Analysis Overview
SHA256
55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f
Threat Level: Known bad
The file 55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
BetaBot
Sets file execution options in registry
Executes dropped EXE
Loads dropped DLL
Checks BIOS information in registry
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Modifies Internet Explorer Protected Mode Banner
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer Protected Mode
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-25 15:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-25 15:07
Reported
2022-07-25 17:52
Platform
win7-20220718-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\7o1iy5c77a5.exe | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\7o1iy5c77a5.exe\DisableExceptionChainValidation | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "bbb.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Registry Defragmenter = "C:\\ProgramData\\Registry Defragmenter\\7o1iy5c77a5.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry Defragmenter = "\"C:\\ProgramData\\Registry Defragmenter\\7o1iy5c77a5.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1668 set thread context of 1268 | N/A | C:\Users\Admin\Documents\folder name\file name.exe | C:\Users\Admin\Documents\folder name\file name.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f.exe
"C:\Users\Admin\AppData\Local\Temp\55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f.exe"
C:\Users\Admin\Documents\folder name\file name.exe
"C:\Users\Admin\Documents\folder name\file name.exe"
C:\Users\Admin\Documents\folder name\file name.exe
"C:\Users\Admin\Documents\folder name\file name.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | update.microsoft.com | udp |
| US | 20.109.209.108:80 | update.microsoft.com | tcp |
| US | 8.8.8.8:53 | northwingerserverlnk.com | udp |
| US | 8.8.8.8:53 | swiftlogichostersng.com | udp |
| US | 8.8.8.8:53 | bngreenwebsolutionskis.com | udp |
| US | 8.8.8.8:53 | apxeletricalsconceptng.com | udp |
| US | 8.8.8.8:53 | glaosasgraphixsolution.com | udp |
| US | 8.8.8.8:53 | ngnativeappsncloud.com | udp |
| US | 8.8.8.8:53 | kycxinternetsolutions.com | udp |
Files
memory/1084-54-0x0000000076291000-0x0000000076293000-memory.dmp
\Users\Admin\Documents\folder name\file name.exe
| MD5 | 0f97c0600cb950fe9430023345529356 |
| SHA1 | 0464e631d06da0bc9a18a4b1b6252c436686914a |
| SHA256 | 55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f |
| SHA512 | 327d97ba76ee59a3ed800fe66bc13627eab90ca5dd0fac4335251b961df38cba976ac308d0933f15bb16ec970accda46faf3687499c51c72f0d771dc421433da |
memory/1668-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\folder name\file name.exe
| MD5 | 0f97c0600cb950fe9430023345529356 |
| SHA1 | 0464e631d06da0bc9a18a4b1b6252c436686914a |
| SHA256 | 55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f |
| SHA512 | 327d97ba76ee59a3ed800fe66bc13627eab90ca5dd0fac4335251b961df38cba976ac308d0933f15bb16ec970accda46faf3687499c51c72f0d771dc421433da |
\Users\Admin\Documents\folder name\file name.exe
| MD5 | 0f97c0600cb950fe9430023345529356 |
| SHA1 | 0464e631d06da0bc9a18a4b1b6252c436686914a |
| SHA256 | 55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f |
| SHA512 | 327d97ba76ee59a3ed800fe66bc13627eab90ca5dd0fac4335251b961df38cba976ac308d0933f15bb16ec970accda46faf3687499c51c72f0d771dc421433da |
C:\Users\Admin\Documents\folder name\file name.exe
| MD5 | 0f97c0600cb950fe9430023345529356 |
| SHA1 | 0464e631d06da0bc9a18a4b1b6252c436686914a |
| SHA256 | 55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f |
| SHA512 | 327d97ba76ee59a3ed800fe66bc13627eab90ca5dd0fac4335251b961df38cba976ac308d0933f15bb16ec970accda46faf3687499c51c72f0d771dc421433da |
memory/1268-61-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1268-64-0x00000000004015C6-mapping.dmp
memory/1268-67-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1268-66-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Documents\folder name\file name.exe
| MD5 | 0f97c0600cb950fe9430023345529356 |
| SHA1 | 0464e631d06da0bc9a18a4b1b6252c436686914a |
| SHA256 | 55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f |
| SHA512 | 327d97ba76ee59a3ed800fe66bc13627eab90ca5dd0fac4335251b961df38cba976ac308d0933f15bb16ec970accda46faf3687499c51c72f0d771dc421433da |
memory/1268-69-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1268-70-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1268-71-0x00000000002F0000-0x0000000000355000-memory.dmp
memory/1268-72-0x00000000002F0000-0x0000000000355000-memory.dmp
memory/1268-74-0x00000000003F0000-0x00000000003FD000-memory.dmp
memory/1268-75-0x0000000001DD0000-0x0000000001DDC000-memory.dmp
memory/1548-76-0x0000000000000000-mapping.dmp
memory/1548-78-0x0000000074BB1000-0x0000000074BB3000-memory.dmp
memory/1268-79-0x00000000002F0000-0x0000000000355000-memory.dmp
memory/1548-80-0x0000000077670000-0x00000000777F0000-memory.dmp
memory/1548-81-0x00000000001C0000-0x00000000002FD000-memory.dmp
memory/1548-82-0x0000000000360000-0x000000000036D000-memory.dmp
memory/1548-83-0x0000000000510000-0x000000000051C000-memory.dmp
memory/1548-84-0x0000000077670000-0x00000000777F0000-memory.dmp
memory/1232-85-0x0000000002240000-0x0000000002246000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-25 15:07
Reported
2022-07-25 18:07
Platform
win10v2004-20220722-en
Max time kernel
62s
Max time network
147s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ay7y1s5goa1939q.exe | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ay7y1s5goa1939q.exe\DisableExceptionChainValidation | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "cvjssuszju.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry Defragmenter = "\"C:\\ProgramData\\Registry Defragmenter\\ay7y1s5goa1939q.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Registry Defragmenter = "C:\\ProgramData\\Registry Defragmenter\\ay7y1s5goa1939q.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4892 set thread context of 3296 | N/A | C:\Users\Admin\Documents\folder name\file name.exe | C:\Users\Admin\Documents\folder name\file name.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\folder name\file name.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f.exe
"C:\Users\Admin\AppData\Local\Temp\55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f.exe"
C:\Users\Admin\Documents\folder name\file name.exe
"C:\Users\Admin\Documents\folder name\file name.exe"
C:\Users\Admin\Documents\folder name\file name.exe
"C:\Users\Admin\Documents\folder name\file name.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2812 -ip 2812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 1136
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 20.112.52.29:80 | microsoft.com | tcp |
Files
memory/4892-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\folder name\file name.exe
| MD5 | 0f97c0600cb950fe9430023345529356 |
| SHA1 | 0464e631d06da0bc9a18a4b1b6252c436686914a |
| SHA256 | 55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f |
| SHA512 | 327d97ba76ee59a3ed800fe66bc13627eab90ca5dd0fac4335251b961df38cba976ac308d0933f15bb16ec970accda46faf3687499c51c72f0d771dc421433da |
C:\Users\Admin\Documents\folder name\file name.exe
| MD5 | 0f97c0600cb950fe9430023345529356 |
| SHA1 | 0464e631d06da0bc9a18a4b1b6252c436686914a |
| SHA256 | 55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f |
| SHA512 | 327d97ba76ee59a3ed800fe66bc13627eab90ca5dd0fac4335251b961df38cba976ac308d0933f15bb16ec970accda46faf3687499c51c72f0d771dc421433da |
memory/3296-135-0x0000000000000000-mapping.dmp
memory/3296-136-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Documents\folder name\file name.exe
| MD5 | 0f97c0600cb950fe9430023345529356 |
| SHA1 | 0464e631d06da0bc9a18a4b1b6252c436686914a |
| SHA256 | 55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f |
| SHA512 | 327d97ba76ee59a3ed800fe66bc13627eab90ca5dd0fac4335251b961df38cba976ac308d0933f15bb16ec970accda46faf3687499c51c72f0d771dc421433da |
memory/3296-138-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3296-139-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3296-140-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3296-142-0x0000000002260000-0x00000000022C5000-memory.dmp
memory/3296-143-0x0000000002260000-0x00000000022C5000-memory.dmp
memory/3296-145-0x0000000002610000-0x000000000261D000-memory.dmp
memory/3296-146-0x00000000027D0000-0x00000000027DC000-memory.dmp
memory/2812-147-0x0000000000000000-mapping.dmp
memory/3296-148-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3296-149-0x0000000002260000-0x00000000022C5000-memory.dmp
memory/2812-150-0x00000000003B0000-0x00000000007E3000-memory.dmp
memory/2812-151-0x0000000000AF0000-0x0000000000C2D000-memory.dmp
memory/2812-152-0x0000000000FF0000-0x0000000000FFD000-memory.dmp
memory/2812-153-0x0000000000AF0000-0x0000000000C2D000-memory.dmp
memory/2812-154-0x0000000000AF0000-0x0000000000C2D000-memory.dmp