Analysis
Max time kernel: 146s
Max time network: 145s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 13-07-2022 06:37
Behavioral task: behavioral1
Sample: 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe
Resource: win10v2004-20220414-en
General
Target: 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe
Size: 613KB
MD5: 25809fc57cbbfdbc64b4c5d4e17d1d06
SHA1: 0415083490d597fc23ddc7c6e5163ad51ee60213
SHA256: 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786
SHA512: a078e118303ff225c7526a844e8b0984362e7f764a473fd3599781c432280f5ef6b00eaf6c8ed2dd08bde115e66f675795a0f6769a51fbfe1a0a5e14e3f4509a
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 8 IoCs
Processes: s59ucg5sg3o91qu_1.exe, explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | s59ucg5sg3o91qu_1.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | s59ucg5sg3o91qu_1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | s59ucg5sg3o91qu_1.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | s59ucg5sg3o91qu_1.exe
Modifies security service 2 TTPs 1 IoCs
Processes: regedit.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath | regedit.exe
UAC bypass
Processes: regedit.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | regedit.exe
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe | cryptone
C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe | cryptone
Disables taskbar notifications via registry modification
Disables use of System Restore points 1 TTPs
Downloads MZ/PE file
Executes dropped EXE 2 IoCs
Processes: s59ucg5sg3o91qu_1.exe, 7s73cw93u.exe
pid | process
1044 | s59ucg5sg3o91qu_1.exe
1952 | 7s73cw93u.exe
Sets file execution options in registry 2 TTPs 4 IoCs
Processes: explorer.exe, 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "bfuk.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\s59ucg5sg3o91qu.exe | 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\s59ucg5sg3o91qu.exe\DisableExceptionChainValidation | 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes: regedit.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath | regedit.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Loads dropped DLL 2 IoCs
Processes: explorer.exe
pid | process
1004 | explorer.exe
1004 | explorer.exe
Adds Run key to start application 2 TTPs 8 IoCs
Processes: regedit.exe, explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.08 = "\"C:\\ProgramData\\Google Updater 2.08\\s59ucg5sg3o91qu.exe\"" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.08 = "C:\\ProgramData\\Google Updater 2.08\\s59ucg5sg3o91qu.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.08 = "\"C:\\ProgramData\\Google Updater 2.08\\s59ucg5sg3o91qu.exe\"" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.08 = "\"C:\\ProgramData\\Google Updater 2.08\\s59ucg5sg3o91qu.exe\"" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | regedit.exe
Checks for any installed AV software in registry 1 TTPs 2 IoCs
Processes: s59ucg5sg3o91qu_1.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus | s59ucg5sg3o91qu_1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService | s59ucg5sg3o91qu_1.exe
Checks whether UAC is enabled
Processes: 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe, s59ucg5sg3o91qu_1.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | s59ucg5sg3o91qu_1.exe
Drops desktop.ini file(s) 1 IoCs
Processes: explorer.exe
description | ioc | process
File opened for modification | C:\ProgramData\Google Updater 2.08\desktop.ini | explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
Processes: 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe, explorer.exe, s59ucg5sg3o91qu_1.exe
pid | process
1032 | 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe
1004 | explorer.exe (10 entries)
1044 | s59ucg5sg3o91qu_1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe, explorer.exe, s59ucg5sg3o91qu_1.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | s59ucg5sg3o91qu_1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | s59ucg5sg3o91qu_1.exe
Discovers systems in the same network 1 TTPs 1 IoCs
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Modifies Internet Explorer settings
Processes: explorer.exe, regedit.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\VersionManager | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\VersionManager | explorer.exe
NTFS ADS 2 IoCs
Processes: explorer.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe:14F4FC7F | explorer.exe
File created | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe:14F4FC7F | explorer.exe
Runs net.exe
Runs regedit.exe 1 IoCs
Processes: regedit.exe
pid | process
1588 | regedit.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs
Processes: net.exe, net.exe, nltest.exe, nltest.exe, net.exe, choice.exe
pid | process
1912 | net.exe
968 | net.exe
1556 | nltest.exe
1336 | nltest.exe
1656 | net.exe
1520 | choice.exe
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes: explorer.exe
pid | process
1004 | explorer.exe (11 entries)
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe, explorer.exe, s59ucg5sg3o91qu_1.exe
pid | process
1032 | 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe (2 entries)
1004 | explorer.exe (2 entries)
1044 | s59ucg5sg3o91qu_1.exe (2 entries)
Suspicious behavior: RenamesItself 1 IoCs
Processes: 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe
pid | process
1032 | 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe
Suspicious use of AdjustPrivilegeToken 61 IoCs
Processes: 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe, explorer.exe, s59ucg5sg3o91qu_1.exe, regedit.exe, 7s73cw93u.exe
pid | process | tokens (in the order recorded)
1032 | 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
1004 | explorer.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
1044 | s59ucg5sg3o91qu_1.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33, SeCreatePagefilePrivilege (5 further entries)
1588 | regedit.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege
1952 | 7s73cw93u.exe | SeDebugPrivilege
Suspicious use of UnmapMainImage 2 IoCs
Processes: 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe, s59ucg5sg3o91qu_1.exe
pid | process
1032 | 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe
1044 | s59ucg5sg3o91qu_1.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe, explorer.exe, s59ucg5sg3o91qu_1.exe, 7s73cw93u.exe, cmd.exe, net.exe, cmd.exe, net.exe
description | pid | process | target process
PID 1032 wrote to memory of 1004 (7 entries) | 1032 | 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe | explorer.exe
PID 1004 wrote to memory of 1168 (6 entries) | 1004 | explorer.exe | Dwm.exe
PID 1004 wrote to memory of 1200 (6 entries) | 1004 | explorer.exe | Explorer.EXE
PID 1004 wrote to memory of 1044 (7 entries) | 1004 | explorer.exe | s59ucg5sg3o91qu_1.exe
PID 1044 wrote to memory of 1588 (7 entries) | 1044 | s59ucg5sg3o91qu_1.exe | regedit.exe
PID 1004 wrote to memory of 1952 (7 entries) | 1004 | explorer.exe | 7s73cw93u.exe
PID 1952 wrote to memory of 1560 (5 entries) | 1952 | 7s73cw93u.exe | cmd.exe
PID 1560 wrote to memory of 1912 (5 entries) | 1560 | cmd.exe | net.exe
PID 1912 wrote to memory of 1160 (3 entries) | 1912 | net.exe | net1.exe
PID 1952 wrote to memory of 1756 (5 entries) | 1952 | 7s73cw93u.exe | cmd.exe
PID 1756 wrote to memory of 968 (5 entries) | 1756 | cmd.exe | net.exe
PID 968 wrote to memory of 1852 (1 entry) | 968 | net.exe | net1.exe
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1200
  C:\Users\Admin\AppData\Local\Temp\053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe"
    PID: 1032
    - Sets file execution options in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      PID: 1004
      - Modifies firewall policy service
      - Sets file execution options in registry
      - Checks BIOS information in registry
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies Internet Explorer Protected Mode
      - Modifies Internet Explorer Protected Mode Banner
      - Modifies Internet Explorer settings
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe
        Command line: /suac
        PID: 1044
        - Modifies firewall policy service
        - Executes dropped EXE
        - Checks for any installed AV software in registry
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\regedit.exe
          Command line: "C:\Windows\SysWOW64\regedit.exe"
          PID: 1588
          - Modifies security service
          - UAC bypass
          - Sets service image path in registry
          - Adds Run key to start application
          - Modifies Internet Explorer settings
          - Runs regedit.exe
          - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\7s73cw93u.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7s73cw93u.exe"
        PID: 1952
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\cmd.exe
          Command line: "cmd.exe" /c net group "Domain Admins" /domain
          PID: 1560
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\net.exe
            Command line: net group "Domain Admins" /domain
            PID: 1912
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 group "Domain Admins" /domain
              PID: 1160
        C:\Windows\system32\cmd.exe
          Command line: "cmd.exe" /c net group "domain computers" /domain
          PID: 1756
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\net.exe
            Command line: net group "domain computers" /domain
            PID: 968
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 group "domain computers" /domain
              PID: 1852
        C:\Windows\system32\cmd.exe
          Command line: "cmd.exe" /c nltest /domain_trusts /all_trusts
          PID: 1764
          C:\Windows\system32\nltest.exe
            Command line: nltest /domain_trusts /all_trusts
            PID: 1556
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        C:\Windows\system32\cmd.exe
          Command line: "cmd.exe" /c nltest /domain_trusts
          PID: 1692
          C:\Windows\system32\nltest.exe
            Command line: nltest /domain_trusts
            PID: 1336
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        C:\Windows\system32\cmd.exe
          Command line: "cmd.exe" /c net view /all
          PID: 1680
          C:\Windows\system32\net.exe
            Command line: net view /all
            PID: 1656
            - Discovers systems in the same network
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\7s73cw93u.exe" && /C choice /C Y /N /D Y /T 3 & Del "shfolder.dll" && Del LAG1 && Del LAG2
          PID: 1816
          C:\Windows\system32\choice.exe
            Command line: choice /C Y /N /D Y /T 3
            PID: 1520
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1168
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize | MD5 | SHA1 | SHA256 | SHA512
10KB | 60a1564d18f20769eb65478cc5bc56c0 | 15ba12509eb288ed4e47162714f86777d8819976 | deccabcc57c6a41b9e2e1f3f97b9425831304f69387299adf1405350d2f5d110 | e1e2228963e1f0f0b80b9c5deb47da740b6fec376ebb7ae8e23ce31c2cadc02d63959f6bf3c66c949498f66a1eb44def5a8e467cf82d6ac3855bfc9241ebfc71
10KB | 60a1564d18f20769eb65478cc5bc56c0 | 15ba12509eb288ed4e47162714f86777d8819976 | deccabcc57c6a41b9e2e1f3f97b9425831304f69387299adf1405350d2f5d110 | e1e2228963e1f0f0b80b9c5deb47da740b6fec376ebb7ae8e23ce31c2cadc02d63959f6bf3c66c949498f66a1eb44def5a8e467cf82d6ac3855bfc9241ebfc71
613KB | 25809fc57cbbfdbc64b4c5d4e17d1d06 | 0415083490d597fc23ddc7c6e5163ad51ee60213 | 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786 | a078e118303ff225c7526a844e8b0984362e7f764a473fd3599781c432280f5ef6b00eaf6c8ed2dd08bde115e66f675795a0f6769a51fbfe1a0a5e14e3f4509a
10KB | 60a1564d18f20769eb65478cc5bc56c0 | 15ba12509eb288ed4e47162714f86777d8819976 | deccabcc57c6a41b9e2e1f3f97b9425831304f69387299adf1405350d2f5d110 | e1e2228963e1f0f0b80b9c5deb47da740b6fec376ebb7ae8e23ce31c2cadc02d63959f6bf3c66c949498f66a1eb44def5a8e467cf82d6ac3855bfc9241ebfc71
613KB | 25809fc57cbbfdbc64b4c5d4e17d1d06 | 0415083490d597fc23ddc7c6e5163ad51ee60213 | 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786 | a078e118303ff225c7526a844e8b0984362e7f764a473fd3599781c432280f5ef6b00eaf6c8ed2dd08bde115e66f675795a0f6769a51fbfe1a0a5e14e3f4509a