Analysis Overview
SHA256
ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05
Threat Level: Known bad
The file ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
CyberGate, Rebhip
Modifies Installed Components in the registry
Adds policy Run key to start application
Executes dropped EXE
UPX packed file
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Drops startup file
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
NTFS ADS
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-21 06:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-21 06:56
Reported
2022-10-21 15:46
Platform
win7-20220812-en
Max time kernel
88s
Max time network
45s
Command Line
Signatures
CyberGate, Rebhip
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\csrss.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{X658E6DC-13L4-67A2-0B8I-XPNV47BC65SI} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{X658E6DC-13L4-67A2-0B8I-XPNV47BC65SI}\StubPath = "C:\\Windows\\system32\\instaII\\jnstaII.exe Restart" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{X658E6DC-13L4-67A2-0B8I-XPNV47BC65SI} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{X658E6DC-13L4-67A2-0B8I-XPNV47BC65SI}\StubPath = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jnstaII.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jnstaII.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\instaII\jnstaII.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\instaII\jnstaII.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1700 set thread context of 436 | N/A | C:\Users\Admin\AppData\Roaming\winlogon.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\winlogon.exe:ZONE.identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe:ZONE.identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\csrss.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\csrss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\csrss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
"C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe":ZONE.identifier & exit
C:\Users\Admin\AppData\Roaming\winlogon.exe
"C:\Users\Admin\AppData\Roaming\winlogon.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\winlogon.exe":ZONE.identifier & exit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
C:\Users\Admin\AppData\Roaming\csrss.exe
"C:\Users\Admin\AppData\Roaming\csrss.exe" C:\Users\Admin\AppData\Roaming\winlogon.exe -keyhide x -prochide 436 -reg C:\Users\Admin\AppData\Roaming\winlogon.exe -proc 436 C:\Users\Admin\AppData\Roaming\winlogon.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
Network
Files
memory/1648-54-0x0000000075811000-0x0000000075813000-memory.dmp
memory/1648-55-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/1648-56-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/1648-57-0x0000000000126000-0x0000000000137000-memory.dmp
memory/1648-58-0x0000000000126000-0x0000000000137000-memory.dmp
memory/848-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
| MD5 | 5f061ef92a483c6a169dd6cc3afc7010 |
| SHA1 | f3622209435408b0ebf4b44e8b4b24fd787c4a2f |
| SHA256 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05 |
| SHA512 | b0da72f38e5e27dd404e83672e1cd6c921b2551b6c086f6e909e490b388087f0600e2aa56a4c379cf97da0b0c2d7383e65e5f15d04561edd0fcf13ee17563a98 |
memory/1700-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\winlogon.exe
| MD5 | 5f061ef92a483c6a169dd6cc3afc7010 |
| SHA1 | f3622209435408b0ebf4b44e8b4b24fd787c4a2f |
| SHA256 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05 |
| SHA512 | b0da72f38e5e27dd404e83672e1cd6c921b2551b6c086f6e909e490b388087f0600e2aa56a4c379cf97da0b0c2d7383e65e5f15d04561edd0fcf13ee17563a98 |
memory/1648-64-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/1648-65-0x0000000000126000-0x0000000000137000-memory.dmp
memory/1700-66-0x0000000002026000-0x0000000002037000-memory.dmp
memory/1700-67-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/1700-68-0x0000000002026000-0x0000000002037000-memory.dmp
memory/1700-69-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/1404-70-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\winlogon.exe
| MD5 | 5f061ef92a483c6a169dd6cc3afc7010 |
| SHA1 | f3622209435408b0ebf4b44e8b4b24fd787c4a2f |
| SHA256 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05 |
| SHA512 | b0da72f38e5e27dd404e83672e1cd6c921b2551b6c086f6e909e490b388087f0600e2aa56a4c379cf97da0b0c2d7383e65e5f15d04561edd0fcf13ee17563a98 |
memory/436-73-0x0000000000400000-0x000000000044B000-memory.dmp
memory/436-72-0x0000000000400000-0x000000000044B000-memory.dmp
memory/436-77-0x0000000000400000-0x000000000044B000-memory.dmp
memory/436-80-0x0000000000400000-0x000000000044B000-memory.dmp
memory/436-83-0x0000000000400000-0x000000000044B000-memory.dmp
memory/436-75-0x0000000000400000-0x000000000044B000-memory.dmp
memory/436-88-0x0000000000400000-0x000000000044B000-memory.dmp
memory/436-85-0x0000000000400000-0x000000000044B000-memory.dmp
memory/436-90-0x0000000000409860-mapping.dmp
memory/436-92-0x0000000000400000-0x000000000044B000-memory.dmp
memory/560-94-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\csrss.exe
| MD5 | a924e94db92303770895aa393798e68e |
| SHA1 | 3c12d5efbd4380303eb737e055513cbe699a2d84 |
| SHA256 | 8d60dc6cebc239b0f1868cbeee25aecf15ff86efc4f531844209f54b92fa570b |
| SHA512 | 6452437980ac0827f6f29de1aea1d8f9081778e4bf084352b8624cd0ac769ebacb7da1b79261574558121ded68f5e2f853b65d2a021a17a42008ce83dd07bd69 |
C:\Users\Admin\AppData\Roaming\csrss.exe
| MD5 | a924e94db92303770895aa393798e68e |
| SHA1 | 3c12d5efbd4380303eb737e055513cbe699a2d84 |
| SHA256 | 8d60dc6cebc239b0f1868cbeee25aecf15ff86efc4f531844209f54b92fa570b |
| SHA512 | 6452437980ac0827f6f29de1aea1d8f9081778e4bf084352b8624cd0ac769ebacb7da1b79261574558121ded68f5e2f853b65d2a021a17a42008ce83dd07bd69 |
memory/1700-96-0x0000000002026000-0x0000000002037000-memory.dmp
C:\Users\Admin\AppData\Roaming\csrss.exe
| MD5 | a924e94db92303770895aa393798e68e |
| SHA1 | 3c12d5efbd4380303eb737e055513cbe699a2d84 |
| SHA256 | 8d60dc6cebc239b0f1868cbeee25aecf15ff86efc4f531844209f54b92fa570b |
| SHA512 | 6452437980ac0827f6f29de1aea1d8f9081778e4bf084352b8624cd0ac769ebacb7da1b79261574558121ded68f5e2f853b65d2a021a17a42008ce83dd07bd69 |
memory/1700-98-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/436-100-0x0000000000400000-0x000000000044B000-memory.dmp
memory/560-99-0x000007FEF35B0000-0x000007FEF3FD3000-memory.dmp
memory/436-103-0x0000000010410000-0x0000000010481000-memory.dmp
memory/1372-106-0x0000000010410000-0x0000000010481000-memory.dmp
memory/1928-109-0x0000000000000000-mapping.dmp
memory/1928-111-0x0000000074A21000-0x0000000074A23000-memory.dmp
memory/436-112-0x0000000010490000-0x0000000010501000-memory.dmp
memory/1928-117-0x0000000010490000-0x0000000010501000-memory.dmp
C:\Windows\SysWOW64\instaII\jnstaII.exe
| MD5 | 34aa912defa18c2c129f1e09d75c1d7e |
| SHA1 | 9c3046324657505a30ecd9b1fdb46c05bde7d470 |
| SHA256 | 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386 |
| SHA512 | d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98 |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 700c5832083c6017f83b226b4ce46b84 |
| SHA1 | 0f64a7c2461b3728191e26a698612e3c134dbd5a |
| SHA256 | 4e324d714f1a9cc9aa6022cd081a873d862f28c58fe04bab7a49cd3973b8f890 |
| SHA512 | 56ad3d708ba60c0da1abd81d2791c9592de90f7e9461d4825f42192f32104ffac9d8867ae62ffb4dd6049a857eef519516264da7b7cc76b61a8a0a67fb7b58cf |
memory/1928-120-0x0000000010490000-0x0000000010501000-memory.dmp
memory/560-101-0x000007FEF2510000-0x000007FEF35A6000-memory.dmp
memory/436-122-0x0000000010510000-0x0000000010581000-memory.dmp
memory/1100-126-0x0000000000000000-mapping.dmp
memory/560-128-0x000007FEFB931000-0x000007FEFB933000-memory.dmp
memory/436-130-0x0000000010590000-0x0000000010601000-memory.dmp
memory/1100-135-0x0000000010590000-0x0000000010601000-memory.dmp
memory/560-136-0x0000000002056000-0x0000000002075000-memory.dmp
memory/1100-137-0x0000000010590000-0x0000000010601000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-21 06:56
Reported
2022-10-21 15:46
Platform
win10v2004-20220812-en
Max time kernel
115s
Max time network
105s
Command Line
Signatures
CyberGate, Rebhip
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\csrss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\instaII\jnstaII.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{X658E6DC-13L4-67A2-0B8I-XPNV47BC65SI} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{X658E6DC-13L4-67A2-0B8I-XPNV47BC65SI}\StubPath = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{X658E6DC-13L4-67A2-0B8I-XPNV47BC65SI} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{X658E6DC-13L4-67A2-0B8I-XPNV47BC65SI}\StubPath = "C:\\Windows\\system32\\instaII\\jnstaII.exe Restart" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jnstaII.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jnstaII.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\instaII\jnstaII.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\instaII\jnstaII.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2080 set thread context of 628 | N/A | C:\Users\Admin\AppData\Roaming\winlogon.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe:ZONE.identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\winlogon.exe:ZONE.identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\winlogon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
"C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe":ZONE.identifier & exit
C:\Users\Admin\AppData\Roaming\winlogon.exe
"C:\Users\Admin\AppData\Roaming\winlogon.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\winlogon.exe":ZONE.identifier & exit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Roaming\csrss.exe
"C:\Users\Admin\AppData\Roaming\csrss.exe" C:\Users\Admin\AppData\Roaming\winlogon.exe -keyhide x -prochide 628 -reg C:\Users\Admin\AppData\Roaming\winlogon.exe -proc 628 C:\Users\Admin\AppData\Roaming\winlogon.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\instaII\jnstaII.exe
"C:\Windows\system32\instaII\jnstaII.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| IE | 13.69.239.72:443 | tcp |
Files
memory/2004-132-0x0000000075440000-0x00000000759F1000-memory.dmp
memory/2004-133-0x0000000075440000-0x00000000759F1000-memory.dmp
memory/2508-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
| MD5 | 5f061ef92a483c6a169dd6cc3afc7010 |
| SHA1 | f3622209435408b0ebf4b44e8b4b24fd787c4a2f |
| SHA256 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05 |
| SHA512 | b0da72f38e5e27dd404e83672e1cd6c921b2551b6c086f6e909e490b388087f0600e2aa56a4c379cf97da0b0c2d7383e65e5f15d04561edd0fcf13ee17563a98 |
memory/2080-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\winlogon.exe
| MD5 | 5f061ef92a483c6a169dd6cc3afc7010 |
| SHA1 | f3622209435408b0ebf4b44e8b4b24fd787c4a2f |
| SHA256 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05 |
| SHA512 | b0da72f38e5e27dd404e83672e1cd6c921b2551b6c086f6e909e490b388087f0600e2aa56a4c379cf97da0b0c2d7383e65e5f15d04561edd0fcf13ee17563a98 |
memory/2004-138-0x0000000075440000-0x00000000759F1000-memory.dmp
memory/2080-139-0x0000000075440000-0x00000000759F1000-memory.dmp
memory/2080-140-0x0000000075440000-0x00000000759F1000-memory.dmp
memory/4608-141-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\winlogon.exe
| MD5 | 5f061ef92a483c6a169dd6cc3afc7010 |
| SHA1 | f3622209435408b0ebf4b44e8b4b24fd787c4a2f |
| SHA256 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05 |
| SHA512 | b0da72f38e5e27dd404e83672e1cd6c921b2551b6c086f6e909e490b388087f0600e2aa56a4c379cf97da0b0c2d7383e65e5f15d04561edd0fcf13ee17563a98 |
memory/628-143-0x0000000000000000-mapping.dmp
memory/628-144-0x0000000000400000-0x000000000044B000-memory.dmp
memory/628-145-0x0000000000400000-0x000000000044B000-memory.dmp
memory/628-147-0x0000000000400000-0x000000000044B000-memory.dmp
memory/628-149-0x0000000000400000-0x000000000044B000-memory.dmp
memory/628-150-0x0000000000400000-0x000000000044B000-memory.dmp
memory/628-151-0x0000000000400000-0x000000000044B000-memory.dmp
memory/628-153-0x0000000000400000-0x000000000044B000-memory.dmp
memory/628-154-0x0000000000400000-0x000000000044B000-memory.dmp
memory/628-156-0x0000000010410000-0x0000000010481000-memory.dmp
memory/4788-160-0x0000000000000000-mapping.dmp
memory/628-161-0x0000000000400000-0x000000000044B000-memory.dmp
memory/628-162-0x0000000010490000-0x0000000010501000-memory.dmp
memory/4788-165-0x0000000010490000-0x0000000010501000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 700c5832083c6017f83b226b4ce46b84 |
| SHA1 | 0f64a7c2461b3728191e26a698612e3c134dbd5a |
| SHA256 | 4e324d714f1a9cc9aa6022cd081a873d862f28c58fe04bab7a49cd3973b8f890 |
| SHA512 | 56ad3d708ba60c0da1abd81d2791c9592de90f7e9461d4825f42192f32104ffac9d8867ae62ffb4dd6049a857eef519516264da7b7cc76b61a8a0a67fb7b58cf |
C:\Windows\SysWOW64\instaII\jnstaII.exe
| MD5 | d881de17aa8f2e2c08cbb7b265f928f9 |
| SHA1 | 08936aebc87decf0af6e8eada191062b5e65ac2a |
| SHA256 | b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0 |
| SHA512 | 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34 |
C:\Users\Admin\AppData\Roaming\csrss.exe
| MD5 | a924e94db92303770895aa393798e68e |
| SHA1 | 3c12d5efbd4380303eb737e055513cbe699a2d84 |
| SHA256 | 8d60dc6cebc239b0f1868cbeee25aecf15ff86efc4f531844209f54b92fa570b |
| SHA512 | 6452437980ac0827f6f29de1aea1d8f9081778e4bf084352b8624cd0ac769ebacb7da1b79261574558121ded68f5e2f853b65d2a021a17a42008ce83dd07bd69 |
C:\Users\Admin\AppData\Roaming\csrss.exe
| MD5 | a924e94db92303770895aa393798e68e |
| SHA1 | 3c12d5efbd4380303eb737e055513cbe699a2d84 |
| SHA256 | 8d60dc6cebc239b0f1868cbeee25aecf15ff86efc4f531844209f54b92fa570b |
| SHA512 | 6452437980ac0827f6f29de1aea1d8f9081778e4bf084352b8624cd0ac769ebacb7da1b79261574558121ded68f5e2f853b65d2a021a17a42008ce83dd07bd69 |
memory/4864-168-0x0000000000000000-mapping.dmp
memory/4788-171-0x0000000010490000-0x0000000010501000-memory.dmp
memory/2080-172-0x0000000075440000-0x00000000759F1000-memory.dmp
memory/628-174-0x0000000010510000-0x0000000010581000-memory.dmp
memory/2432-178-0x0000000000000000-mapping.dmp
memory/4432-179-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\instaII\jnstaII.exe
| MD5 | d881de17aa8f2e2c08cbb7b265f928f9 |
| SHA1 | 08936aebc87decf0af6e8eada191062b5e65ac2a |
| SHA256 | b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0 |
| SHA512 | 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34 |
memory/628-181-0x0000000010590000-0x0000000010601000-memory.dmp
memory/4432-184-0x0000000010590000-0x0000000010601000-memory.dmp