Analysis
max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 12-11-2022 09:01
Behavioral task: behavioral1
Sample: 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Resource: win7-20220812-en
General
Target: 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Size: 411KB
MD5: 31b407850c3c20bed39117100dbcc552
SHA1: 735a4acaf958402497b9e1b14ab3cb539e58889b
SHA256: 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085
SHA512: 40814a29407c8a1ebfac7774b7c8d3bac20702467b8d7dbab6a788a1eb6547cfcdb23cafe18d7a5c59466124ac6ccaa53283d521fac9982304f816e451f10b4f
SSDEEP: 6144:KFT2dcBdnKqcGmkKPEoqHsyXdmxl6rOEyli/YVelQF3xIcE4IvFOs8j6EWackv5K:KAEx4EoqHsQdmxl6zbr+F3KUfaMuwc
Malware Config
Signatures
Modifies system executable filetype association (2 TTPs, 6 IoCs)
Processes: regedit.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 (regedit.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "管理员取得所有权" (regedit.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\NoWorkingDirectory (regedit.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command (regedit.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" (regedit.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" (regedit.exe)
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: regedit.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (regedit.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: regedit.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (regedit.exe)
Processes: regedit.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" (regedit.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (regedit.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (regedit.exe)
Processes: regedit.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UacDisableNotify = "1" (regedit.exe)
Modifies boot configuration data using bcdedit (2 IoCs)
Processes: bcdedit.exe
- PID 1988: bcdedit.exe
- PID 1444: bcdedit.exe
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
- Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OneDrive = "C:\\Windows\\setup\\State\\OneDrive.exe" (2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe)
Disables taskbar notifications via registry modification
Modifies Windows Firewall (1 TTP, 1 IoC)
Possible privilege escalation attempt (3 IoCs)
Processes: takeown.exe, icacls.exe
- PID 1880: takeown.exe
- PID 1400: icacls.exe
- PID 1732: takeown.exe
Registers COM server for autorun (1 TTP, 1 IoC)
Processes: regedit.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32 (regedit.exe)
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe
- PID 572: attrib.exe
- PID 1608: attrib.exe
Stops running service(s) (3 TTPs)
Resource / YARA rule:
- behavioral1/memory/1660-81-0x000000013F220000-0x000000013F31A000-memory.dmp: upx
- behavioral1/memory/1660-131-0x000000013F220000-0x000000013F31A000-memory.dmp: upx
Allows Network login with blank passwords (1 TTP, 1 IoC)
Allows local user accounts with blank passwords to access device from the network.
Processes: regedit.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "1" (regedit.exe)
Deletes itself (1 IoC)
Processes: cmd.exe
- PID 1732: cmd.exe
Modifies file permissions (1 TTP, 3 IoCs)
Processes: takeown.exe, icacls.exe
- PID 1880: takeown.exe
- PID 1400: icacls.exe
- PID 1732: takeown.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: regedit.exe
- Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (regedit.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (regedit.exe)
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
- File opened (read-only): \??\D: (2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe)
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
Resource / YARA rule:
- behavioral1/memory/1660-81-0x000000013F220000-0x000000013F31A000-memory.dmp: autoit_exe
- behavioral1/memory/1660-131-0x000000013F220000-0x000000013F31A000-memory.dmp: autoit_exe
Drops file in Program Files directory (2 IoCs)
Processes: attrib.exe
- File opened for modification: C:\Program Files\Tencent\QDesk (attrib.exe)
- File opened for modification: C:\Program Files\QDesk (attrib.exe)
Drops file in Windows directory (4 IoCs)
Processes: 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
- File created: C:\Windows\web\yh_8.cmd (2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe)
- File opened for modification: C:\Windows\web\yh_8.cmd (2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe)
- File created: C:\Windows\web\yh_8.REG (2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe)
- File opened for modification: C:\Windows\web\yh_8.REG (2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe)
Launches sc.exe (9 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes: sc.exe
- PID 972: sc.exe
- PID 1484: sc.exe
- PID 1104: sc.exe
- PID 1956: sc.exe
- PID 1200: sc.exe
- PID 1212: sc.exe
- PID 764: sc.exe
- PID 1536: sc.exe
- PID 1972: sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies File Icons (2 IoCs)
Processes: regedit.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons (regedit.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\77 = "%systemroot%\\system32\\imageres.dll,197" (regedit.exe)
Modifies Internet Explorer Protected Mode (1 TTP, 1 IoC)
Processes: regedit.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" (regedit.exe)
Modifies Internet Explorer Protected Mode Banner (1 TTP, 1 IoC)
Processes: regedit.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (regedit.exe)
Modifies Internet Explorer start page (1 TTP, 3 IoCs)
Processes: regedit.exe, 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.cbala.com" (regedit.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.cbala.com/" (2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.cbala.com/" (2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe)
Processes: regedit.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\29 = "C:\\Windows\\Empty.ico,0" (regedit.exe)
Modifies data under HKEY_USERS (6 IoCs)
Processes: regedit.exe
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer (regedit.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Link = 00000000 (regedit.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Control Panel\Desktop (regedit.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" (regedit.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\HungAppTimeout = "500" (regedit.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillAppTimeout = "1000" (regedit.exe)
Modifies registry class (64 IoCs)
Runs .reg file with regedit (3 IoCs)
Processes: regedit.exe
- PID 2016: regedit.exe
- PID 1456: regedit.exe
- PID 1460: regedit.exe
Runs net.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: regsvr32.exe
- PID 1132: regsvr32.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
Processes: takeown.exe, powercfg.exe, AUDIODG.EXE
- Token SeTakeOwnershipPrivilege: PID 1732 takeown.exe
- Token SeShutdownPrivilege: PID 1976 powercfg.exe
- Token SeShutdownPrivilege: PID 1976 powercfg.exe
- Token SeShutdownPrivilege: PID 1976 powercfg.exe
- Token SeShutdownPrivilege: PID 1976 powercfg.exe
- Token SeShutdownPrivilege: PID 1976 powercfg.exe
- Token SeCreatePagefilePrivilege: PID 1976 powercfg.exe
- Token 33: PID 908 AUDIODG.EXE
- Token SeIncBasePriorityPrivilege: PID 908 AUDIODG.EXE
- Token 33: PID 908 AUDIODG.EXE
- Token SeIncBasePriorityPrivilege: PID 908 AUDIODG.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
pid   process                                                                   target pid  target process
1660  2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe      864         cmd.exe
864   cmd.exe                                                                   1880        takeown.exe
864   cmd.exe                                                                   1400        icacls.exe
1660  2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe      1600        cmd.exe
1600  cmd.exe                                                                   1732        takeown.exe
1660  2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe      2024        cmd.exe
2024  cmd.exe                                                                   2028        chkntfs.exe
2024  cmd.exe                                                                   1988        bcdedit.exe
2024  cmd.exe                                                                   1976        powercfg.exe
2024  cmd.exe                                                                   1868        netsh.exe
2024  cmd.exe                                                                   1444        bcdedit.exe
2024  cmd.exe                                                                   1956        sc.exe
2024  cmd.exe                                                                   972         sc.exe
2024  cmd.exe                                                                   1200        sc.exe
2024  cmd.exe                                                                   1524        net.exe
1524  net.exe                                                                   1460        net1.exe
2024  cmd.exe                                                                   1340        net.exe
1340  net.exe                                                                   1096        net1.exe
2024  cmd.exe                                                                   572         net.exe
572   net.exe                                                                   1552        net1.exe
2024  cmd.exe                                                                   1212        sc.exe
2024  cmd.exe                                                                   764         sc.exe
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
pid   process
572   attrib.exe
1608  attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe"
  - Adds policy Run key to start application
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\takeown.exe
          command line: takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
          - Possible privilege escalation attempt
          - Modifies file permissions
        C:\Windows\system32\icacls.exe
          command line: icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
          - Possible privilege escalation attempt
          - Modifies file permissions
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\takeown.exe
          command line: takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Windows"\web\yh_8.cmd"
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\chkntfs.exe
          command line: C:\Windows\system32\chkntfs /t:2
        C:\Windows\system32\bcdedit.exe
          command line: bcdedit /timeout 6
          - Modifies boot configuration data using bcdedit
        C:\Windows\system32\powercfg.exe
          command line: powercfg -h off
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\netsh.exe
          command line: netsh advfirewall set allprofiles state off
          - Modifies Windows Firewall
        C:\Windows\system32\bcdedit.exe
          command line: bcdedit /set {current} bootmenupolicy legacy
          - Modifies boot configuration data using bcdedit
        C:\Windows\system32\sc.exe
          command line: sc config RemoteRegistry start= DISABLED
          - Launches sc.exe
        C:\Windows\system32\sc.exe
          command line: sc config WerSvc start= DISABLED
          - Launches sc.exe
        C:\Windows\system32\sc.exe
          command line: sc config W32Time start= DISABLED
          - Launches sc.exe
        C:\Windows\system32\net.exe
          command line: net stop RemoteRegistry
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\net1.exe
              command line: C:\Windows\system32\net1 stop RemoteRegistry
        C:\Windows\system32\net.exe
          command line: net stop WerSvc
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\net1.exe
              command line: C:\Windows\system32\net1 stop WerSvc
        C:\Windows\system32\net.exe
          command line: net stop W32Time
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\net1.exe
              command line: C:\Windows\system32\net1 stop W32Time
        C:\Windows\system32\sc.exe
          command line: sc stop WdiSystemHost
          - Launches sc.exe
        C:\Windows\system32\sc.exe
          command line: sc stop WdiServiceHost
          - Launches sc.exe
        C:\Windows\system32\sc.exe
          command line: sc stop DPS
          - Launches sc.exe
        C:\Windows\system32\sc.exe
          command line: sc config DPS start= disabled
          - Launches sc.exe
        C:\Windows\system32\sc.exe
          command line: sc config WdiServiceHost start= disabled
          - Launches sc.exe
        C:\Windows\system32\sc.exe
          command line: sc config WdiSystemHost start= disabled
          - Launches sc.exe
        C:\Windows\regedit.exe
          command line: REGEDIT /S c:\setup\yh_8.reg
          - Runs .reg file with regedit
        C:\Windows\system32\reg.exe
          command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScheduledDiagnostics" /v "EnabledExecution" /d 0 /t REG_DWORD /f
        C:\Windows\system32\reg.exe
          command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /d 0 /t REG_DWORD /f
        C:\Windows\system32\schtasks.exe
          command line: SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"
        C:\Windows\system32\reg.exe
          command line: reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /d 1 /t REG_dword /f
        C:\Windows\system32\reg.exe
          command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /d 1 /t REG_dword /f
        C:\Windows\system32\reg.exe
          command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /d 1 /t REG_DWORD /f
        C:\Windows\system32\gpupdate.exe
          command line: gpupdate /force
    C:\Windows\regedit.exe
      command line: regedit /s "C:\Windows\web\yh_8.REG"
      - Modifies system executable filetype association
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Windows security bypass
      - Registers COM server for autorun
      - Allows Network login with blank passwords
      - Adds Run key to start application
      - Modifies File Icons
      - Modifies Internet Explorer Protected Mode
      - Modifies Internet Explorer Protected Mode Banner
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies Shortcut Icons
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Runs .reg file with regedit
    C:\Windows\regedit.exe
      command line: regedit /s "C:\Windows\web\zjzl.reg"
      - Runs .reg file with regedit
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c attrib +a +s +h +r "%programfiles%\Tencent\QDesk" >nul 2>nul
        C:\Windows\system32\attrib.exe
          command line: attrib +a +s +h +r "C:\Program Files\Tencent\QDesk"
          - Sets file to hidden
          - Drops file in Program Files directory
          - Views/modifies file attributes
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c echo y|cacls "%programfiles%\Tencent\QDesk" /c /p everyone:n >nul 2>nul
        C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
        C:\Windows\system32\cacls.exe
          command line: cacls "C:\Program Files\Tencent\QDesk" /c /p everyone:n
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c attrib +a +s +h +r "%programfiles%\QDesk" >nul 2>nul
        C:\Windows\system32\attrib.exe
          command line: attrib +a +s +h +r "C:\Program Files\QDesk"
          - Sets file to hidden
          - Drops file in Program Files directory
          - Views/modifies file attributes
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c echo y|cacls "%programfiles%\QDesk" /c /p everyone:n >nul 2>nul
        C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
        C:\Windows\system32\cacls.exe
          command line: cacls "C:\Program Files\QDesk" /c /p everyone:n
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c regsvr32 /u /s igfxpph.dll
        C:\Windows\system32\regsvr32.exe
          command line: regsvr32 /u /s igfxpph.dll
          - Suspicious behavior: CmdExeWriteProcessMemorySpam
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
        C:\Windows\system32\reg.exe
          command line: reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
          - Modifies registry class
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
        C:\Windows\system32\reg.exe
          command line: reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
          - Modifies registry class
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f
        C:\Windows\system32\reg.exe
          command line: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f
        C:\Windows\system32\reg.exe
          command line: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c @echo off
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} [2 8 19] >regset.ini
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c regini regset.ini
        C:\Windows\system32\regini.exe
          command line: regini regset.ini
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c @echo off
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} [2 8 19] >regset.ini
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c regini regset.ini
        C:\Windows\system32\regini.exe
          command line: regini regset.ini
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c @echo off
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes [2 8 19] >regset.ini
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c regini regset.ini
        C:\Windows\system32\regini.exe
          command line: regini regset.ini
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
    C:\Windows\system32\cmd.exe
      command line: cmd.exe /c ping -n 3 127.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe"
      - Deletes itself
        C:\Windows\system32\PING.EXE
          command line: ping -n 3 127.1
          - Runs ping.exe
C:\Windows\explorer.exe
  command line: "C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x51c
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Change Default File Association (1)
- Hidden Files and Directories (4)
- Registry Run Keys / Startup Folder (3)
- Modify Existing Service (2)
Defense Evasion
- Modify Registry (11)
- Hidden Files and Directories (4)
- Bypass User Account Control (1)
- Disabling Security Tools (2)
- Impair Defenses (1)
- File Permissions Modification (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\regset.ini
  Filesize: 118B
  MD5:    06697bf2f4f5395a9af659f50df00e3b
  SHA1:   01925ffbeed3e54e134e1fafaef8ff640dda9107
  SHA256: 8868e97e8dfbc08e681ab68b6b5b1a756cd352354d8ed6c5ce1cb6dee07e55f1
  SHA512: 9c32faff9e7d4b0c82b92ea87c03cff3bd1548ea07728bb7c1fda828db6be857f4101c94e6cffd70f16e2d4fef93c641f4a7edb8cc62c1edda23b54218affd73
C:\Users\Admin\AppData\Local\Temp\regset.ini
  Filesize: 118B
  MD5:    b141c6974c48fadca812a060e03f8200
  SHA1:   bfc010eeda61bd2bd6d3b7963570cbc7d7539037
  SHA256: 68a17dd52a94c7807e46ec191f4481f330eba25303daba341316ac389c17282e
  SHA512: 353288737aca756f1e78b7143711a87917509a3290bf62c789e4de03275b4684eff9027d5d668996b7bc47e3ae7d4f2fc85c523a16795b90a94a9f5d6ed8f138
C:\Users\Admin\AppData\Local\Temp\regset.ini
  Filesize: 79B
  MD5:    2c545704057f619fa7fb3f994862f181
  SHA1:   b820cf6d3e8cbc30ef87632370ed60ef4a5f0bbd
  SHA256: 0a31ed19b74d461d0819477eb328af5f8ef3508974df347cf4304fa62977d1a0
  SHA512: 5875c2626b6172d6059faa391efb4bfcd9c6c35ec15aa002becff0cef7f05b928f9690ed8edd19f790e056d8d19a3f5c7a5402213ae649577202a7f025388a84
C:\Windows\Web\yh_8.REG
  Filesize: 50KB
  MD5:    03adc949c5bc4ac78de28ce1a5d5ada3
  SHA1:   371c497dc8b78fe472d1de552e2962ab112abea8
  SHA256: 9cdff068d11e463a5ce25d761a2c6459b231109ae99c94e6ad8707c065d953ae
  SHA512: 698ca9319b006228235dd7179d258ebdfcce2aaffeb2c07fa83308138570df0e948a97c98e663ea84dc542a21f7faf24b1a692dbce36e65fae8814e876108a89
C:\Windows\web\yh_8.cmd
  Filesize: 1KB
  MD5:    2cc1b20685beaa8050e9e2bc4ef5b1e6
  SHA1:   e225da2c7e04480d991a6d9eaf0179bc22700a97
  SHA256: d61ae817aa4dd829984bbbbef9031ff08c9a726dc8038857a3ea2524b5b30d51
  SHA512: 138b12358226d61d3736bd49ff80723ec86eeac386383b9cf0b68545072db7516309a2c7df5a0e966028cb25a701d66ccd068cfabb815e1dbe8d73ccc5c0259c