Analysis

max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2022, 15:01

Static task: static1
Behavioral task: behavioral1
Sample: fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe
Resource: win7-20220812-en
General

Target: fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe
Size: 596KB
MD5: 7b5d98a0cf55c5eaa4bc63fe8d7e6a10
SHA1: 7a34dad68990aa38a00c70bcb97957d9ef34ff4c
SHA256: fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec
SHA512: 7457bf2f7aea03e7f169f4e66f5c2ff9246c1822414eef61bd842ce10f0d467da7c5a988171c01c01c3ecfea64e79bd4e479e937ecb58a0d638e168b6300fe45
SSDEEP: 1536:4NpvWWnptijPYacUi++txzAfZaIAT4BJ9fE435ORouD0M/odpmjTku6s:4NpvZ2YaLintxzEaIS4BJ9Ma5OJ/o6

Malware Config

Signatures
Modifies firewall policy service (2 TTPs, 18 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\EE0DB28D63E64960\CD06B5.exe = "C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe:*:Enabled:@xpsp2res.dll,-57951861" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | CD06B5.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | CD06B5.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\EE0DB28D63E64960\CD06B5.exe = "C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe:*:Enabled:@xpsp2res.dll,-70554750" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\EE0DB28D63E64960\CD06B5.exe = "C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe:*:Enabled:@xpsp2res.dll,-53342401" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | CD06B5.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\EE0DB28D63E64960\CD06B5.exe = "C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe:*:Enabled:@xpsp2res.dll,-28956246" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | CD06B5.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | CD06B5.exe
Modifies security service (2 TTPs, 1 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | CD06B5.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" | CD06B5.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | CD06B5.exe
UAC bypass

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | CD06B5.exe
Windows security bypass

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | CD06B5.exe
Disables RegEdit via registry modification (1 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | CD06B5.exe

Disables Task Manager via registry modification

Disables taskbar notifications via registry modification
Drops file in Drivers directory (1 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | CD06B5.exe

Executes dropped EXE (2 IoCs)

pid | Process
1972 | CD06B5.exe
1260 | CD06B5.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srwatch.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symtray.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monsys32.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netutils.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspatch.exe | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav8win32eng.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avshadow.exe | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shstat.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fch32.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luall.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsrte.exe | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taumon.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcontrol.exe | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autodown.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csinject.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navdx.exe | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwinntw.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpcmap.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallControlPanel.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbpoll.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexplorerv1.0.exe | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpm.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxquar.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiadmin.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwinntw.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kis8.0.0.506latam.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieBITS.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scvhosl.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Filemon.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autodown.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530stbyb.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpftray.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atwatch.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autotrace.exe | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trjsetup.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysdoc32.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbust.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msblast.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.exe | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\whoswatchingme.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UCCLSID.exe | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\callmsi.exe | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot95.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lookout.exe | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnt.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2Fix.exe | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlh.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prckiller.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsuppnt.exe | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwservice.exe | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe\Debugger = "\"C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe\"" | CD06B5.exe
resource | yara_rule
behavioral2/memory/1812-135-0x0000000000400000-0x0000000000446000-memory.dmp | upx
behavioral2/memory/1812-137-0x0000000000400000-0x0000000000446000-memory.dmp | upx
behavioral2/memory/1812-138-0x0000000000400000-0x0000000000446000-memory.dmp | upx
behavioral2/memory/1812-141-0x0000000000400000-0x0000000000446000-memory.dmp | upx
behavioral2/memory/1812-146-0x0000000000400000-0x0000000000446000-memory.dmp | upx
behavioral2/memory/1260-156-0x0000000000400000-0x0000000000446000-memory.dmp | upx
behavioral2/memory/1260-157-0x0000000000400000-0x0000000000446000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe

Drops startup file (1 IoCs)

description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe | CD06B5.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | CD06B5.exe
Adds Run key to start application (2 TTPs, 4 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run | CD06B5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254003743208BA6735D23877EED = "C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe" | CD06B5.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\EE0DB28D63E64960\\CD06B5.exe" | CD06B5.exe
Checks whether UAC is enabled

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | CD06B5.exe
Suspicious use of SetThreadContext (2 IoCs)

description | pid | Process | procid_target
PID 864 set thread context of 1812 | 864 | fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe | 84
PID 1972 set thread context of 1260 | 1972 | CD06B5.exe | 86
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Control Panel (2 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Sound | CD06B5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Sound\Beep = "no" | CD06B5.exe
Modifies Internet Explorer settings

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | CD06B5.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | CD06B5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://w777v4l0930rrj9.directorio-w.com" | CD06B5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://5h2jlf0k985hj5n.directorio-w.com" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://1dwoxe3mbb592n3.directorio-w.com" | CD06B5.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | CD06B5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" | CD06B5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://227570sprz095rn.directorio-w.com" | CD06B5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://7dhj7j60x9c35s5.directorio-w.com" | CD06B5.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Download | CD06B5.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main | CD06B5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://fh8aceml82k2m9x.directorio-w.com" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://8abc0m0lj3q3g82.directorio-w.com" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://357mfb0n1i7qa46.directorio-w.com" | CD06B5.exe
Modifies Internet Explorer start page (1 TTPs, 2 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://aycw2ap10hif0pr.directorio-w.com" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://62x06278a26h3v3.directorio-w.com" | CD06B5.exe
Modifies registry class (24 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https | CD06B5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | CD06B5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" | CD06B5.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)

pid | Process
1260 | CD06B5.exe
1260 | CD06B5.exe
1260 | CD06B5.exe
1260 | CD06B5.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)

description | pid | Process
Token: SeBackupPrivilege | 1260 | CD06B5.exe

Suspicious use of SetWindowsHookEx (6 IoCs)

pid | Process
864 | fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe
1812 | fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe
1972 | CD06B5.exe
1260 | CD06B5.exe
1260 | CD06B5.exe
1260 | CD06B5.exe

Suspicious use of WriteProcessMemory (19 IoCs)

description | pid | Process | procid_target
PID 864 wrote to memory of 1812 | 864 | fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe | 84
PID 864 wrote to memory of 1812 | 864 | fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe | 84
PID 864 wrote to memory of 1812 | 864 | fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe | 84
PID 864 wrote to memory of 1812 | 864 | fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe | 84
PID 864 wrote to memory of 1812 | 864 | fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe | 84
PID 864 wrote to memory of 1812 | 864 | fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe | 84
PID 864 wrote to memory of 1812 | 864 | fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe | 84
PID 864 wrote to memory of 1812 | 864 | fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe | 84
PID 1812 wrote to memory of 1972 | 1812 | fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe | 85
PID 1812 wrote to memory of 1972 | 1812 | fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe | 85
PID 1812 wrote to memory of 1972 | 1812 | fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe | 85
PID 1972 wrote to memory of 1260 | 1972 | CD06B5.exe | 86
PID 1972 wrote to memory of 1260 | 1972 | CD06B5.exe | 86
PID 1972 wrote to memory of 1260 | 1972 | CD06B5.exe | 86
PID 1972 wrote to memory of 1260 | 1972 | CD06B5.exe | 86
PID 1972 wrote to memory of 1260 | 1972 | CD06B5.exe | 86
PID 1972 wrote to memory of 1260 | 1972 | CD06B5.exe | 86
PID 1972 wrote to memory of 1260 | 1972 | CD06B5.exe | 86
PID 1972 wrote to memory of 1260 | 1972 | CD06B5.exe | 86

System policy modification (1 TTPs, 6 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | CD06B5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | CD06B5.exe
Processes

C:\Users\Admin\AppData\Local\Temp\fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe"
  Depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 864

  C:\Users\Admin\AppData\Local\Temp\fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec.exe"
    Depth: 2
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1812

    C:\Users\Admin\EE0DB28D63E64960\CD06B5.exe
      Command line: "C:\Users\Admin\EE0DB28D63E64960\CD06B5.exe" 9014DCD8
      Depth: 3
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1972

      C:\Users\Admin\EE0DB28D63E64960\CD06B5.exe
        Command line: "C:\Users\Admin\EE0DB28D63E64960\CD06B5.exe"
        Depth: 4
        - Modifies firewall policy service
        - Modifies security service
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Sets file execution options in registry
        - Drops startup file
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies Internet Explorer start page
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - System policy modification
        PID: 1260

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  Depth: 1
  PID: 4780
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 596KB
MD5: 7b5d98a0cf55c5eaa4bc63fe8d7e6a10
SHA1: 7a34dad68990aa38a00c70bcb97957d9ef34ff4c
SHA256: fc6d5302c10f5633be2df9b214b45ef4adc454f9dfb934bbd361bc03a405e4ec
SHA512: 7457bf2f7aea03e7f169f4e66f5c2ff9246c1822414eef61bd842ce10f0d467da7c5a988171c01c01c3ecfea64e79bd4e479e937ecb58a0d638e168b6300fe45