Analysis
max time kernel: 43s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 12-11-2022 10:29
Behavioral task | Sample | Resource
behavioral1 | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe | win7-20220812-en
General
Target: 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Size: 411KB
MD5: 31b407850c3c20bed39117100dbcc552
SHA1: 735a4acaf958402497b9e1b14ab3cb539e58889b
SHA256: 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085
SHA512: 40814a29407c8a1ebfac7774b7c8d3bac20702467b8d7dbab6a788a1eb6547cfcdb23cafe18d7a5c59466124ac6ccaa53283d521fac9982304f816e451f10b4f
SSDEEP: 6144:KFT2dcBdnKqcGmkKPEoqHsyXdmxl6rOEyli/YVelQF3xIcE4IvFOs8j6EWackv5K:KAEx4EoqHsQdmxl6zbr+F3KUfaMuwc
Malware Config
Signatures
Modifies system executable filetype association (2 TTPs, 6 IoCs)
Adds a "runas2" verb to the exefile class. The verb label is stored in the GBK code page and is rendered by the sandbox as mojibake; it reads 管理员取得所有权, "administrator takes ownership". Its command runs takeown and icacls on the selected file, the same command the .reg file also registers for the "*" and "Directory" classes under "Modifies registry class" below.
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "管理员取得所有权" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\NoWorkingDirectory | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | regedit.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | regedit.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | regedit.exe
Modifies UAC consent prompt settings (3 IoCs)
ConsentPromptBehaviorAdmin = 0 combined with PromptOnSecureDesktop = 0 makes members of Administrators elevate with no prompt at all. EnableLUA stays at 1, so UAC is not switched off; it is made silent, which also avoids the reboot that disabling UAC would need.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | regedit.exe
Disables UAC change notifications in Security Center (1 IoC)
With UacDisableNotify = 1 the Action Center no longer warns that the UAC level above was lowered.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UacDisableNotify = "1" | regedit.exe
Modifies boot configuration data using bcdedit (2 IoCs)
Processes:
pid | process
1332 | bcdedit.exe
1848 | bcdedit.exe
Adds policy Run key to start application (2 TTPs, 2 IoCs)
The Run entry is named "OneDrive" but points at C:\Windows\setup\State\OneDrive.exe, a location the genuine OneDrive client does not use. That file is not among the dropped files listed in this report, so whether it was written during this run is not shown here.
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OneDrive = "C:\\Windows\\setup\\State\\OneDrive.exe" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Disables taskbar notifications via registry modification
Modifies Windows Firewall (1 TTP, 1 IoC)
Possible privilege escalation attempt (3 IoCs)
These takeown/icacls runs are not a user clicking the context-menu verb: per the WriteProcessMemory table below, cmd.exe 1416 and 1892, both spawned by the sample, launched takeown.exe 1740/1748 and icacls.exe 1708 directly.
Processes:
pid | process
1740 | takeown.exe
1708 | icacls.exe
1748 | takeown.exe
Registers COM server for autorun (1 TTP, 1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32 | regedit.exe
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
pid | process
108 | attrib.exe
892 | attrib.exe
Stops running service(s) (3 TTPs)
UPX packed file (2 IoCs)
Both memory dumps of the main process match the yara rule `upx`.
Processes:
resource | yara_rule
behavioral1/memory/1336-92-0x000000013F370000-0x000000013F46A000-memory.dmp | upx
behavioral1/memory/1336-130-0x000000013F370000-0x000000013F46A000-memory.dmp | upx
Allows Network login with blank passwords (1 TTP, 1 IoC)
Allows local user accounts with blank passwords to access the device from the network.
Caveat: the data actually written is 1, which is the Windows default that restricts blank-password accounts to console logon; 0 is the value that would permit network logon. Read this as a write to a sensitive LSA value by the .reg file, not as a confirmed weakening.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "1" | regedit.exe
Deletes itself (1 IoC)
Processes:
pid | process
1928 | cmd.exe
Modifies file permissions (1 TTP, 3 IoCs)
Processes:
pid | process
1708 | icacls.exe
1748 | takeown.exe
1740 | takeown.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Only the creation of the two Run keys is recorded; no Run value written by regedit.exe appears in this report.
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regedit.exe
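The registry rows in the signatures above (the exefile verb hijack, the Explorer and UAC settings, the LSA value and the two Run-key signatures) all share one row shape: an action, a key path, optionally " = data", and the process that performed the write. The following Python is an added example and not part of this report or of the sandbox's own signature engine. It parses rows of that shape into records and runs a small rule set over them; the rule names and the values they trigger on are the editor's, modelled on the signatures above, and the sample rows are constructed to match rows in this report. It accepts both the sandbox's raw single-line rows and the " | " column layout used here. Note the LimitBlankPasswordUse rule: it fires only on 0, so the value 1 recorded in this report is deliberately not flagged.

```python
"""Classify registry rows from a sandbox report.

Added example, not part of the report: the row format is the report's,
the rules and their trigger values are the editor's.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ROW_RE = re.compile(r'^(Set value \((\w+)\)|Key created|Key deleted) (\\REGISTRY\\.+)$')


@dataclass
class RegEvent:
    action: str            # "Set value", "Key created" or "Key deleted"
    kind: Optional[str]    # "int", "str", "data" for Set value rows, else None
    key: str               # key path, e.g. \REGISTRY\MACHINE\...\Policies\System
    value: Optional[str]   # value name; "(Default)" when the path ends in a backslash
    data: Optional[str]    # data as written, surrounding quotes removed
    process: str           # image that performed the write


def parse_event(line: str) -> Optional[RegEvent]:
    """Parse one row; accepts the raw single-line form and the ' | ' column form."""
    body, _, process = line.strip().replace(' | ', ' ').rpartition(' ')
    m = ROW_RE.match(body)
    if not m:
        return None
    action = m.group(1).split(' (')[0]
    if action != 'Set value':
        return RegEvent(action, None, m.group(3), None, None, process)
    path, sep, data = m.group(3).partition(' = ')
    key, _, value = path.rpartition('\\')          # a trailing "\" means the default value
    return RegEvent(action, m.group(2), key, value or '(Default)',
                    data.strip('"') if sep else '', process)


def _value_is(name: str, data: str) -> Callable[[RegEvent], bool]:
    return lambda e: e.action == 'Set value' and e.value == name and e.data == data


# Editor's rules. Each fires on the weakening value, not on any write to the name.
RULES: List[Tuple[str, Callable[[RegEvent], bool]]] = [
    ('UAC: administrators elevate without a prompt', _value_is('ConsentPromptBehaviorAdmin', '0')),
    ('UAC: prompt not shown on the secure desktop', _value_is('PromptOnSecureDesktop', '0')),
    ('UAC: Security Center stops reporting UAC changes', _value_is('UacDisableNotify', '1')),
    # 0 permits network logon with a blank password; 1 is the Windows default.
    ('LSA: blank-password accounts may log on over the network', _value_is('LimitBlankPasswordUse', '0')),
    ('Explorer: file extensions hidden', _value_is('HideFileExt', '1')),
    ('Explorer: protected system files hidden', _value_is('ShowSuperHidden', '0')),
    ('Shell verb hijack: context-menu command launches cmd.exe',
     lambda e: e.action == 'Set value' and '\\shell\\' in e.key.lower()
     and e.key.lower().endswith('\\command') and e.data.lower().startswith('cmd.exe')),
    ('Persistence: Policies\\Explorer\\Run entry',
     lambda e: e.action == 'Set value' and e.key.lower().endswith('\\policies\\explorer\\run')),
    ('Persistence: CurrentVersion\\Run key touched',
     lambda e: e.key.lower().endswith('\\currentversion\\run')),
]


def evaluate(lines) -> List[Tuple[str, RegEvent]]:
    """Return (rule name, event) for every rule that matches a parsed row."""
    findings: List[Tuple[str, RegEvent]] = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        findings.extend((name, event) for name, hit in RULES if hit(event))
    return findings


# Constructed sample rows, copied in shape from this report.
SID = r'\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000'
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" regedit.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" regedit.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" regedit.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UacDisableNotify = "1" regedit.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "1" regedit.exe',
    SID + r'\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" regedit.exe'.join(['Set value (int) ', '']),
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" regedit.exe',
    'Set value (str) ' + SID + r'\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OneDrive = "C:\\Windows\\setup\\State\\OneDrive.exe" 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run regedit.exe',
]
# Row 5 above is built from SID plus the tail; spelled out it is the HideFileExt row.
SAMPLE_ROWS[5] = 'Set value (int) ' + SID + r'\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" regedit.exe'

if __name__ == '__main__':
    for name, ev in evaluate(SAMPLE_ROWS):
        print(f'{name}: {ev.key}\\{ev.value} ({ev.process})')
```

Running it prints seven findings for the nine sample rows: EnableLUA = 1 and LimitBlankPasswordUse = 1 are parsed but match no rule, which is the point of keying rules on the weakening value rather than on the value name.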
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\D: | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral1/memory/1336-92-0x000000013F370000-0x000000013F46A000-memory.dmp | autoit_exe
behavioral1/memory/1336-130-0x000000013F370000-0x000000013F46A000-memory.dmp | autoit_exe
Drops file in Program Files directory (2 IoCs)
Despite the signature name, the two rows show attrib.exe opening existing directories for modification, i.e. changing their attributes, which fits "Sets file to hidden" above rather than a file drop.
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Tencent\QDesk | attrib.exe
File opened for modification | C:\Program Files\QDesk | attrib.exe
Drops file in Windows directory (4 IoCs)
The sample writes a batch file and a .reg file into C:\Windows\web; these are consistent with the three regedit.exe runs and the cmd.exe batch (pid 1876) that launches bcdedit, powercfg, netsh, sc and net in the process table below.
Processes:
description | ioc | process
File created | C:\Windows\web\yh_8.cmd | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
File opened for modification | C:\Windows\web\yh_8.cmd | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
File created | C:\Windows\web\yh_8.REG | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
File opened for modification | C:\Windows\web\yh_8.REG | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Launches sc.exe (9 IoCs)
sc.exe is the Windows utility that controls services on the system.
Processes:
pid | process
576 | sc.exe
756 | sc.exe
1064 | sc.exe
1920 | sc.exe
1908 | sc.exe
776 | sc.exe
1720 | sc.exe
1760 | sc.exe
1636 | sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Caveat: nothing else in this report supports a ransomware reading (no mass file writes or renames, no note dropped); the only drive access shown is the read-only open of \??\D: under "Enumerates connected drives".
Modifies File Icons (2 IoCs)
Shell Icons index 77 is the UAC shield overlay; remapping it changes which icon Explorer draws on programs that request elevation.
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\77 = "%systemroot%\\system32\\imageres.dll,197" | regedit.exe
Modifies Internet Explorer Protected Mode (1 TTP, 1 IoC)
Zone 3 is the Internet zone and action 2500 is "Turn on Protected Mode"; 3 disables it.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | regedit.exe
Modifies Internet Explorer Protected Mode Banner (1 TTP, 1 IoC)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | regedit.exe
Modifies Internet Explorer settings (64 IoCs)
Two search scopes are rewritten: {0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Bing, IE's built-in default) and {A481937F-4D99-4B11-86E6-5B0F1007C557}, displayed as 百度搜索 ("Baidu search"). The regedit.exe rows for that name come out as mojibake because the .reg file is in the GBK code page; the sample's own writes of the same name are shown correctly. The Baidu-labelled scope is made the DefaultScope and its SuggestionsURL_JSON does point at suggestion.baidu.com, but its search URL is http://www.456020.com/s.php?wd={searchTerms}&ie=utf-8, so queries go to a third-party redirector rather than to Baidu. Default_Page_URL is set to http://www.cbala.com (the start-page rows follow in the next signature). Download\RunInvalidSignatures = 1 lets IE run downloaded executables whose Authenticode signature fails validation, and the FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION feature-control key suppresses the IE11 end-of-support notice.
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\DisplayName = "百度搜索" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\Groups = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ShowSearchSuggestions = "1" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Program Files\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconPath = "C:\\Program Files\\Internet Explorer\\Services\\search_{A481937F-4D99-4B11-86E6-5B0F1007C557}.ico" | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "2" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = da4b9550aecdcb01 | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\Codepage = "65001" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SortIndex = "1" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie=utf-8&from=ie8" | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SortIndex = "1" | regedit.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\DisplayName = "百度搜索" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\ThumbnailBehavior = "1" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\ | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "yes" | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadUpdates = "1" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconPath = "C:\\Program Files\\Internet Explorer\\Services\\search_{A481937F-4D99-4B11-86E6-5B0F1007C557}.ico" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} | regini.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ = "Bing" | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\RunOnceHasShown = "1" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconURL = "http://www.baidu.com/favicon.ico" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Suggested Sites\Enabled = "0" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "0" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\DisplayName = "百度搜索" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\URL = "http://www.456020.com/s.php?wd={searchTerms}&ie=utf-8" | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "0" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://bj1.api.bing.com/qsml.aspx?query={searchTerms}&src={referrer:source}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={Language}" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Program Files\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\PopupsUseNewWindow = "2" | regedit.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{A481937F-4D99-4B11-86E6-5B0F1007C557}" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\Codepage = "65001" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes | regini.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\QuickComplete\QuickComplete = "http://www.%s.com" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "1" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ShowSearchSuggestions = "1" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | regini.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.cbala.com" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Suggested Sites | regedit.exe
Modifies Internet Explorer start page (1 TTP, 3 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.cbala.com" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.cbala.com/" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.cbala.com/" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Modifies shortcut overlay icon (1 IoC)
Shell Icons index 29 is the arrow overlay drawn on shortcuts; pointing it at an empty icon hides the arrow. C:\Windows\Empty.ico is not among the dropped files listed in this report.
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\29 = "C:\\Windows\\Empty.ico,0" | regedit.exe
Modifies data under HKEY_USERS (6 IoCs)
The .DEFAULT hive changes shorten shutdown (AutoEndTasks = 1, HungAppTimeout = 500 ms, WaitToKillAppTimeout = 1000 ms); Explorer\Link = 00000000 removes the shortcut-arrow overlay, matching the Shell Icons\29 change above.
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" | regedit.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\HungAppTimeout = "500" | regedit.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillAppTimeout = "1000" | regedit.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | regedit.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Link = 00000000 | regedit.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop | regedit.exe
Modifies registry class (64 IoCs)
Three context-menu verbs are registered with the same takeown/icacls command: *\shell\runas, Directory\shell\runas (recursive: takeown /r /d y and icacls /t) and exefile\shell\runas2, each labelled 管理员取得所有权 ("administrator takes ownership"; GBK, shown as mojibake in the raw report). {B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B} is not a Microsoft CLSID: the .reg file registers it as a shell folder named "Internet Explorer" with the iexplore.exe icon and the verbs 打开主页(&H) ("open home page"; its command value is not shown here), 属性(&R) ("properties", which runs inetcpl.cpl) and NoAddOns, i.e. a look-alike IE desktop icon to go with the start-page hijack above. {018D5C66-4533-4307-9B53-224DE2ED1FE6} is the OneDrive namespace folder. reg.exe deletes and recreates Directory\Background\shellex\ContextMenuHandlers, dropping the Groove, Gadgets and New handlers and re-adding only "new".
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "管理员取得所有权" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" | regedit.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\XXX Groove GFS Context Menu Handler XXX | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\DefaultIcon | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Open\Command | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Set\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\Attributes = "48" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Notepad\Command\ = "notepad %1" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Open | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\HideOnDesktopPerUser | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\ = "C:\\Windows\\system32\\ieframe.dll,-190" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\HideAsDeletePerUser | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\NoWorkingDirectory | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52} | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Set\Command | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe,-32528" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\NoAddOns\Command | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\ = "管理员取得所有权" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\ = "管理员取得所有权" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ = "Internet Explorer" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\NoAddOns\Command\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe about:NoAdd-ons" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Set\ = "属性(&R)" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\ | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4035969101" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32 | regedit.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\Gadgets | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\New | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\new | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\NoAddOns | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\DefaultIcon | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32 | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52} | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\ShellFolder | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\WantsParseDisplayName | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Open\ = "打开主页(&H)" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\HideFolderVerbs | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\ShellFolder | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\DefaultIcon | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B} | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\NoWorkingDirectory | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4035969101" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command | regedit.exe
Runs .reg file with regedit (3 IoCs)
Processes:
pid | process
472 | regedit.exe
1380 | regedit.exe
1728 | regedit.exe
Runs net.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
PID 2020 also appears as net1.exe in the WriteProcessMemory table below, so the PID was reused during the run; the two rows refer to different processes.
Processes:
pid | process
2020 | regsvr32.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
description | pid | process
Token: SeTakeOwnershipPrivilege | 1748 | takeown.exe
Token: SeShutdownPrivilege | 2032 | powercfg.exe
Token: SeShutdownPrivilege | 2032 | powercfg.exe
Token: SeShutdownPrivilege | 2032 | powercfg.exe
Token: SeShutdownPrivilege | 2032 | powercfg.exe
Token: SeShutdownPrivilege | 2032 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2032 | powercfg.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each spawn is logged three times (one row per WriteProcessMemory call made while the child is set up), so the 64 rows collapse to the 22 parent/child pairs below; the last pair shows a single write because the list stops at 64 rows. The sample starts three cmd.exe instances: 1416 (takeown, icacls) and 1892 (takeown) take ownership of files, and 1876 is the batch that runs chkntfs, bcdedit, powercfg, netsh, sc and net; only five of the nine sc.exe launches counted above fall before the cut-off.
Processes:
description | pid | process | target process | writes
PID 1336 wrote to memory of 1416 | 1336 | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe | cmd.exe | 3
PID 1416 wrote to memory of 1740 | 1416 | cmd.exe | takeown.exe | 3
PID 1416 wrote to memory of 1708 | 1416 | cmd.exe | icacls.exe | 3
PID 1336 wrote to memory of 1892 | 1336 | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe | cmd.exe | 3
PID 1892 wrote to memory of 1748 | 1892 | cmd.exe | takeown.exe | 3
PID 1336 wrote to memory of 1876 | 1336 | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe | cmd.exe | 3
PID 1876 wrote to memory of 944 | 1876 | cmd.exe | chkntfs.exe | 3
PID 1876 wrote to memory of 1332 | 1876 | cmd.exe | bcdedit.exe | 3
PID 1876 wrote to memory of 2032 | 1876 | cmd.exe | powercfg.exe | 3
PID 1876 wrote to memory of 812 | 1876 | cmd.exe | netsh.exe | 3
PID 1876 wrote to memory of 1848 | 1876 | cmd.exe | bcdedit.exe | 3
PID 1876 wrote to memory of 576 | 1876 | cmd.exe | sc.exe | 3
PID 1876 wrote to memory of 756 | 1876 | cmd.exe | sc.exe | 3
PID 1876 wrote to memory of 1064 | 1876 | cmd.exe | sc.exe | 3
PID 1876 wrote to memory of 432 | 1876 | cmd.exe | net.exe | 3
PID 432 wrote to memory of 1036 | 432 | net.exe | net1.exe | 3
PID 1876 wrote to memory of 820 | 1876 | cmd.exe | net.exe | 3
PID 820 wrote to memory of 788 | 820 | net.exe | net1.exe | 3
PID 1876 wrote to memory of 816 | 1876 | cmd.exe | net.exe | 3
PID 816 wrote to memory of 2020 | 816 | net.exe | net1.exe | 3
PID 1876 wrote to memory of 1760 | 1876 | cmd.exe | sc.exe | 3
PID 1876 wrote to memory of 1636 | 1876 | cmd.exe | sc.exe | 1 (list truncated at 64 rows)
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exe, attrib.exe
pid | process
108 | attrib.exe
892 | attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe (level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe"
- Adds policy Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe (level 3)
    command line: takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    - Possible privilege escalation attempt
    - Modifies file permissions

    C:\Windows\system32\icacls.exe (level 3)
    command line: icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe (level 3)
    command line: takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c C:\Windows"\web\yh_8.cmd"
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\chkntfs.exe (level 3)
    command line: C:\Windows\system32\chkntfs /t:2

    C:\Windows\system32\bcdedit.exe (level 3)
    command line: bcdedit /timeout 6
    - Modifies boot configuration data using bcdedit

    C:\Windows\system32\powercfg.exe (level 3)
    command line: powercfg -h off
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\netsh.exe (level 3)
    command line: netsh advfirewall set allprofiles state off
    - Modifies Windows Firewall

    C:\Windows\system32\bcdedit.exe (level 3)
    command line: bcdedit /set {current} bootmenupolicy legacy
    - Modifies boot configuration data using bcdedit

    C:\Windows\system32\sc.exe (level 3)
    command line: sc config RemoteRegistry start= DISABLED
    - Launches sc.exe

    C:\Windows\system32\sc.exe (level 3)
    command line: sc config WerSvc start= DISABLED
    - Launches sc.exe

    C:\Windows\system32\sc.exe (level 3)
    command line: sc config W32Time start= DISABLED
    - Launches sc.exe

    C:\Windows\system32\net.exe (level 3)
    command line: net stop RemoteRegistry
    - Suspicious use of WriteProcessMemory

      C:\Windows\system32\net1.exe (level 4)
      command line: C:\Windows\system32\net1 stop RemoteRegistry

    C:\Windows\system32\net.exe (level 3)
    command line: net stop WerSvc
    - Suspicious use of WriteProcessMemory

      C:\Windows\system32\net1.exe (level 4)
      command line: C:\Windows\system32\net1 stop WerSvc

    C:\Windows\system32\net.exe (level 3)
    command line: net stop W32Time
    - Suspicious use of WriteProcessMemory

      C:\Windows\system32\net1.exe (level 4)
      command line: C:\Windows\system32\net1 stop W32Time

    C:\Windows\system32\sc.exe (level 3)
    command line: sc stop WdiSystemHost
    - Launches sc.exe

    C:\Windows\system32\sc.exe (level 3)
    command line: sc config DPS start= disabled
    - Launches sc.exe

    C:\Windows\system32\sc.exe (level 3)
    command line: sc stop DPS
    - Launches sc.exe

    C:\Windows\system32\sc.exe (level 3)
    command line: sc stop WdiServiceHost
    - Launches sc.exe

    C:\Windows\system32\sc.exe (level 3)
    command line: sc config WdiServiceHost start= disabled
    - Launches sc.exe

    C:\Windows\system32\sc.exe (level 3)
    command line: sc config WdiSystemHost start= disabled
    - Launches sc.exe

    C:\Windows\regedit.exe (level 3)
    command line: REGEDIT /S c:\setup\yh_8.reg
    - Runs .reg file with regedit

    C:\Windows\system32\reg.exe (level 3)
    command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScheduledDiagnostics" /v "EnabledExecution" /d 0 /t REG_DWORD /f

    C:\Windows\system32\reg.exe (level 3)
    command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /d 0 /t REG_DWORD /f

    C:\Windows\system32\schtasks.exe (level 3)
    command line: SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"

    C:\Windows\system32\reg.exe (level 3)
    command line: reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /d 1 /t REG_dword /f

    C:\Windows\system32\reg.exe (level 3)
    command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /d 1 /t REG_dword /f

    C:\Windows\system32\reg.exe (level 3)
    command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /d 1 /t REG_DWORD /f

    C:\Windows\system32\gpupdate.exe (level 3)
    command line: gpupdate /force

  C:\Windows\regedit.exe (level 2)
  command line: regedit /s "C:\Windows\web\yh_8.REG"
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Windows security bypass
  - Registers COM server for autorun
  - Allows Network login with blank passwords
  - Adds Run key to start application
  - Modifies File Icons
  - Modifies Internet Explorer Protected Mode
  - Modifies Internet Explorer Protected Mode Banner
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies Shortcut Icons
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Runs .reg file with regedit

  C:\Windows\regedit.exe (level 2)
  command line: regedit /s "C:\Windows\web\zjzl.reg"
  - Runs .reg file with regedit

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c attrib +a +s +h +r "%programfiles%\Tencent\QDesk" >nul 2>nul

    C:\Windows\system32\attrib.exe (level 3)
    command line: attrib +a +s +h +r "C:\Program Files\Tencent\QDesk"
    - Sets file to hidden
    - Drops file in Program Files directory
    - Views/modifies file attributes

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c echo y|cacls "%programfiles%\Tencent\QDesk" /c /p everyone:n >nul 2>nul

    C:\Windows\system32\cmd.exe (level 3)
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"

    C:\Windows\system32\cacls.exe (level 3)
    command line: cacls "C:\Program Files\Tencent\QDesk" /c /p everyone:n

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c attrib +a +s +h +r "%programfiles%\QDesk" >nul 2>nul

    C:\Windows\system32\attrib.exe (level 3)
    command line: attrib +a +s +h +r "C:\Program Files\QDesk"
    - Sets file to hidden
    - Drops file in Program Files directory
    - Views/modifies file attributes

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c echo y|cacls "%programfiles%\QDesk" /c /p everyone:n >nul 2>nul

    C:\Windows\system32\cmd.exe (level 3)
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"

    C:\Windows\system32\cacls.exe (level 3)
    command line: cacls "C:\Program Files\QDesk" /c /p everyone:n

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c regsvr32 /u /s igfxpph.dll

    C:\Windows\system32\regsvr32.exe (level 3)
    command line: regsvr32 /u /s igfxpph.dll
    - Suspicious behavior: CmdExeWriteProcessMemorySpam

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f

    C:\Windows\system32\reg.exe (level 3)
    command line: reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
    - Modifies registry class

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}

    C:\Windows\system32\reg.exe (level 3)
    command line: reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
    - Modifies registry class

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f

    C:\Windows\system32\reg.exe (level 3)
    command line: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f

    C:\Windows\system32\reg.exe (level 3)
    command line: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c @echo off

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} [2 8 19] >regset.ini

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c regini regset.ini

    C:\Windows\system32\regini.exe (level 3)
    command line: regini regset.ini
    - Modifies Internet Explorer settings

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c @del /q /f regset.ini

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c @echo off

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} [2 8 19] >regset.ini

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c regini regset.ini

    C:\Windows\system32\regini.exe (level 3)
    command line: regini regset.ini
    - Modifies Internet Explorer settings

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c @del /q /f regset.ini

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c @echo off

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes [2 8 19] >regset.ini

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c regini regset.ini

    C:\Windows\system32\regini.exe (level 3)
    command line: regini regset.ini
    - Modifies Internet Explorer settings

  C:\Windows\system32\cmd.exe (level 2)
  command line: C:\Windows\system32\cmd.exe /c @del /q /f regset.ini

  C:\Windows\system32\cmd.exe (level 2)
  command line: cmd.exe /c ping -n 3 127.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe"
  - Deletes itself

    C:\Windows\system32\PING.EXE (level 3)
    command line: ping -n 3 127.1
    - Runs ping.exe
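The commands in the tree above form a recognisable defense-impairment sequence: ownership and ACL changes on both Startup folders, services disabled with sc and stopped with net, the firewall turned off with netsh, boot configuration changed with bcdedit, policy keys written with reg add, .reg files imported silently, and finally a ping-then-del self-deletion. The detection pass below is an added example written for this page; it is not part of the sandbox report and not code from the sample. It runs command-line rules over constructed process-creation events modelled on the report's command lines (pids follow the report where it gives them, the remaining pids and the file name sample.exe are invented) and groups hits by root ancestor, so that one parent tree spawning many impairment commands surfaces as a single chain. The rule names, regexes and the three-rule threshold are the example's own choices.

```python
"""Added example: command-line detection pass over process-creation events
for the defense-impairment chain in the process tree above (takeown/icacls
on Startup folders, sc/net service disabling, netsh firewall off, bcdedit,
WER/CEIP policy keys, silent .reg import, ping-then-del self-deletion)."""
import re
from collections import defaultdict

# Constructed sample events modelled on the report's command lines. Pids follow
# the report where it gives them; 900, 1500, 1900, 1950 and 2100 are invented.
EVENTS = [
    {"pid": 1336, "ppid": 900,  "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"pid": 1416, "ppid": 1336, "cmdline": r'C:\Windows\system32\cmd.exe /c takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t'},
    {"pid": 1740, "ppid": 1416, "cmdline": r'takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"'},
    {"pid": 1708, "ppid": 1416, "cmdline": r'icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t'},
    {"pid": 1876, "ppid": 1336, "cmdline": r'C:\Windows\system32\cmd.exe /c C:\Windows"\web\yh_8.cmd"'},
    {"pid": 812,  "ppid": 1876, "cmdline": r'netsh advfirewall set allprofiles state off'},
    {"pid": 1332, "ppid": 1876, "cmdline": r'bcdedit /timeout 6'},
    {"pid": 576,  "ppid": 1876, "cmdline": r'sc config RemoteRegistry start= DISABLED'},
    {"pid": 432,  "ppid": 1876, "cmdline": r'net stop RemoteRegistry'},
    {"pid": 1036, "ppid": 432,  "cmdline": r'C:\Windows\system32\net1 stop RemoteRegistry'},
    {"pid": 2032, "ppid": 1876, "cmdline": r'powercfg -h off'},
    {"pid": 1950, "ppid": 1876, "cmdline": r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /d 1 /t REG_dword /f'},
    {"pid": 1900, "ppid": 1876, "cmdline": r'REGEDIT /S c:\setup\yh_8.reg'},
    {"pid": 1500, "ppid": 1336, "cmdline": r'cmd.exe /c ping -n 3 127.1 & del /q "C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"pid": 2100, "ppid": 900,  "cmdline": r'C:\Windows\system32\cmd.exe /c sc query W32Time'},  # benign control, no rule fires
]

# Rules are matched against the normalised, lower-cased "<prog> <args>" form.
RULES = [
    ("autostart_acl_takeover", re.compile(r'^(takeown|icacls)\s.*\\start menu\\programs\\startup')),
    ("service_disabled",       re.compile(r'^sc\s+config\s+\S+\s+start=\s*disabled')),
    ("service_stopped",        re.compile(r'^(sc|net1?)\s+stop\s+\S+')),
    ("firewall_off",           re.compile(r'^netsh\s+advfirewall\s+set\s+\w+\s+state\s+off')),
    ("bcd_modified",           re.compile(r'^bcdedit\s+/(set|timeout)\b')),
    ("hibernation_off",        re.compile(r'^powercfg\s+-h\s+off')),
    ("silent_reg_import",      re.compile(r'^regedit\s+/s\s')),
    ("wer_or_ceip_disabled",   re.compile(r'^reg\s+add\s+"hk\w+\\software\\policies\\microsoft\\(windows\\windows error reporting|sqmclient\\windows)"')),
    ("self_delete",            re.compile(r'^ping\s+-n\s+\d+\s+\S+\s*&\s*del\s+/[qf]')),
]

_WRAPPER = re.compile(r'^/[ck]\s+', re.I)   # "cmd /c <inner>" or "cmd /k <inner>"


def split_cmdline(cmdline):
    """Return (program, args): program is the basename of the first token
    (quoted or bare), lower-cased, without a trailing .exe."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        first, rest = (s[1:end], s[end + 1:]) if end != -1 else (s[1:], "")
    else:
        parts = s.split(None, 1)
        first, rest = (parts[0] if parts else ""), (parts[1] if len(parts) > 1 else "")
    prog = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if prog.endswith(".exe"):
        prog = prog[:-4]
    return prog, rest.strip()


def normalize(cmdline):
    """Unwrap any "cmd /c" layers so the rules see the inner command, and
    return "<prog> <args>" lower-cased."""
    prog, args = split_cmdline(cmdline)
    while prog == "cmd" and _WRAPPER.match(args):
        prog, args = split_cmdline(_WRAPPER.sub("", args, count=1))
    return f"{prog} {args}".strip().lower()


def classify(cmdline):
    """Names of every rule that fires on one command line."""
    norm = normalize(cmdline)
    return [name for name, rx in RULES if rx.search(norm)]


def analyze(events, min_rules=3):
    """Run the rules over all events and report roots whose descendants
    triggered at least min_rules distinct rule types."""
    by_pid = {e["pid"]: e for e in events}

    def root_of(pid):
        while by_pid[pid]["ppid"] in by_pid:   # climb until the parent is outside the set
            pid = by_pid[pid]["ppid"]
        return pid

    findings, rules_per_root = [], defaultdict(set)
    for e in events:
        for rule in classify(e["cmdline"]):
            findings.append({"pid": e["pid"], "rule": rule, "cmdline": e["cmdline"]})
            rules_per_root[root_of(e["pid"])].add(rule)
    chains = {root: sorted(r) for root, r in rules_per_root.items() if len(r) >= min_rules}
    return {"findings": findings, "chains": chains}


if __name__ == "__main__":
    result = analyze(EVENTS)
    for f in result["findings"]:
        print(f'{f["pid"]:>5}  {f["rule"]:<24} {f["cmdline"][:70]}')
    for root, rules in result["chains"].items():
        print(f"root pid {root}: defense-impairment chain, {len(rules)} rule types: {', '.join(rules)}")
```

With real telemetry the same analyze() would take Sysmon event ID 1 or Security 4688 records carrying ProcessId, ParentProcessId and CommandLine. Unwrapping the cmd /c layer matters because the sample launches nearly everything through cmd.exe, so a rule anchored on the outer image would only ever see cmd; the benign sc query control stays silent, while the sample.exe tree trips all nine rule types.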
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Change Default File Association (1)
- Hidden Files and Directories (4)
- Registry Run Keys / Startup Folder (3)
- Modify Existing Service (2)
Defense Evasion
- Modify Registry (11)
- Hidden Files and Directories (4)
- Bypass User Account Control (1)
- Disabling Security Tools (2)
- Impair Defenses (1)
- File Permissions Modification (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\regset.ini
Filesize: 118B
MD5: 06697bf2f4f5395a9af659f50df00e3b
SHA1: 01925ffbeed3e54e134e1fafaef8ff640dda9107
SHA256: 8868e97e8dfbc08e681ab68b6b5b1a756cd352354d8ed6c5ce1cb6dee07e55f1
SHA512: 9c32faff9e7d4b0c82b92ea87c03cff3bd1548ea07728bb7c1fda828db6be857f4101c94e6cffd70f16e2d4fef93c641f4a7edb8cc62c1edda23b54218affd73
-
C:\Users\Admin\AppData\Local\Temp\regset.ini
Filesize: 118B
MD5: b141c6974c48fadca812a060e03f8200
SHA1: bfc010eeda61bd2bd6d3b7963570cbc7d7539037
SHA256: 68a17dd52a94c7807e46ec191f4481f330eba25303daba341316ac389c17282e
SHA512: 353288737aca756f1e78b7143711a87917509a3290bf62c789e4de03275b4684eff9027d5d668996b7bc47e3ae7d4f2fc85c523a16795b90a94a9f5d6ed8f138
-
C:\Users\Admin\AppData\Local\Temp\regset.ini
Filesize: 79B
MD5: 2c545704057f619fa7fb3f994862f181
SHA1: b820cf6d3e8cbc30ef87632370ed60ef4a5f0bbd
SHA256: 0a31ed19b74d461d0819477eb328af5f8ef3508974df347cf4304fa62977d1a0
SHA512: 5875c2626b6172d6059faa391efb4bfcd9c6c35ec15aa002becff0cef7f05b928f9690ed8edd19f790e056d8d19a3f5c7a5402213ae649577202a7f025388a84
-
C:\Windows\Web\yh_8.REG
Filesize: 50KB
MD5: 03adc949c5bc4ac78de28ce1a5d5ada3
SHA1: 371c497dc8b78fe472d1de552e2962ab112abea8
SHA256: 9cdff068d11e463a5ce25d761a2c6459b231109ae99c94e6ad8707c065d953ae
SHA512: 698ca9319b006228235dd7179d258ebdfcce2aaffeb2c07fa83308138570df0e948a97c98e663ea84dc542a21f7faf24b1a692dbce36e65fae8814e876108a89
-
C:\Windows\web\yh_8.cmd
Filesize: 1KB
MD5: 2cc1b20685beaa8050e9e2bc4ef5b1e6
SHA1: e225da2c7e04480d991a6d9eaf0179bc22700a97
SHA256: d61ae817aa4dd829984bbbbef9031ff08c9a726dc8038857a3ea2524b5b30d51
SHA512: 138b12358226d61d3736bd49ff80723ec86eeac386383b9cf0b68545072db7516309a2c7df5a0e966028cb25a701d66ccd068cfabb815e1dbe8d73ccc5c0259c
-
memory/108-99-0x0000000000000000-mapping.dmp
-
memory/268-123-0x0000000000000000-mapping.dmp
-
memory/432-71-0x0000000000000000-mapping.dmp
-
memory/472-83-0x0000000000000000-mapping.dmp
-
memory/560-91-0x0000000000000000-mapping.dmp
-
memory/564-106-0x0000000000000000-mapping.dmp
-
memory/576-68-0x0000000000000000-mapping.dmp
-
memory/588-120-0x0000000000000000-mapping.dmp
-
memory/684-115-0x0000000000000000-mapping.dmp
-
memory/744-127-0x0000000000000000-mapping.dmp
-
memory/756-69-0x0000000000000000-mapping.dmp
-
memory/776-81-0x0000000000000000-mapping.dmp
-
memory/788-74-0x0000000000000000-mapping.dmp
-
memory/812-65-0x0000000000000000-mapping.dmp
-
memory/816-75-0x0000000000000000-mapping.dmp
-
memory/820-73-0x0000000000000000-mapping.dmp
-
memory/884-98-0x0000000000000000-mapping.dmp
-
memory/892-104-0x0000000000000000-mapping.dmp
-
memory/944-62-0x0000000000000000-mapping.dmp
-
memory/984-103-0x0000000000000000-mapping.dmp
-
memory/1036-107-0x0000000000000000-mapping.dmp
-
memory/1036-72-0x0000000000000000-mapping.dmp
-
memory/1060-112-0x0000000000000000-mapping.dmp
-
memory/1064-70-0x0000000000000000-mapping.dmp
-
memory/1332-63-0x0000000000000000-mapping.dmp
-
memory/1336-92-0x000000013F370000-0x000000013F46A000-memory.dmp
Filesize: 1000KB
-
memory/1336-54-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp
Filesize: 8KB
-
memory/1336-130-0x000000013F370000-0x000000013F46A000-memory.dmp
Filesize: 1000KB
-
memory/1360-125-0x0000000000000000-mapping.dmp
-
memory/1380-93-0x0000000000000000-mapping.dmp
-
memory/1416-55-0x0000000000000000-mapping.dmp
-
memory/1488-90-0x0000000000000000-mapping.dmp
-
memory/1552-117-0x0000000000000000-mapping.dmp
-
memory/1552-85-0x0000000000000000-mapping.dmp
-
memory/1560-122-0x0000000000000000-mapping.dmp
-
memory/1568-105-0x0000000000000000-mapping.dmp
-
memory/1580-87-0x0000000000000000-mapping.dmp
-
memory/1632-86-0x0000000000000000-mapping.dmp
-
memory/1636-78-0x0000000000000000-mapping.dmp
-
memory/1688-108-0x0000000000000000-mapping.dmp
-
memory/1708-57-0x0000000000000000-mapping.dmp
-
memory/1716-121-0x0000000000000000-mapping.dmp
-
memory/1720-82-0x0000000000000000-mapping.dmp
-
memory/1728-96-0x0000000000000000-mapping.dmp
-
memory/1740-56-0x0000000000000000-mapping.dmp
-
memory/1740-126-0x0000000000000000-mapping.dmp
-
memory/1748-59-0x0000000000000000-mapping.dmp
-
memory/1756-114-0x0000000000000000-mapping.dmp
-
memory/1760-77-0x0000000000000000-mapping.dmp
-
memory/1764-102-0x0000000000000000-mapping.dmp
-
memory/1796-101-0x0000000000000000-mapping.dmp
-
memory/1804-100-0x0000000000000000-mapping.dmp
-
memory/1812-119-0x0000000000000000-mapping.dmp
-
memory/1812-88-0x0000000000000000-mapping.dmp
-
memory/1828-116-0x0000000000000000-mapping.dmp
-
memory/1840-118-0x0000000000000000-mapping.dmp
-
memory/1848-67-0x0000000000000000-mapping.dmp
-
memory/1852-111-0x0000000000000000-mapping.dmp
-
memory/1856-89-0x0000000000000000-mapping.dmp
-
memory/1876-60-0x0000000000000000-mapping.dmp
-
memory/1892-58-0x0000000000000000-mapping.dmp
-
memory/1896-113-0x0000000000000000-mapping.dmp
-
memory/1908-79-0x0000000000000000-mapping.dmp
-
memory/1920-80-0x0000000000000000-mapping.dmp
-
memory/2020-109-0x0000000000000000-mapping.dmp
-
memory/2020-76-0x0000000000000000-mapping.dmp
-
memory/2032-64-0x0000000000000000-mapping.dmp