Analysis
  max time kernel:   148s
  max time network:  136s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220812-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         12-11-2022 09:01
Behavioral task: behavioral1
  Sample:   2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
  Resource: win7-20220812-en
(The platform and resource above, and the behavioral2 memory-dump paths in the rule hits below, show that the signatures on this page come from the Windows 10 run; the win7 task is listed here without results of its own.)
General
  Target: 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
  Size:   411KB
  MD5:    31b407850c3c20bed39117100dbcc552
  SHA1:   735a4acaf958402497b9e1b14ab3cb539e58889b
  SHA256: 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085
  SHA512: 40814a29407c8a1ebfac7774b7c8d3bac20702467b8d7dbab6a788a1eb6547cfcdb23cafe18d7a5c59466124ac6ccaa53283d521fac9982304f816e451f10b4f
  SSDEEP: 6144:KFT2dcBdnKqcGmkKPEoqHsyXdmxl6rOEyli/YVelQF3xIcE4IvFOs8j6EWackv5K:KAEx4EoqHsQdmxl6zbr+F3KUfaMuwc
Malware Config
Signatures
-
Modifies system executable filetype association (2 TTPs, 6 IoCs)
Processes: regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "管理员取得所有权" (Chinese: "Administrator takes ownership"; the report shows the GBK bytes as Latin-1 mojibake)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\NoWorkingDirectory
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
What this adds: a context-menu verb on every .exe that takes ownership of the selected file and grants the Administrators group full control through cmd.exe. The same command is registered under Classes\* and Classes\Directory as a verb literally named "runas" (see "Modifies registry class" further down); Explorer treats a verb of that name as an elevated one, and with the UAC prompt values written below the elevation happens without a consent dialog.
-
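The verb name above, and several values under "Modifies registry class" below, are shown by the sandbox as Latin-1 mojibake because the sample writes GBK (Simplified Chinese) strings and the report decoded the bytes one at a time. The following is an added example, not part of the report, that reverses that: it re-encodes the mojibake as Latin-1 to recover the original bytes and decodes them as GBK, refusing strings that are plain ASCII or that do not round-trip to CJK text. The sample bytes are constructed in the code from the characters of 管理员取得所有权 so the round trip can be checked offline; the Latin-1 and cp1252 fallback order is this example's assumption.

```python
"""Recover the GBK text behind the Latin-1 mojibake in this report.

Added example for reading the report; not sandbox code.  The sample writes
GBK strings into the registry and the report decoded those bytes as Latin-1,
which is why the runas2 verb reads "¹ÜÀíÔ±È¡µÃËùÓÐȨ" instead of
"管理员取得所有权".  Re-encoding the mojibake as Latin-1 returns the bytes.
"""
from typing import Optional, Tuple

# Constructed input: the GBK bytes of 管理员取得所有权, decoded the way the
# sandbox did it, so the repair can be demonstrated without the original page.
GBK_BYTES = bytes.fromhex("b9dc c0ed d4b1 c8a1 b5c3 cbf9 d3d0 c8a8")
MOJIBAKE_RUNAS2 = GBK_BYTES.decode("latin-1")   # "¹ÜÀíÔ±È¡µÃËùÓÐȨ"

def looks_like_mojibake(s: str) -> bool:
    """Every code point fits in one byte and at least one is in 0x80-0xFF:
    the shape of a double-byte encoding that was decoded as a single-byte one."""
    return bool(s) and all(ord(c) < 0x100 for c in s) and any(ord(c) >= 0x80 for c in s)

def has_cjk(s: str) -> bool:
    return any("\u4e00" <= c <= "\u9fff" for c in s)

def repair_gbk_mojibake(s: str, via: Tuple[str, ...] = ("latin-1", "cp1252")) -> Optional[str]:
    """Return the GBK text hidden in s, or None when s is ASCII, is not
    one-byte-per-char, or does not round-trip to text containing CJK ideographs.
    cp1252 is tried second because some renderers use it for 0x80-0x9F.
    Strings where the extraction already merged byte pairs into other code
    points (some rows on this page) fail the first check and return None."""
    if not looks_like_mojibake(s):
        return None
    for codec in via:
        try:
            text = s.encode(codec).decode("gbk")
        except (UnicodeEncodeError, UnicodeDecodeError):
            continue
        if has_cjk(text):
            return text
    return None

if __name__ == "__main__":
    for sample in (MOJIBAKE_RUNAS2, "Á´½Ó", "ÊôÐÔ(&R)", "cmd.exe /c takeown"):
        print(f"{sample!r} -> {repair_gbk_mojibake(sample)!r}")
```

The same function applies to any sandbox or SIEM field that shows runs of accented Latin capitals where a Chinese UI string is expected; when it returns None the bytes were altered after decoding and the value has to be taken from the host or the dropped .reg file instead.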
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: regedit.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: regedit.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
-
Processes: regedit.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Net effect: UAC stays enabled (EnableLUA = 1), but ConsentPromptBehaviorAdmin = 0 lets members of Administrators elevate without any prompt and PromptOnSecureDesktop = 0 takes whatever prompts remain off the secure desktop. Anything that asks for elevation afterwards, including the "runas" verbs this sample registers, gets it silently.
-
Processes: regedit.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UacDisableNotify = "1"
This suppresses the Security Center notification that would otherwise warn the user that UAC has been weakened, so the prompt changes above go unannounced.
-
Modifies boot configuration data using bcdedit (2 IoCs)
Processes: bcdedit.exe, bcdedit.exe
  PID 4776  bcdedit.exe
  PID 4156  bcdedit.exe
(Both are children of cmd.exe PID 3880; the bcdedit command lines are not recorded in this report.)
-
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
  Key created      \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OneDrive = "C:\\Windows\\setup\\State\\OneDrive.exe"
The value name and file name imitate OneDrive, but C:\Windows\setup\State is not where OneDrive installs; treat that path as the persistence artefact to hunt for. Policies\Explorer\Run is processed at logon like the ordinary Run key but is checked far less often.
-
Disables taskbar notifications via registry modification
-
Modifies Windows Firewall (1 TTP, 1 IoC)
(No IoC rows are shown for this signature. netsh.exe PID 4728, launched by cmd.exe PID 3880, appears in the process list at the end of the report; its arguments are not recorded.)
-
Possible privilege escalation attempt (3 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe
  PID 888   takeown.exe
  PID 1264  icacls.exe
  PID 3016  takeown.exe
-
Registers COM server for autorun (1 TTP, 3 IoCs)
Processes: regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32\ = "C:\\Windows\\system32\\gameux.dll"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32\ThreadingModel = "Apartment"
Caveat: the other values written under this CLSID ("Games Explorer", "Play and Manage Games.", the shell32.dll LocalizedString, the imageres.dll icon) show this is a re-registration of the Windows Games Explorer shell folder, pointing at the Windows-supplied gameux.dll in System32. The signature fires on any InprocServer32 registration; on its own this is not a malicious COM server. Confirm that gameux.dll on the host is the original, signed file.
-
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
  PID 2300  attrib.exe
  PID 3316  attrib.exe
-
Stops running service(s) (3 TTPs)
(No IoC rows. The nine sc.exe launches and the three net.exe/net1.exe pairs started by cmd.exe PID 3880 are in the process list at the end of the report; the service names are not recorded.)
-
Processes (yara rule: upx):
  behavioral2/memory/4988-137-0x00007FF75D060000-0x00007FF75D15A000-memory.dmp  upx
  behavioral2/memory/4988-168-0x00007FF75D060000-0x00007FF75D15A000-memory.dmp  upx
  behavioral2/memory/4988-203-0x00007FF75D060000-0x00007FF75D15A000-memory.dmp  upx
(Three dumps of the same image range of PID 4988, the sample process, match the UPX rule.)
-
Allows Network login with blank passwords (1 TTP, 1 IoC)
Allows local user accounts with blank passwords to access device from the network.
Processes: regedit.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "1"
Caveat: the signature text does not match the value written. LimitBlankPasswordUse = 1 is the Windows default and restricts blank-password local accounts to console logon; only 0 allows them to log on over the network. The sample wrote the restrictive value, so the signature fired on the write itself, not on a weakening.
-
Modifies file permissions (1 TTP, 3 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe
  PID 888   takeown.exe
  PID 1264  icacls.exe
  PID 3016  takeown.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: regedit.exe
  Key created  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(Only the key creations are recorded; no value under either Run key appears in this report. The persistence value seen in this run is the Policies\Explorer\Run\OneDrive entry above.)
-
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
  File opened (read-only)  \??\D:
-
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes (yara rule: autoit_exe):
  behavioral2/memory/4988-137-0x00007FF75D060000-0x00007FF75D15A000-memory.dmp  autoit_exe
  behavioral2/memory/4988-168-0x00007FF75D060000-0x00007FF75D15A000-memory.dmp  autoit_exe
  behavioral2/memory/4988-203-0x00007FF75D060000-0x00007FF75D15A000-memory.dmp  autoit_exe
(The same three dumps match both the upx and the autoit_exe rules: the sample is a UPX-packed, AutoIt-compiled executable. The compiled script can normally be recovered from the unpacked image with an AutoIt decompiler, which is the fastest route to the full list of commands behind the sc.exe, net.exe and bcdedit.exe launches below.)
-
Drops file in Program Files directory (2 IoCs)
Processes: attrib.exe, attrib.exe
  File opened for modification  C:\Program Files\Tencent\QDesk  (attrib.exe)
  File opened for modification  C:\Program Files\QDesk  (attrib.exe)
-
Drops file in Windows directory (4 IoCs)
Processes: 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
  File created                  C:\Windows\web\yh_8.cmd
  File opened for modification  C:\Windows\web\yh_8.cmd
  File created                  C:\Windows\web\yh_8.REG
  File opened for modification  C:\Windows\web\yh_8.REG
(A batch file and a .reg file dropped into C:\Windows\web; the three regedit.exe launches and the cmd.exe children in the process list are consistent with these being executed, though the report does not record the command lines. Both files are worth collecting from the host: they hold the registry and service changes in plain text.)
-
Launches sc.exe (9 IoCs)
sc.exe is the Windows utility for controlling services on the system.
Processes: sc.exe ×9
  PID 4664  sc.exe
  PID 3364  sc.exe
  PID 3820  sc.exe
  PID 4324  sc.exe
  PID 4064  sc.exe
  PID 4284  sc.exe
  PID 1336  sc.exe
  PID 3980  sc.exe
  PID 2840  sc.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(Caveat: the only drive access recorded in this report is the read-only open of \??\D: under "Enumerates connected drives"; no file encryption appears anywhere in the run.)
-
Modifies File Icons (2 IoCs)
Processes: regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\77 = "%systemroot%\\system32\\imageres.dll,197"
-
Modifies Internet Explorer Protected Mode (1 TTP, 1 IoC)
Processes: regedit.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"
(Zone 3 is the Internet zone and action 2500 is "Turn on Protected Mode"; 3 means disabled, so pages from the hijacked search and start pages below render without the low-integrity sandbox.)
-
Modifies Internet Explorer Protected Mode Banner (1 TTP, 1 IoC)
Processes: regedit.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"
-
Processes: regedit.exe, 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe, regini.exe
(Legend for this table: HKLM = \REGISTRY\MACHINE; HKU\<SID> = \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000; [sample] = 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe; the writing process is in brackets.)
  Set value (str)  HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconURL = "http://www.baidu.com/favicon.ico"  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\DisplayName = "百度搜索" (Baidu Search)  [sample]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadUpdates = "1"  [sample]
  Key deleted      HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}  [sample]
  Key created      HKU\<SID>\Software\Microsoft\Internet Explorer\SearchScopes  [regini.exe]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\Main\NoUpdateCheck = "1"  [regedit.exe]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\ShortcutBehavior = "1"  [regedit.exe]
  Key created      HKU\<SID>\Software\Microsoft\Internet Explorer\SearchScopes  [sample]
  Key created      HKU\<SID>\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0}  [sample]
  Set value (str)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://bj1.api.bing.com/qsml.aspx?query={searchTerms}&src={referrer:source}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={Language}"  [regedit.exe]
  Set value (str)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"  [regedit.exe]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\MINIE\ShowTabsBelowAddressBar = "1"  [regedit.exe]
  Set value (data) HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff0000000000000000ffff0000ffff0000  [regedit.exe]
  Key created      HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN  [sample]
  Key deleted      HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}  [sample]
  Set value (str)  HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC"  [regedit.exe]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadUpdates = "1"  [regedit.exe]
  Set value (str)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"  [regedit.exe]
  Set value (str)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"  [sample]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\Enabled = "0"  [regedit.exe]
  Set value (str)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconURL = "http://www.baidu.com/favicon.ico"  [regedit.exe]
  Key created      HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN  [sample]
  Set value (str)  HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ (default value, data not shown)  [sample]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\PopupsUseNewWindow = "2"  [regedit.exe]
  Key deleted      HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}  [regedit.exe]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\Codepage = "65001"  [regedit.exe]
  Key deleted      HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}  [sample]
  Set value (str)  HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{A481937F-4D99-4B11-86E6-5B0F1007C557}"  [sample]
  Key created      HKU\<SID>\Software\Microsoft\Internet Explorer\Toolbar  [regedit.exe]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\Main\RunOnceHasShown = "1"  [regedit.exe]
  Key created      HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}  [sample]
  Set value (str)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"  [sample]
  Key created      HKU\<SID>\Software\Microsoft\Internet Explorer\SearchScopes  [regedit.exe]
  Set value (str)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ (default value, data not shown)  [sample]
  Key created      HKU\<SID>\Software\Microsoft\Internet Explorer\MINIE  [regedit.exe]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\MINIE\ShowStatusBar = "1"  [regedit.exe]
  Set value (str)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"  [regedit.exe]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "2"  [regedit.exe]
  Key created      HKU\<SID>\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}  [regedit.exe]
  Set value (str)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie=utf-8&from=ie8"  [regedit.exe]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "2"  [sample]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\MINIE\CommandBarEnabled = "1"  [regedit.exe]
  Set value (str)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ (default value, data not shown)  [regedit.exe]
  Set value (str)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie=utf-8&from=ie8"  [sample]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"  [regedit.exe]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\OpenAllHomePages = "1"  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\URL = "http://www.456020.com/s.php?wd={searchTerms}&ie=utf-8"  [sample]
  Set value (str)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\URL = "http://www.456020.com/s.php?wd={searchTerms}&ie=utf-8"  [sample]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ShowSearchSuggestions = "1"  [sample]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\MINIE\LinksBandEnabled = "1"  [regedit.exe]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"  [regedit.exe]
  Key created      HKU\<SID>\Software\Microsoft\Internet Explorer\Download  [regedit.exe]
  Set value (int)  HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\Codepage = "65001"  [sample]
  Set value (str)  HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ = "Bing"  [regedit.exe]
  Set value (int)  HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\DEPOff = "1"  [regedit.ex
e]
  Set value (str)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\Toolbar\QuickComplete\QuickComplete = "http://www.%s.com"  [regedit.exe]
  Key created      HKLM\SOFTWARE\Microsoft\Internet Explorer\Search  [sample]
  Set value (str)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Program Files\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"  [sample]
  Set value (str)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\Main\UseClearType = "yes"  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.cbala.com/"  [sample]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "1"  [sample]
  Set value (str)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\Toolbar\LinksFolderName = " "  [regedit.exe]
  Set value (str)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\Toolbar\LinksFolderName = "链接" (Links; shown as GBK mojibake in the report)  [regedit.exe]
  Set value (int)  HKU\<SID>\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\ThumbnailBehavior = "1"  [regedit.exe]
What these rows amount to: the default search scope (DefaultScope = {A481937F-4D99-4B11-86E6-5B0F1007C557}) is named "百度搜索" (Baidu Search) and carries Baidu's favicon and suggestion URLs, but its URL value sends every query to http://www.456020.com/s.php?wd={searchTerms}; the Bing scope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} is deleted and rebuilt; the default page is set to http://www.cbala.com/; and three IE protections are switched off in the same pass: CheckExeSignatures = "no" (no Authenticode check on downloaded executables), DEPOff = "1" (DEP disabled for iexplore.exe) and NoUpdateCheck = "1". Judge the hijack by the URL values, not by the display name or favicon.
-
Modifies Internet Explorer start page (1 TTP, 3 IoCs)
Processes: regedit.exe, 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.cbala.com"  (regedit.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.cbala.com/"  (2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.cbala.com/"  (2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe)
-
Processes: regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\29 = "C:\\Windows\\Empty.ico,0"
(Shell Icons index 29 is the shortcut-arrow overlay; pointing it at an empty icon removes the arrow from all shortcuts. C:\Windows\Empty.ico is not among the files dropped in this report.)
-
Modifies data under HKEY_USERS (6 IoCs)
Processes: regedit.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\HungAppTimeout = "500"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillAppTimeout = "1000"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Link = 00000000
  Key created       \REGISTRY\USER\.DEFAULT\Control Panel\Desktop
  Set value (str)   \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"
-
Modifies registry class (64 IoCs)
Processes: reg.exe, regedit.exe, reg.exe
(Legend for this table: HKLM = \REGISTRY\MACHINE; HKU\<SID>_Classes = \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes; the writing process is in brackets. Chinese values are shown repaired from the report's GBK-as-Latin-1 mojibake, with a translation.)
  Key created      HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\new  [reg.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\ (default value, data not shown)  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\NoAddOns\ = "在没有加载项的情况下启动(&N)" (Start without add-ons)  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Set  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\HideFolderVerbs  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\NoAddOns\Command  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\*\shell\runas\NoWorkingDirectory  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\Wow6432Node  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\DefaultIcon\ = "C:\\Windows\\system32\\imageres.dll,-14"  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\exefile\shell\runas2\ = "管理员取得所有权" (Administrator takes ownership)  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\DefaultIcon  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\*\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32\ThreadingModel = "Apartment"  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ = "Internet Explorer"  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Set\ = "属性(&R)" (Properties)  [regedit.exe]
  Set value (int)  HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\ShellFolder\Attributes = "537919792"  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\ = "Games Explorer"  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\HideOnDesktopPerUser  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\*\shell\Notepad\ = "用记事本打开该文件" (Open this file with Notepad)  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\*\shell\Notepad\Command  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\*\shell\runas\ = "管理员取得所有权" (Administrator takes ownership)  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Open  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Open\Command  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\ = "C:\\Windows\\system32\\ieframe.dll,-190"  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\exefile\shell\runas2\NoWorkingDirectory  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\Directory\shell\runas\NoWorkingDirectory  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\ShellFolder  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InfoTip = "Play and Manage Games."  [regedit.exe]
  Key deleted      HKU\<SID>_Classes\Directory\Background\shellex\ContextMenuHandlers\ FileSyncEx  [reg.exe]
  Key deleted      HKLM\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\Sharing  [reg.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\*\shell\Notepad\Command\ = "notepad %1"  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\*\shell\runas  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"  [regedit.exe]
  Set value (int)  HKU\<SID>_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4035969101"  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\CLSID  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32\ = "C:\\Windows\\syswow64\\gameux.dll"  [regedit.exe]
  Key created      HKU\<SID>_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\exefile\shell\runas2  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\Directory\shell\runas  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\Directory\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\Directory\shell\runas\ = "管理员取得所有权" (Administrator takes ownership)  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\ShellFolder  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\NoAddOns\Command\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe about:NoAdd-ons"  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Set\Command  [regedit.exe]
  Set value (int)  HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\Attributes = "48"  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\exefile\shell\runas2\command  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\WOW6432Node\CLSID  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\ = "Games Explorer"  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\LocalizedString = "@%SystemRoot%\\system32\\shell32.dll,-30579"  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\DefaultIcon\ = "C:\\Windows\\syswow64\\imageres.dll,-14"  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe,-32528"  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Set\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\*\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"  [regedit.exe]
  Set value (str)  HKLM\SOFTWARE\Classes\Directory\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"  [regedit.exe]
  Key created      HKU\<SID>_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\Directory\shell\runas\command  [regedit.exe]
  Key created      HKU\<SID>_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\DefaultIcon  [regedit.exe]
  Key created      HKLM\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\NoAddOns  [regedit.exe]
Grouped by intent, these rows do five things: (1) register an elevated "runas" verb named "管理员取得所有权" on every file (Classes\*), every folder (Classes\Directory, recursive: takeown /r /d y and icacls /t) and, as "runas2", every executable, each running cmd.exe with takeown and icacls on the selected path; (2) add a "用记事本打开该文件" verb on every file that runs notepad %1; (3) create an "Internet Explorer" desktop namespace object under CLSID {B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B} with Open, "start without add-ons" and Properties (Inetcpl.cpl) verbs; (4) re-register the Games Explorer shell folder {ED228FDF-9EA8-4870-83b1-96b02CFE0D52} for both 32- and 64-bit views; (5) change the ShellFolder Attributes of {018D5C66-4533-4307-9B53-224DE2ED1FE6}, the CLSID Explorer uses for the OneDrive navigation-pane entry, delete OneDrive's FileSyncEx and the Sharing context-menu handlers, and add a "new" handler key. Item (1) is the part with security weight: any user who can right-click can hand Administrators full control of arbitrary files and directories, and with ConsentPromptBehaviorAdmin = 0 the elevation runs without a prompt.
-
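The sections above show why the signature names on this page should not be read on their own: LimitBlankPasswordUse = 1 is flagged as "allows blank passwords" although it is the restrictive value, while the silent-elevation UAC settings, the disabled IE download-signature check and the search scope that is branded Baidu but queries 456020.com carry no heading at all. The following is an added example, not sandbox code, that parses report rows in the format printed on this page and evaluates them by value: a small policy table for the UAC, Lsa and Internet Explorer values, a check for shell verbs whose command runs a command interpreter, and a mismatch test between a search scope's favicon domain and its query URL. The policy table, the regular expressions and the domain heuristic are this example's own assumptions; the sample rows are copied from the tables above.

```python
"""Evaluate registry rows from this report by value, not by signature name.

Added example; not sandbox code.  The row format (operation, value type,
path, optional '= value', writing process) is the one the report prints.
The POLICY table, the shell-verb check and the search-scope mismatch
heuristic are this example's own and are deliberately narrow.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

@dataclass
class RegRow:
    op: str               # "Key created", "Key deleted" or "Set value"
    vtype: Optional[str]  # str / int / data for Set value rows, else None
    path: str             # full \REGISTRY\... path; trailing '\' = default value
    value: Optional[str]  # None for key operations and rows printed without data
    process: str          # image name of the writing process

_OP_RE = re.compile(r"^(Key created|Key deleted|Set value \((\w+)\))\s+(.*)$")

def parse_row(line: str) -> RegRow:
    """The writing process is the last token; a value, when present, follows
    ' = ' and is quoted for str values (data values are printed as bare hex)."""
    m = _OP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a registry row: {line!r}")
    op_full, vtype, rest = m.groups()
    rest, process = rest.rsplit(" ", 1)
    value = None
    if " = " in rest:
        rest, value = rest.split(" = ", 1)
        value = value.strip('"')
    return RegRow("Set value" if vtype else op_full, vtype, rest, value, process)

# Values that are findings regardless of which signature the sandbox attached.
# LimitBlankPasswordUse is the instructive case: 1 (the value in this report)
# is the restrictive default; only 0 opens network logon to blank passwords.
POLICY = [
    (r"\Policies\System\EnableLUA", "0", "UAC disabled"),
    (r"\Policies\System\ConsentPromptBehaviorAdmin", "0", "administrators elevate without a consent prompt"),
    (r"\Policies\System\PromptOnSecureDesktop", "0", "UAC prompts not shown on the secure desktop"),
    (r"\Control\Lsa\LimitBlankPasswordUse", "0", "blank-password local accounts may log on over the network"),
    (r"\Internet Explorer\Download\CheckExeSignatures", "no", "IE no longer checks Authenticode on downloads"),
    (r"\Internet Explorer\Main\DEPOff", "1", "DEP disabled for Internet Explorer"),
    (r"\Internet Settings\Zones\3\2500", "3", "Protected Mode off for the Internet zone"),
]
_VERB_RE = re.compile(r"\\Classes\\([^\\]+)\\shell\\([^\\]+)\\command\\(IsolatedCommand)?$", re.I)
_SCOPE_RE = re.compile(r"\\SearchScopes\\(\{[0-9A-Fa-f-]+\})\\(\w+)$")
_SHELLS = re.compile(r"\b(cmd|powershell|wscript|cscript|mshta)\.exe", re.I)

def _domain(url: str) -> str:
    """Crude registrable domain (last two labels); enough for the .com hosts here."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def evaluate(rows: List[RegRow]) -> List[str]:
    findings: List[str] = []
    scopes: Dict[str, Dict[str, str]] = {}   # GUID -> {value name: data}
    default_scope = None
    for r in rows:
        if r.op != "Set value" or r.value is None:
            continue
        name = r.path.rsplit("\\", 1)[-1] or "(Default)"
        for suffix, bad, msg in POLICY:
            if r.path.lower().endswith(suffix.lower()) and r.value.lower() == bad:
                findings.append(f"{msg} [{name}={r.value}, {r.process}]")
        m = _VERB_RE.search(r.path)
        if m and _SHELLS.search(r.value):
            findings.append(f"shell verb '{m.group(2)}' on class {m.group(1)} runs {r.value.split()[0]} [{r.process}]")
        if r.path.lower().endswith(r"\searchscopes\defaultscope"):
            default_scope = r.value.upper()
        m = _SCOPE_RE.search(r.path)
        if m:
            scopes.setdefault(m.group(1).upper(), {})[m.group(2)] = r.value
    for guid, vals in scopes.items():
        url, icon = vals.get("URL"), vals.get("FaviconURL")
        if url and icon and _domain(url) != _domain(icon):
            role = "default search scope" if guid == default_scope else "search scope"
            findings.append(f"{role} {guid} is branded {_domain(icon)} but queries {_domain(url)}")
    return findings

def evaluate_report(lines: List[str]) -> List[str]:
    return evaluate([parse_row(l) for l in lines if l.strip()])

# Constructed input: rows copied from the tables on this page.
SAMPLE = "2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe"
SID = r"S-1-5-21-2629973501-4017243118-3254762364-1000"
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" regedit.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" regedit.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" regedit.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "1" regedit.exe',
    rf'Set value (str) \REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" regedit.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\DEPOff = "1" regedit.exe',
    rf'Set value (int) \REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" regedit.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" regedit.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconURL = "http://www.baidu.com/favicon.ico" regedit.exe',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{{A481937F-4D99-4B11-86E6-5B0F1007C557}}\URL = "http://www.456020.com/s.php?wd={{searchTerms}}&ie=utf-8" {SAMPLE}',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{{A481937F-4D99-4B11-86E6-5B0F1007C557}}" {SAMPLE}',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC" regedit.exe',
    rf'Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{{0633EE93-D776-472F-A0FF-E1416B8B2E3A}} {SAMPLE}',
]

if __name__ == "__main__":
    for finding in evaluate_report(REPORT_ROWS):
        print(finding)
```

Run against the sample rows this reports seven findings: the two UAC prompt values, CheckExeSignatures, DEPOff, the Internet-zone Protected Mode value, the runas2 verb that runs cmd.exe, and the default search scope branded baidu.com that queries 456020.com. EnableLUA = 1 and LimitBlankPasswordUse = 1 produce nothing, which is the point: the policy keys off the value that is actually dangerous.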
Opens file in notepad (likely ransom note) (1 IoC)
Processes: notepad.exe
  PID 2568  notepad.exe
Caveat: "likely ransom note" is the signature's generic wording. Nothing else in this report shows file encryption or a dropped note, the file opened is not recorded here, and the sample registers a "用记事本打开该文件" (Open this file with Notepad) verb under Classes\*\shell\Notepad, so a notepad launch is expected from its own behaviour.
-
Runs .reg file with regedit (3 IoCs)
Processes: regedit.exe, regedit.exe, regedit.exe
  PID 1928  regedit.exe
  PID 5032  regedit.exe
  PID 5084  regedit.exe
(regedit.exe is the writer of most registry rows on this page; the only .reg file dropped in this run is C:\Windows\web\yh_8.REG.)
-
Runs net.exe
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: takeown.exe, powercfg.exe
  Token: SeTakeOwnershipPrivilege  PID 3016  takeown.exe
  Token: SeShutdownPrivilege       PID 1664  powercfg.exe
  Token: SeCreatePagefilePrivilege PID 1664  powercfg.exe
  Token: SeShutdownPrivilege       PID 1664  powercfg.exe
  Token: SeCreatePagefilePrivilege PID 1664  powercfg.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe, cmd.exe, cmd.exe, cmd.exe, net.exe, net.exe, net.exe
Each parent-to-child write is recorded twice in the report; the 32 distinct relationships, as a process tree (PID, image):
  4988  2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
    4708  cmd.exe
      888   takeown.exe
      1264  icacls.exe
    1388  cmd.exe
      3016  takeown.exe
    3880  cmd.exe
      4360  chkntfs.exe
      4776  bcdedit.exe
      1664  powercfg.exe
      4728  netsh.exe
      4156  bcdedit.exe
      3820  sc.exe
      4324  sc.exe
      4064  sc.exe
      3188  net.exe
        4384  net1.exe
      1644  net.exe
        4512  net1.exe
      4836  net.exe
        4556  net1.exe
      4284  sc.exe
      1336  sc.exe
      3980  sc.exe
      4664  sc.exe
      2840  sc.exe
      3364  sc.exe
      5032  regedit.exe
      2420  reg.exe
      316   reg.exe
      1300  schtasks.exe
      1748  reg.exe
      608   reg.exe
The two short-lived cmd.exe instances (4708, 1388) carry the takeown/icacls work; the long-lived cmd.exe 3880 drives the system-wide changes (chkntfs, bcdedit, powercfg, netsh, sc, net, regedit, reg, schtasks). The list is capped at 64 IoCs, so regedit.exe 1928 and 5084 from "Runs .reg file with regedit" and the ping.exe launch do not appear here.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe, attrib.exe
pid | process
2300 | attrib.exe
3316 | attrib.exe
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe"
- Adds policy Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
- Suspicious use of WriteProcessMemory
-
Depth 3: C:\Windows\system32\takeown.exe
Command line: takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
- Possible privilege escalation attempt
- Modifies file permissions
-
Depth 3: C:\Windows\system32\icacls.exe
Command line: icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
- Possible privilege escalation attempt
- Modifies file permissions
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
- Suspicious use of WriteProcessMemory
-
Depth 3: C:\Windows\system32\takeown.exe
Command line: takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\Windows"\web\yh_8.cmd"
- Suspicious use of WriteProcessMemory
-
Depth 3: C:\Windows\system32\chkntfs.exe
Command line: C:\Windows\system32\chkntfs /t:2
-
Depth 3: C:\Windows\system32\bcdedit.exe
Command line: bcdedit /timeout 6
- Modifies boot configuration data using bcdedit
-
Depth 3: C:\Windows\system32\powercfg.exe
Command line: powercfg -h off
- Suspicious use of AdjustPrivilegeToken
-
Depth 3: C:\Windows\system32\netsh.exe
Command line: netsh advfirewall set allprofiles state off
- Modifies Windows Firewall
-
Depth 3: C:\Windows\system32\bcdedit.exe
Command line: bcdedit /set {current} bootmenupolicy legacy
- Modifies boot configuration data using bcdedit
-
Depth 3: C:\Windows\system32\sc.exe
Command line: sc config RemoteRegistry start= DISABLED
- Launches sc.exe
-
Depth 3: C:\Windows\system32\sc.exe
Command line: sc config WerSvc start= DISABLED
- Launches sc.exe
-
Depth 3: C:\Windows\system32\sc.exe
Command line: sc config W32Time start= DISABLED
- Launches sc.exe
-
Depth 3: C:\Windows\system32\net.exe
Command line: net stop RemoteRegistry
- Suspicious use of WriteProcessMemory
-
Depth 4: C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 stop RemoteRegistry
-
Depth 3: C:\Windows\system32\net.exe
Command line: net stop WerSvc
- Suspicious use of WriteProcessMemory
-
Depth 4: C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 stop WerSvc
-
Depth 3: C:\Windows\system32\net.exe
Command line: net stop W32Time
- Suspicious use of WriteProcessMemory
-
Depth 4: C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 stop W32Time
-
Depth 3: C:\Windows\system32\sc.exe
Command line: sc stop WdiSystemHost
- Launches sc.exe
-
Depth 3: C:\Windows\system32\sc.exe
Command line: sc stop WdiServiceHost
- Launches sc.exe
-
Depth 3: C:\Windows\system32\sc.exe
Command line: sc stop DPS
- Launches sc.exe
-
Depth 3: C:\Windows\system32\sc.exe
Command line: sc config DPS start= disabled
- Launches sc.exe
-
Depth 3: C:\Windows\system32\sc.exe
Command line: sc config WdiServiceHost start= disabled
- Launches sc.exe
-
Depth 3: C:\Windows\system32\sc.exe
Command line: sc config WdiSystemHost start= disabled
- Launches sc.exe
-
Depth 3: C:\Windows\regedit.exe
Command line: REGEDIT /S c:\setup\yh_8.reg
- Runs .reg file with regedit
-
Depth 3: C:\Windows\system32\reg.exe
Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScheduledDiagnostics" /v "EnabledExecution" /d 0 /t REG_DWORD /f
-
Depth 3: C:\Windows\system32\reg.exe
Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /d 0 /t REG_DWORD /f
-
Depth 3: C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"
-
Depth 3: C:\Windows\system32\reg.exe
Command line: reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /d 1 /t REG_dword /f
-
Depth 3: C:\Windows\system32\reg.exe
Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /d 1 /t REG_dword /f
-
Depth 3: C:\Windows\system32\reg.exe
Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /d 1 /t REG_DWORD /f
-
Depth 3: C:\Windows\system32\gpupdate.exe
Command line: gpupdate /force
-
Depth 2: C:\Windows\regedit.exe
Command line: regedit /s "C:\Windows\web\yh_8.REG"
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Registers COM server for autorun
- Allows Network login with blank passwords
- Adds Run key to start application
- Modifies File Icons
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies Shortcut Icons
- Modifies data under HKEY_USERS
- Modifies registry class
- Runs .reg file with regedit
-
Depth 2: C:\Windows\regedit.exe
Command line: regedit /s "C:\Windows\web\zjzl.reg"
- Runs .reg file with regedit
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c attrib +a +s +h +r "%programfiles%\Tencent\QDesk" >nul 2>nul
-
Depth 3: C:\Windows\system32\attrib.exe
Command line: attrib +a +s +h +r "C:\Program Files\Tencent\QDesk"
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c echo y|cacls "%programfiles%\Tencent\QDesk" /c /p everyone:n >nul 2>nul
-
Depth 3: C:\Windows\system32\cacls.exe
Command line: cacls "C:\Program Files\Tencent\QDesk" /c /p everyone:n
-
Depth 3: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c attrib +a +s +h +r "%programfiles%\QDesk" >nul 2>nul
-
Depth 3: C:\Windows\system32\attrib.exe
Command line: attrib +a +s +h +r "C:\Program Files\QDesk"
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c echo y|cacls "%programfiles%\QDesk" /c /p everyone:n >nul 2>nul
-
Depth 3: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
Depth 3: C:\Windows\system32\cacls.exe
Command line: cacls "C:\Program Files\QDesk" /c /p everyone:n
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c regsvr32 /u /s igfxpph.dll
-
Depth 3: C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /u /s igfxpph.dll
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
-
Depth 3: C:\Windows\system32\reg.exe
Command line: reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
- Modifies registry class
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
-
Depth 3: C:\Windows\system32\reg.exe
Command line: reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
- Modifies registry class
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f
-
Depth 3: C:\Windows\system32\reg.exe
Command line: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f
-
Depth 3: C:\Windows\system32\reg.exe
Command line: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c @echo off
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} [2 8 19] >regset.ini
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c regini regset.ini
-
Depth 3: C:\Windows\system32\regini.exe
Command line: regini regset.ini
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c @echo off
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} [2 8 19] >regset.ini
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c regini regset.ini
-
Depth 3: C:\Windows\system32\regini.exe
Command line: regini regset.ini
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c @echo off
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes [2 8 19] >regset.ini
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c regini regset.ini
-
Depth 3: C:\Windows\system32\regini.exe
Command line: regini regset.ini
- Modifies Internet Explorer settings
-
Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
-
Depth 2: C:\Windows\SYSTEM32\cmd.exe
Command line: cmd.exe /c ping -n 3 127.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe"
-
Depth 3: C:\Windows\system32\PING.EXE
Command line: ping -n 3 127.1
- Runs ping.exe
-
Depth 1: C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
Depth 1: C:\Windows\system32\notepad.exe
Command line: "notepad.exe" C:\Users\Admin\Desktop\UnprotectBlock.php
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Change Default File Association (1)
- Hidden Files and Directories (4)
- Registry Run Keys / Startup Folder (3)
- Modify Existing Service (2)
Defense Evasion
- Modify Registry (11)
- Hidden Files and Directories (4)
- Bypass User Account Control (1)
- Disabling Security Tools (2)
- Impair Defenses (1)
- File Permissions Modification (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\regset.ini
Filesize: 118B
MD5: 06697bf2f4f5395a9af659f50df00e3b
SHA1: 01925ffbeed3e54e134e1fafaef8ff640dda9107
SHA256: 8868e97e8dfbc08e681ab68b6b5b1a756cd352354d8ed6c5ce1cb6dee07e55f1
SHA512: 9c32faff9e7d4b0c82b92ea87c03cff3bd1548ea07728bb7c1fda828db6be857f4101c94e6cffd70f16e2d4fef93c641f4a7edb8cc62c1edda23b54218affd73
-
C:\Users\Admin\AppData\Local\Temp\regset.ini
Filesize: 118B
MD5: b141c6974c48fadca812a060e03f8200
SHA1: bfc010eeda61bd2bd6d3b7963570cbc7d7539037
SHA256: 68a17dd52a94c7807e46ec191f4481f330eba25303daba341316ac389c17282e
SHA512: 353288737aca756f1e78b7143711a87917509a3290bf62c789e4de03275b4684eff9027d5d668996b7bc47e3ae7d4f2fc85c523a16795b90a94a9f5d6ed8f138
-
C:\Users\Admin\AppData\Local\Temp\regset.ini
Filesize: 79B
MD5: 2c545704057f619fa7fb3f994862f181
SHA1: b820cf6d3e8cbc30ef87632370ed60ef4a5f0bbd
SHA256: 0a31ed19b74d461d0819477eb328af5f8ef3508974df347cf4304fa62977d1a0
SHA512: 5875c2626b6172d6059faa391efb4bfcd9c6c35ec15aa002becff0cef7f05b928f9690ed8edd19f790e056d8d19a3f5c7a5402213ae649577202a7f025388a84
-
C:\Windows\Web\yh_8.REG
Filesize: 50KB
MD5: 03adc949c5bc4ac78de28ce1a5d5ada3
SHA1: 371c497dc8b78fe472d1de552e2962ab112abea8
SHA256: 9cdff068d11e463a5ce25d761a2c6459b231109ae99c94e6ad8707c065d953ae
SHA512: 698ca9319b006228235dd7179d258ebdfcce2aaffeb2c07fa83308138570df0e948a97c98e663ea84dc542a21f7faf24b1a692dbce36e65fae8814e876108a89
-
C:\Windows\web\yh_8.cmd
Filesize: 1KB
MD5: 2cc1b20685beaa8050e9e2bc4ef5b1e6
SHA1: e225da2c7e04480d991a6d9eaf0179bc22700a97
SHA256: d61ae817aa4dd829984bbbbef9031ff08c9a726dc8038857a3ea2524b5b30d51
SHA512: 138b12358226d61d3736bd49ff80723ec86eeac386383b9cf0b68545072db7516309a2c7df5a0e966028cb25a701d66ccd068cfabb815e1dbe8d73ccc5c0259c
-
memory/316-199-0x0000000000000000-mapping.dmp
-
memory/316-162-0x0000000000000000-mapping.dmp
-
memory/504-179-0x0000000000000000-mapping.dmp
-
memory/608-165-0x0000000000000000-mapping.dmp
-
memory/720-194-0x0000000000000000-mapping.dmp
-
memory/888-133-0x0000000000000000-mapping.dmp
-
memory/1160-196-0x0000000000000000-mapping.dmp
-
memory/1264-134-0x0000000000000000-mapping.dmp
-
memory/1300-163-0x0000000000000000-mapping.dmp
-
memory/1336-155-0x0000000000000000-mapping.dmp
-
memory/1388-135-0x0000000000000000-mapping.dmp
-
memory/1412-195-0x0000000000000000-mapping.dmp
-
memory/1480-191-0x0000000000000000-mapping.dmp
-
memory/1512-193-0x0000000000000000-mapping.dmp
-
memory/1568-175-0x0000000000000000-mapping.dmp
-
memory/1644-150-0x0000000000000000-mapping.dmp
-
memory/1664-142-0x0000000000000000-mapping.dmp
-
memory/1748-164-0x0000000000000000-mapping.dmp
-
memory/1928-171-0x0000000000000000-mapping.dmp
-
memory/2172-176-0x0000000000000000-mapping.dmp
-
memory/2300-173-0x0000000000000000-mapping.dmp
-
memory/2308-180-0x0000000000000000-mapping.dmp
-
memory/2396-200-0x0000000000000000-mapping.dmp
-
memory/2420-161-0x0000000000000000-mapping.dmp
-
memory/2496-185-0x0000000000000000-mapping.dmp
-
memory/2840-158-0x0000000000000000-mapping.dmp
-
memory/3016-136-0x0000000000000000-mapping.dmp
-
memory/3060-181-0x0000000000000000-mapping.dmp
-
memory/3188-148-0x0000000000000000-mapping.dmp
-
memory/3316-178-0x0000000000000000-mapping.dmp
-
memory/3352-174-0x0000000000000000-mapping.dmp
-
memory/3364-159-0x0000000000000000-mapping.dmp
-
memory/3420-189-0x0000000000000000-mapping.dmp
-
memory/3472-198-0x0000000000000000-mapping.dmp
-
memory/3760-166-0x0000000000000000-mapping.dmp
-
memory/3820-145-0x0000000000000000-mapping.dmp
-
memory/3880-138-0x0000000000000000-mapping.dmp
-
memory/3924-182-0x0000000000000000-mapping.dmp
-
memory/3980-156-0x0000000000000000-mapping.dmp
-
memory/4064-147-0x0000000000000000-mapping.dmp
-
memory/4068-177-0x0000000000000000-mapping.dmp
-
memory/4156-144-0x0000000000000000-mapping.dmp
-
memory/4220-183-0x0000000000000000-mapping.dmp
-
memory/4284-154-0x0000000000000000-mapping.dmp
-
memory/4324-146-0x0000000000000000-mapping.dmp
-
memory/4356-184-0x0000000000000000-mapping.dmp
-
memory/4360-140-0x0000000000000000-mapping.dmp
-
memory/4384-149-0x0000000000000000-mapping.dmp
-
memory/4512-151-0x0000000000000000-mapping.dmp
-
memory/4556-153-0x0000000000000000-mapping.dmp
-
memory/4664-157-0x0000000000000000-mapping.dmp
-
memory/4708-132-0x0000000000000000-mapping.dmp
-
memory/4712-187-0x0000000000000000-mapping.dmp
-
memory/4728-143-0x0000000000000000-mapping.dmp
-
memory/4776-141-0x0000000000000000-mapping.dmp
-
memory/4788-188-0x0000000000000000-mapping.dmp
-
memory/4792-172-0x0000000000000000-mapping.dmp
-
memory/4836-152-0x0000000000000000-mapping.dmp
-
memory/4876-167-0x0000000000000000-mapping.dmp
-
memory/4988-168-0x00007FF75D060000-0x00007FF75D15A000-memory.dmp
Filesize: 1000KB
-
memory/4988-137-0x00007FF75D060000-0x00007FF75D15A000-memory.dmp
Filesize: 1000KB
-
memory/4988-203-0x00007FF75D060000-0x00007FF75D15A000-memory.dmp
Filesize: 1000KB
-
memory/5032-160-0x0000000000000000-mapping.dmp
-
memory/5048-192-0x0000000000000000-mapping.dmp
-
memory/5068-190-0x0000000000000000-mapping.dmp
-
memory/5084-169-0x0000000000000000-mapping.dmp
-
memory/5096-186-0x0000000000000000-mapping.dmp