000-0x0000000000C88000-memory.dmp: family_quasar
- behavioral1/memory/1544-95-0x00000000008D0000-0x0000000000C88000-memory.dmp: family_quasar
- behavioral1/memory/1544-96-0x0000000077300000-0x0000000077480000-memory.dmp: family_quasar
- behavioral1/memory/1312-123-0x00000000008D0000-0x0000000000C88000-memory.dmp: family_quasar
- behavioral1/memory/1312-124-0x00000000008D0000-0x0000000000C88000-memory.dmp: family_quasar

Suricata alert
- ET MALWARE Common RAT Connectivity Check Observed

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Executes dropped EXE (9 IoCs)
Processes (pid, process):
- 748 syshost.exe
- 1712 svchst.exe
- 1796 swchst.exe
- 1544 swctlsrv.exe
- 1296 cmifw.exe
- 1672 cmifw.exe
- 1312 swctlsrv.exe
- 1028 cmifw.exe
- 1752 cmifw.exe

Checks BIOS information in registry (2 TTPs, 18 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (process: ioc):
- syshost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- syshost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- svchst.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- svchst.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- swctlsrv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- cmifw.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- cmifw.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- swchst.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- swchst.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- swctlsrv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- cmifw.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- cmifw.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- swctlsrv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- swctlsrv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- cmifw.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- cmifw.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- cmifw.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- cmifw.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Deletes itself (1 IoCs)
Processes (pid, process):
- 1824 cmd.exe
Identifies Wine through registry keys (2 TTPs, 9 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (process: ioc):
- swctlsrv.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine
- cmifw.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine
- cmifw.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine
- cmifw.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine
- syshost.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine
- swchst.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine
- swctlsrv.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine
- svchst.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine
- cmifw.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine

Loads dropped DLL (9 IoCs)
Processes (pid, process):
- 1296 f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe
- 1296 f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe
- 1296 f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe
- 1796 swchst.exe
- 1548 WerFault.exe
- 1548 WerFault.exe
- 1548 WerFault.exe
- 1548 WerFault.exe
- 1548 WerFault.exe

Modifies file permissions (1 TTPs, 3 IoCs)
Processes (pid, process):
- 428 icacls.exe
- 564 icacls.exe
- 2004 icacls.exe

Checks whether UAC is enabled (9 IoCs)
Processes (process: ioc):
- swctlsrv.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- cmifw.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- svchst.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- swctlsrv.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- cmifw.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- cmifw.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- syshost.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- swchst.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- cmifw.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows (flow: ioc):
- flow 4: ip-api.com

Writes to the Master Boot Record (MBR) (1 TTPs, 4 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (process: ioc):
- swctlsrv.exe: File opened for modification \??\PhysicalDrive0
- syshost.exe: File opened for modification \??\PhysicalDrive0
- swchst.exe: File opened for modification \??\PhysicalDrive0
- swctlsrv.exe: File opened for modification \??\PhysicalDrive0

AutoIT Executable (6 IoCs)
AutoIT scripts compiled to PE executables.
YARA matches (resource: rule):
- behavioral1/memory/1712-80-0x00000000010A0000-0x000000000149D000-memory.dmp: autoit_exe
- behavioral1/memory/1672-107-0x0000000001150000-0x000000000154D000-memory.dmp: autoit_exe
- behavioral1/memory/1296-106-0x0000000001150000-0x000000000154D000-memory.dmp: autoit_exe
- behavioral1/memory/1312-122-0x0000000077300000-0x0000000077480000-memory.dmp: autoit_exe
- behavioral1/memory/1028-130-0x0000000001150000-0x000000000154D000-memory.dmp: autoit_exe
- behavioral1/memory/1752-136-0x0000000001150000-0x000000000154D000-memory.dmp: autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes (pid, process):
- 748 syshost.exe
- 1712 svchst.exe
- 1796 swchst.exe
- 1544 swctlsrv.exe
- 1296 cmifw.exe
- 1672 cmifw.exe
- 1312 swctlsrv.exe
- 1028 cmifw.exe
- 1752 cmifw.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes (pid, process; target pid, target process):
- 1548 WerFault.exe; target 1544 swctlsrv.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 1656 schtasks.exe
- 1828 schtasks.exe

Delays execution with timeout.exe (1 IoCs)
Processes (pid, process):
- 812 timeout.exe

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 748 syshost.exe
- 1712 svchst.exe
- 1796 swchst.exe
- 1544 swctlsrv.exe
- 1296 cmifw.exe
- 1672 cmifw.exe
- 1296 cmifw.exe (the remaining entries are repeats of this row)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (pid, process: description):
- 1796 swchst.exe: Token: SeDebugPrivilege
- 1544 swctlsrv.exe: Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid, process):
- 1544 swctlsrv.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (pid, process -> target pid, target process; each event is recorded four times):
- 1296 f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe wrote to memory of 748 syshost.exe
- 1296 f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe wrote to memory of 1712 svchst.exe
- 1296 f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe wrote to memory of 1796 swchst.exe
- 1296 f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe wrote to memory of 1824 cmd.exe
- 1824 cmd.exe wrote to memory of 812 timeout.exe
- 1712 svchst.exe wrote to memory of 1168 cmd.exe
- 1168 cmd.exe wrote to memory of 428 icacls.exe
- 1168 cmd.exe wrote to memory of 564 icacls.exe
- 1168 cmd.exe wrote to memory of 2004 icacls.exe
- 1796 swchst.exe wrote to memory of 1656 schtasks.exe
- 1796 swchst.exe wrote to memory of 1544 swctlsrv.exe
- 1544 swctlsrv.exe wrote to memory of 1828 schtasks.exe
- 1620 taskeng.exe wrote to memory of 1296 cmifw.exe
- 1620 taskeng.exe wrote to memory of 1672 cmifw.exe
- 1544 swctlsrv.exe wrote to memory of 560 cmd.exe
- 560 cmd.exe wrote to memory of 1036 chcp.com
Processes
- C:\Users\Admin\AppData\Local\Temp\f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\syshost.exe
    Command line: C:\Users\Admin\AppData\Roaming\syshost.exe
    Signatures: Executes dropped EXE; Checks BIOS information in registry; Identifies Wine through registry keys; Checks whether UAC is enabled; Writes to the Master Boot Record (MBR); Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Roaming\svchst.exe
    Command line: C:\Users\Admin\AppData\Roaming\svchst.exe
    Signatures: Executes dropped EXE; Checks BIOS information in registry; Identifies Wine through registry keys; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\icacls.exe
        Command line: icacls "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        Signatures: Modifies file permissions
      - C:\Windows\SysWOW64\icacls.exe
        Command line: icacls "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        Signatures: Modifies file permissions
      - C:\Windows\SysWOW64\icacls.exe
        Command line: icacls "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
        Signatures: Modifies file permissions
  - C:\Users\Admin\AppData\Roaming\swchst.exe
    Command line: C:\Users\Admin\AppData\Roaming\swchst.exe
    Signatures: Executes dropped EXE; Checks BIOS information in registry; Identifies Wine through registry keys; Loads dropped DLL; Checks whether UAC is enabled; Writes to the Master Boot Record (MBR); Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "microsoft_update_tool" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\swchst.exe" /rl HIGHEST /f
      Signatures: Creates scheduled task(s)
    - C:\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe"
      Signatures: Executes dropped EXE; Checks BIOS information in registry; Identifies Wine through registry keys; Checks whether UAC is enabled; Writes to the Master Boot Record (MBR); Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks" /create /tn "microsoft_update_tool" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe" /rl HIGHEST /f
        Signatures: Creates scheduled task(s)
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\MoOc6hmu6xeP.bat" "
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\chcp.com
          Command line: chcp 65001
        - C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 10 localhost
          Signatures: Runs ping.exe
        - C:\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe
          Command line: "C:\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe"
          Signatures: Executes dropped EXE; Checks BIOS information in registry; Identifies Wine through registry keys; Checks whether UAC is enabled; Writes to the Master Boot Record (MBR); Suspicious use of NtSetInformationThreadHideFromDebugger
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1572
        Signatures: Loads dropped DLL; Program crash
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\F92A19~1.EXE"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\F92A19~1.EXE" exit)
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 0
      Signatures: Delays execution with timeout.exe
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {4D5D4EDD-628A-4575-BF3C-2BC14EE8D488} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
    Command line: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
    Signatures: Executes dropped EXE; Checks BIOS information in registry; Identifies Wine through registry keys; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
    Command line: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
    Signatures: Executes dropped EXE; Checks BIOS information in registry; Identifies Wine through registry keys; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
    Command line: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
    Signatures: Executes dropped EXE; Checks BIOS information in registry; Identifies Wine through registry keys; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger
  - C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
    Command line: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
    Signatures: Executes dropped EXE; Checks BIOS information in registry; Identifies Wine through registry keys; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger
Downloads
- C:\ProgramData\mntemp
  Filesize: 16B
  MD5: 723d8391974df8e696604e614b4ee920
  SHA1: aa526cf27940b598b6a8ba4a5464fa2c0f85c55f
  SHA256: b42a23871cf89b0bc1c8878bc3c001b0ebd95cd1f658579c09d9395bc901f38c
  SHA512: 7348cb81f8711222ab37d07e970dd804ddc46e1f44bc0a9056361f89bd460ada312791a602e8786b3988d332ae6dbe8c65a849f9d433b931334633b8e28beecf
- C:\Users\Admin\AppData\Local\Temp\MoOc6hmu6xeP.bat
  Filesize: 209B
  MD5: 8bdf75a1f1ab8a1529d790b3df033562
  SHA1: a9c653b0e14248bd9ba8de3407c8449c7e8a0439
  SHA256: 677eef11db8f91a8edb2427b2ec922f2ccc31330c07d427e23acbbf2d7ee64fd
  SHA512: e3e7fada22b8ab1ee66a2558f4c582846d69803158f4d60c4e58bafe540e3dff499a35e401056ab81ae1e047387474a5041406f71db9b34b13c49386b263c934
- C:\Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe (also listed as \Users\Admin\AppData\Roaming\SubDir\swctlsrv.exe)
  Filesize: 1.6MB
  MD5: 6ffcb6f30bdb7c5f47d2b9a7cf0802d7
  SHA1: b3bf06b3db7f811d472ccb6026a6d45365f6d871
  SHA256: 93db04a938ac856a671c62a0033e4334081b7ee1f039b8c7698601210ed32d9a
  SHA512: 83c7e9276300a54099c02ab41528f5bb4458c256b59cb3589dcc5fee2f36e3da5e5417f679fef5ec0c07c48ef93be84c065cef3a195f3e69d83c35c43fa8619a
- C:\Users\Admin\AppData\Roaming\svchst.exe (also listed as \Users\Admin\AppData\Roaming\svchst.exe)
  Filesize: 1.8MB
  MD5: 703434861057ed7634a5e5ef4164cd3e
  SHA1: 0ad8fa7ba4f7b6aa04a9cf8aa6ed11145b5846ae
  SHA256: e780952b3dc7a7621814d4598ab82c74f60c8d7f7bd19853b3ae0756b9eb15f1
  SHA512: 98e978874a6626ba1c64d2dd28a0df7233aed973e6b64278803ef22cd75de0fa8ad1aa094cda597f6b62b08b73253d6e4248b4fac5af2ebc5a53ec6ca409d114
- C:\Users\Admin\AppData\Roaming\swchst.exe (also listed as \Users\Admin\AppData\Roaming\swchst.exe)
  Filesize: 1.6MB
  MD5: 6ffcb6f30bdb7c5f47d2b9a7cf0802d7
  SHA1: b3bf06b3db7f811d472ccb6026a6d45365f6d871
  SHA256: 93db04a938ac856a671c62a0033e4334081b7ee1f039b8c7698601210ed32d9a
  SHA512: 83c7e9276300a54099c02ab41528f5bb4458c256b59cb3589dcc5fee2f36e3da5e5417f679fef5ec0c07c48ef93be84c065cef3a195f3e69d83c35c43fa8619a
- C:\Users\Admin\AppData\Roaming\syshost.exe (also listed as \Users\Admin\AppData\Roaming\syshost.exe)
  Filesize: 1.6MB
  MD5: eed9348f0146e0b4c4d6f54cc98cfd0e
  SHA1: ffdf9491b21e3fed32ae90aa1e594934e1fbd339
  SHA256: 1fe17e478f59195cec8ade2f79596aeff8930a3f575a8d9ad7a48306a817082e
  SHA512: eb8a57d6d8a25ac0aa90dad6716a632cec03eb0be7eb25c1c210e5c0eb59e415513cf5895c3d91f0f1ff781c175f941670a5663c045c2a7f78db173f95829705
- C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\cmifw.exe
  Filesize: 1.8MB
  MD5: 703434861057ed7634a5e5ef4164cd3e
  SHA1: 0ad8fa7ba4f7b6aa04a9cf8aa6ed11145b5846ae
  SHA256: e780952b3dc7a7621814d4598ab82c74f60c8d7f7bd19853b3ae0756b9eb15f1
  SHA512: 98e978874a6626ba1c64d2dd28a0df7233aed973e6b64278803ef22cd75de0fa8ad1aa094cda597f6b62b08b73253d6e4248b4fac5af2ebc5a53ec6ca409d114