0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7

General

Target

HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe
Size

164KB
MD5

068fc2f4824a2a23e4dce306b897e9ec
SHA1

7161a98ea46b3696d79c6a888a9c69584dca411c
SHA256

0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7
SHA512

54871706422b8b4b495864f30049ef9e6153c0b4904d2cc0a19d4de48a65c1fd5fde23b8791c4d042aa4fc7321d4794e07c677ec5305de6e9e21bafa759fa017
SSDEEP

3072:j3fkYW/5gjbnI3OkLFxD5tKdHDunqUpxwCAnuzPLqY:LMR/5gjbnI3OkLFxD5tKdHDunqIxynua

Score

8^/10

discovery evasion exploit persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1744 takeown.exe
1880 icacls.exe
1804 takeown.exe
944 icacls.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1744 takeown.exe
1880 icacls.exe
1804 takeown.exe
944 icacls.exe

pid	process
1744	takeown.exe
1880	icacls.exe
1804	takeown.exe
944	icacls.exe

pid	process
1744	takeown.exe
1880	icacls.exe
1804	takeown.exe
944	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsStartupHelper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe"	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	process	target process
4352	2036	WerFault.exe	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D44E7EE1-3AAE-11ED-A6C3-FE72C9E2D9C9} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370037678"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 703232b2bbced801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf000000000200000000001066000000010000200000001ffd3e2331a25b45fc101af0cb76053dd3d18c4da05ac224a2a8ff618f984550000000000e8000000002000020000000f362c5dcd65c074b32c86fde523cf4f9672010c4893c78659ce18cb2924d5f3d200000002d319f5426fa3581cb60c36041b00194ed403d6fa1efe39ce216b3e0368d1ead4000000091a346955af97905e39705fdac5061074edc18a8d1b503978537ac4ce7a298f55b131f540834020d109e77db5a5ac689206ff1fd6bd80d8e31ba5db2ac041041	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000c2a89c9c5c59c525b2d97ba0ec6ca3b524e51b488713ed302244589d18abec62000000000e8000000002000020000000eb8dc56f9198722904f76531541b9d30c2c51a52a9a9f83208c4aba2d2ebcecd9000000001c071350995a579385acb4f4fed1288869ff22aca7e3396e928fe9d31e1eed7ced581b2ee3cd97bb9eeea7f55ec68a4c44c03632e32639592ea0853409e7970ae34cc2d834309041ec4ec6e704feb9d336ee5e8845b903811cf4f22d9ac966dc01fef275b1bd3c4a67c10b6edb215d8cedb51b82abeaf325e8604dd0b65cc42256735860132bc61f316efcca8281993400000003e3d2cd113d1954a65a77c39b0954af8a2361bd301f04ebb5a738ed841b4697899fa1d370b98ee2631c80e7a312c4770feab10fb79b5e9367efc9aad5b0e047c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe

pid process

2036 HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe

pid	process
2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exetakeown.exetakeown.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe
Token: SeDebugPrivilege	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe
Token: SeTakeOwnershipPrivilege	1744	takeown.exe
Token: SeTakeOwnershipPrivilege	1804	takeown.exe
Token: 33	2028	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2028	AUDIODG.EXE
Token: 33	2028	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2028	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3304 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3304 iexplore.exe
3304 iexplore.exe
3584 IEXPLORE.EXE
3584 IEXPLORE.EXE
3584 IEXPLORE.EXE
3584 IEXPLORE.EXE

pid	process
3304	iexplore.exe

pid	process
3304	iexplore.exe
3304	iexplore.exe
3584	IEXPLORE.EXE
3584	IEXPLORE.EXE
3584	IEXPLORE.EXE
3584	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.execmd.exe

description	pid	process	target process
PID 2036 wrote to memory of 1032	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1032	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1032	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 1032 wrote to memory of 1744	1032	cmd.exe	takeown.exe
PID 1032 wrote to memory of 1744	1032	cmd.exe	takeown.exe
PID 1032 wrote to memory of 1744	1032	cmd.exe	takeown.exe
PID 1032 wrote to memory of 1880	1032	cmd.exe	icacls.exe
PID 1032 wrote to memory of 1880	1032	cmd.exe	icacls.exe
PID 1032 wrote to memory of 1880	1032	cmd.exe	icacls.exe
PID 1032 wrote to memory of 1804	1032	cmd.exe	takeown.exe
PID 1032 wrote to memory of 1804	1032	cmd.exe	takeown.exe
PID 1032 wrote to memory of 1804	1032	cmd.exe	takeown.exe
PID 1032 wrote to memory of 944	1032	cmd.exe	icacls.exe
PID 1032 wrote to memory of 944	1032	cmd.exe	icacls.exe
PID 1032 wrote to memory of 944	1032	cmd.exe	icacls.exe
PID 2036 wrote to memory of 812	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 812	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 812	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 1788	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 1788	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 1788	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 1188	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 1188	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 1188	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 896	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 896	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 896	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 928	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 928	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 928	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 1064	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 1064	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 1064	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 1960	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 1960	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 1960	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 1056	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 1056	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 1056	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	notepad.exe
PID 2036 wrote to memory of 1736	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1736	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1736	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1868	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1868	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1868	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1752	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1752	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1752	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1804	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1804	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1804	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1332	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1332	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1332	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1892	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1892	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1892	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 744	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 744	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 744	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 2012	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 2012	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 2012	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe
PID 2036 wrote to memory of 1768	2036	HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Bobik.gen-0e3c0990f00475aebe53158be9d68093947e98705aeb30020f839492b75470d7.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1880

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:944

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
2⤵
PID:812

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
2⤵
PID:1788

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
2⤵
PID:1188

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
2⤵
PID:1064

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
2⤵
PID:1960

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
2⤵
PID:928

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
2⤵
PID:1056

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
2⤵
PID:896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2280

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3452

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3140

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://mynoise.net/NoiseMachines/whiteNoiseGenerator.php?l=00180250525557999999
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3304

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3304 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2036 -s 1632
2⤵
- Program crash
PID:4352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x56c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/344-112-0x0000000000000000-mapping.dmp

Download
memory/472-95-0x0000000000000000-mapping.dmp

Download
memory/528-94-0x0000000000000000-mapping.dmp

Download
memory/572-101-0x0000000000000000-mapping.dmp

Download
memory/576-87-0x0000000000000000-mapping.dmp

Download
memory/664-113-0x0000000000000000-mapping.dmp

Download
memory/744-84-0x0000000000000000-mapping.dmp

Download
memory/808-108-0x0000000000000000-mapping.dmp

Download
memory/812-62-0x0000000000000000-mapping.dmp

Download
memory/816-92-0x0000000000000000-mapping.dmp

Download
memory/820-88-0x0000000000000000-mapping.dmp

Download
memory/896-68-0x0000000000000000-mapping.dmp

Download
memory/928-70-0x0000000000000000-mapping.dmp

Download
memory/944-61-0x0000000000000000-mapping.dmp

Download
memory/1028-89-0x0000000000000000-mapping.dmp

Download
memory/1032-56-0x0000000000000000-mapping.dmp

Download
memory/1056-76-0x0000000000000000-mapping.dmp

Download
memory/1064-71-0x0000000000000000-mapping.dmp

Download
memory/1076-96-0x0000000000000000-mapping.dmp

Download
memory/1188-66-0x0000000000000000-mapping.dmp

Download
memory/1228-97-0x0000000000000000-mapping.dmp

Download
memory/1248-116-0x0000000000000000-mapping.dmp

Download
memory/1332-82-0x0000000000000000-mapping.dmp

Download
memory/1360-105-0x0000000000000000-mapping.dmp

Download
memory/1380-104-0x0000000000000000-mapping.dmp

Download
memory/1472-109-0x0000000000000000-mapping.dmp

Download
memory/1496-115-0x0000000000000000-mapping.dmp

Download
memory/1504-93-0x0000000000000000-mapping.dmp

Download
memory/1620-107-0x0000000000000000-mapping.dmp

Download
memory/1628-106-0x0000000000000000-mapping.dmp

Download
memory/1632-118-0x0000000000000000-mapping.dmp

Download
memory/1668-102-0x0000000000000000-mapping.dmp

Download
memory/1736-78-0x0000000000000000-mapping.dmp

Download
memory/1744-57-0x0000000000000000-mapping.dmp

Download
memory/1752-80-0x0000000000000000-mapping.dmp

Download
memory/1756-110-0x0000000000000000-mapping.dmp

Download
memory/1768-86-0x0000000000000000-mapping.dmp

Download
memory/1784-98-0x0000000000000000-mapping.dmp

Download
memory/1788-64-0x0000000000000000-mapping.dmp

Download
memory/1804-81-0x0000000000000000-mapping.dmp

Download
memory/1804-60-0x0000000000000000-mapping.dmp

Download
memory/1808-103-0x0000000000000000-mapping.dmp

Download
memory/1812-100-0x0000000000000000-mapping.dmp

Download
memory/1844-99-0x0000000000000000-mapping.dmp

Download
memory/1852-90-0x0000000000000000-mapping.dmp

Download
memory/1856-114-0x0000000000000000-mapping.dmp

Download
memory/1868-79-0x0000000000000000-mapping.dmp

Download
memory/1880-117-0x0000000000000000-mapping.dmp

Download
memory/1880-58-0x0000000000000000-mapping.dmp

Download
memory/1884-111-0x0000000000000000-mapping.dmp

Download
memory/1888-91-0x0000000000000000-mapping.dmp

Download
memory/1892-83-0x0000000000000000-mapping.dmp

Download
memory/1960-73-0x0000000000000000-mapping.dmp

Download
memory/2012-85-0x0000000000000000-mapping.dmp

Download
memory/2036-55-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp

Filesize
8KB

Download
memory/2036-59-0x000000001B316000-0x000000001B335000-memory.dmp

Filesize
124KB

Download
memory/2036-54-0x0000000000C80000-0x0000000000CB0000-memory.dmp

Filesize
192KB

Download
memory/2056-119-0x0000000000000000-mapping.dmp

Download
memory/2068-120-0x0000000000000000-mapping.dmp

Download
memory/2084-121-0x0000000000000000-mapping.dmp

Download
memory/2096-122-0x0000000000000000-mapping.dmp

Download
memory/2152-123-0x0000000000000000-mapping.dmp

Download
memory/2172-124-0x0000000000000000-mapping.dmp

Download
memory/2188-125-0x0000000000000000-mapping.dmp

Download
memory/2208-126-0x0000000000000000-mapping.dmp

Download
memory/2228-127-0x0000000000000000-mapping.dmp

Download
memory/2244-128-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads