Analysis
max time kernel: 134s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-11-2022 10:29
Behavioral task: behavioral1
Sample: 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Resource: win7-20220812-en
General
Target: 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Size: 411KB
MD5: 31b407850c3c20bed39117100dbcc552
SHA1: 735a4acaf958402497b9e1b14ab3cb539e58889b
SHA256: 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085
SHA512: 40814a29407c8a1ebfac7774b7c8d3bac20702467b8d7dbab6a788a1eb6547cfcdb23cafe18d7a5c59466124ac6ccaa53283d521fac9982304f816e451f10b4f
SSDEEP: 6144:KFT2dcBdnKqcGmkKPEoqHsyXdmxl6rOEyli/YVelQF3xIcE4IvFOs8j6EWackv5K:KAEx4EoqHsQdmxl6zbr+F3KUfaMuwc
Malware Config
Signatures
Modifies system executable filetype association 2 TTPs 6 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "¹ÜÀíԱȡµÃËùÓÐȨ" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\NoWorkingDirectory | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | regedit.exe
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | regedit.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | regedit.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | regedit.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UacDisableNotify = "1" | regedit.exe
Modifies boot configuration data using bcdedit 2 IoCs
Processes:
pid | process
4840 | bcdedit.exe
4184 | bcdedit.exe
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OneDrive = "C:\\Windows\\setup\\State\\OneDrive.exe" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Disables taskbar notifications via registry modification
Modifies Windows Firewall 1 TTPs 1 IoCs
Possible privilege escalation attempt 3 IoCs
Processes:
pid | process
1960 | icacls.exe
2264 | takeown.exe
4580 | takeown.exe
Registers COM server for autorun 1 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32\ThreadingModel = "Apartment" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32 | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32\ = "C:\\Windows\\system32\\gameux.dll" | regedit.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
pid | process
4092 | attrib.exe
4288 | attrib.exe
Stops running service(s) 3 TTPs
Processes:
resource | yara_rule
behavioral2/memory/1444-136-0x00007FF76E660000-0x00007FF76E75A000-memory.dmp | upx
behavioral2/memory/1444-168-0x00007FF76E660000-0x00007FF76E75A000-memory.dmp | upx
behavioral2/memory/1444-203-0x00007FF76E660000-0x00007FF76E75A000-memory.dmp | upx
Allows Network login with blank passwords 1 TTPs 1 IoCs
Allows local user accounts with blank passwords to access device from the network.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "1" | regedit.exe
Modifies file permissions 1 TTPs 3 IoCs
Processes:
pid | process
4580 | takeown.exe
1960 | icacls.exe
2264 | takeown.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regedit.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\D: | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/1444-136-0x00007FF76E660000-0x00007FF76E75A000-memory.dmp | autoit_exe
behavioral2/memory/1444-168-0x00007FF76E660000-0x00007FF76E75A000-memory.dmp | autoit_exe
behavioral2/memory/1444-203-0x00007FF76E660000-0x00007FF76E75A000-memory.dmp | autoit_exe
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Tencent\QDesk | attrib.exe
File opened for modification | C:\Program Files\QDesk | attrib.exe
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\web\yh_8.cmd | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
File opened for modification | C:\Windows\web\yh_8.cmd | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
File created | C:\Windows\web\yh_8.REG | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
File opened for modification | C:\Windows\web\yh_8.REG | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Launches sc.exe 9 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
4088 | sc.exe
2172 | sc.exe
220 | sc.exe
4956 | sc.exe
4924 | sc.exe
5036 | sc.exe
4620 | sc.exe
228 | sc.exe
1240 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies File Icons 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\77 = "%systemroot%\\system32\\imageres.dll,197" | regedit.exe
Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | regedit.exe
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | regedit.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\LinksBandEnabled = "1" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconURL = "http://www.baidu.com/favicon.ico" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar\QuickComplete | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "0" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://bj1.api.bing.com/qsml.aspx?query={searchTerms}&src={referrer:source}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={Language}" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconURL = "http://www.baidu.com/favicon.ico" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\PopupsUseNewWindow = "2" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\Codepage = "65001" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\SearchScopes | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\Codepage = "65001" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Suggested Sites | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ShowSearchSuggestions = "1" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconURL = "http://www.baidu.com/favicon.ico" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION\iexplore.exe = "1" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://bj1.api.bing.com/qsml.aspx?query={searchTerms}&src={referrer:source}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={Language}" | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SortIndex = "1" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\DisplayName = "百度搜索" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "yes" | regedit.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff0000000000000000ffff0000ffff0000 | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Program Files\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\UseClearType = "yes" | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\RunOnceHasShown = "1" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | regedit.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\MINIE | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\CommandBarEnabled = "1" | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoUpdateCheck = "1" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\LinksFolderName = "Á´½Ó" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\DisplayName = "百度搜索" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{A481937F-4D99-4B11-86E6-5B0F1007C557}" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\SearchScopes | regini.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\QuickComplete\QuickComplete = "http://www.%s.com" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ShowSearchSuggestions = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SortIndex = "1" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\DisplayName = "°Ù¶ÈËÑË÷" | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "0" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SortIndex = "1" | regedit.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{A481937F-4D99-4B11-86E6-5B0F1007C557}" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "2" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\WarnOnClose = "0" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ = "Bing" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie=utf-8&from=ie8" | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ShowSearchSuggestions = "1" | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "1" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie=utf-8&from=ie8" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} | regini.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "yes" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\URL = "http://www.456020.com/s.php?wd={searchTerms}&ie=utf-8" | regedit.exe
Modifies Internet Explorer start page 1 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.cbala.com" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.cbala.com/" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.cbala.com/" | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\29 = "C:\\Windows\\Empty.ico,0" | regedit.exe
Modifies data under HKEY_USERS 6 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillAppTimeout = "1000" | regedit.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | regedit.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Link = 00000000 | regedit.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop | regedit.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" | regedit.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\HungAppTimeout = "500" | regedit.exe
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\NoAddOns\Command | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B} | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe,-32528" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InfoTip = "Play and Manage Games." | regedit.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\Sharing | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\NoAddOns\Command\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe about:NoAdd-ons" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\HideFolderVerbs | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\ = "Games Explorer" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\LocalizedString = "@%SystemRoot%\\system32\\shell32.dll,-30579" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Open\Command | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\Attributes = "48" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\HideAsDeletePerUser | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4035969101" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\ShellFolder\Attributes = "537919792" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\ShellFolder\Attributes = "537919792" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\LocalizedString = "@%SystemRoot%\\system32\\shell32.dll,-30579" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32\ThreadingModel = "Apartment" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52} | regedit.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Directory\Background\shellex\ContextMenuHandlers\ FileSyncEx | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Open\ = "´ò¿ªÖ÷Ò³(&H)" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Set | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\HideOnDesktopPerUser | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\DefaultIcon | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32 | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "¹ÜÀíԱȡµÃËùÓÐȨ" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32\ = "C:\\Windows\\syswow64\\gameux.dll" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32\ThreadingModel = "Apartment" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\WantsParseDisplayName | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Notepad | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Notepad\Command | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\ShellFolder | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\DefaultIcon\ = "C:\\Windows\\system32\\imageres.dll,-14" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\new\ = "{D969A300-E7FF-11d0-A93B-00A0C90F2719}" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ = "Internet Explorer" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Notepad\ = "ÓüÇʱ¾´ò¿ª¸ÃÎļþ" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52} | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\ = "Games Explorer" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\ | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Open | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Open\Command\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\ShellFolder | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\ShellFolder\ = "C:\\Windows\\system32\\ieframe.dll,-190" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\DefaultIcon | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32 | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\NoAddOns\ = "ÔÚûÓмÓÔØÏîµÄÇé¿öÏÂÆô¶¯(&N)" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B416D21B-3B22-B6D4-BBD3-BBD452DB3D5B}\Shell\Set\Command | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Notepad\Command\ = "notepad %1" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\NoWorkingDirectory | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32\ = "C:\\Windows\\system32\\gameux.dll" | regedit.exe
Runs .reg file with regedit 3 IoCs
Processes:
pid | process
1664 | regedit.exe
3632 | regedit.exe
2732 | regedit.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeTakeOwnershipPrivilege | 2264 | takeown.exe
Token: SeShutdownPrivilege | 4800 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4800 | powercfg.exe
Token: SeShutdownPrivilege | 4800 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4800 | powercfg.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1444 wrote to memory of 3084 | 1444 | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe | cmd.exe
PID 1444 wrote to memory of 3084 | 1444 | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe | cmd.exe
PID 3084 wrote to memory of 4580 | 3084 | cmd.exe | takeown.exe
PID 3084 wrote to memory of 4580 | 3084 | cmd.exe | takeown.exe
PID 3084 wrote to memory of 1960 | 3084 | cmd.exe | icacls.exe
PID 3084 wrote to memory of 1960 | 3084 | cmd.exe | icacls.exe
PID 1444 wrote to memory of 3672 | 1444 | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe | cmd.exe
PID 1444 wrote to memory of 3672 | 1444 | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe | cmd.exe
PID 3672 wrote to memory of 2264 | 3672 | cmd.exe | takeown.exe
PID 3672 wrote to memory of 2264 | 3672 | cmd.exe | takeown.exe
PID 1444 wrote to memory of 2632 | 1444 | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe | cmd.exe
PID 1444 wrote to memory of 2632 | 1444 | 2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe | cmd.exe
PID 2632 wrote to memory of 4500 | 2632 | cmd.exe | chkntfs.exe
PID 2632 wrote to memory of 4500 | 2632 | cmd.exe | chkntfs.exe
PID 2632 wrote to memory of 4840 | 2632 | cmd.exe | bcdedit.exe
PID 2632 wrote to memory of 4840 | 2632 | cmd.exe | bcdedit.exe
PID 2632 wrote to memory of 4800 | 2632 | cmd.exe | powercfg.exe
PID 2632 wrote to memory of 4800 | 2632 | cmd.exe | powercfg.exe
PID 2632 wrote to memory of 4768 | 2632 | cmd.exe | netsh.exe
PID 2632 wrote to memory of 4768 | 2632 | cmd.exe | netsh.exe
PID 2632 wrote to memory of 4184 | 2632 | cmd.exe | bcdedit.exe
PID 2632 wrote to memory of 4184 | 2632 | cmd.exe | bcdedit.exe
PID 2632 wrote to memory of 4088 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 4088 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 4620 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 4620 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 2172 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 2172 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 1860 | 2632 | cmd.exe | net.exe
PID 2632 wrote to memory of 1860 | 2632 | cmd.exe | net.exe
PID 1860 wrote to memory of 1848 | 1860 | net.exe | net1.exe
PID 1860 wrote to memory of 1848 | 1860 | net.exe | net1.exe
PID 2632 wrote to memory of 4388 | 2632 | cmd.exe | net.exe
PID 2632 wrote to memory of 4388 | 2632 | cmd.exe | net.exe
PID 4388 wrote to memory of 4212 | 4388 | net.exe | net1.exe
PID 4388 wrote to memory of 4212 | 4388 | net.exe | net1.exe
PID 2632 wrote to memory of 2680 | 2632 | cmd.exe | net.exe
PID 2632 wrote to memory of 2680 | 2632 | cmd.exe | net.exe
PID 2680 wrote to memory of 1204 | 2680 | net.exe | net1.exe
PID 2680 wrote to memory of 1204 | 2680 | net.exe | net1.exe
PID 2632 wrote to memory of 220 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 220 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 228 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 228 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 4956 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 4956 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 4924 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 4924 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 5036 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 5036 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 1240 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 1240 | 2632 | cmd.exe | sc.exe
PID 2632 wrote to memory of 2732 | 2632 | cmd.exe | regedit.exe
PID 2632 wrote to memory of 2732 | 2632 | cmd.exe | regedit.exe
PID 2632 wrote to memory of 3804 | 2632 | cmd.exe | reg.exe
PID 2632 wrote to memory of 3804 | 2632 | cmd.exe | reg.exe
PID 2632 wrote to memory of 3384 | 2632 | cmd.exe | reg.exe
PID 2632 wrote to memory of 3384 | 2632 | cmd.exe | reg.exe
PID 2632 wrote to memory of 1440 | 2632 | cmd.exe | schtasks.exe
PID 2632 wrote to memory of 1440 | 2632 | cmd.exe | schtasks.exe
PID 2632 wrote to memory of 3532 | 2632 | cmd.exe | reg.exe
PID 2632 wrote to memory of 3532 | 2632 | cmd.exe | reg.exe
PID 2632 wrote to memory of 3180 | 2632 | cmd.exe | reg.exe
PID 2632 wrote to memory of 3180 | 2632 | cmd.exe | reg.exe
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exe, attrib.exe
pid | process
4092 | attrib.exe
4288 | attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe (level 1)
"C:\Users\Admin\AppData\Local\Temp\2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe"
- Adds policy Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exe (level 3)
takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe (level 3)
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exe (level 3)
takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c C:\Windows"\web\yh_8.cmd"
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chkntfs.exe (level 3)
C:\Windows\system32\chkntfs /t:2
-
C:\Windows\system32\bcdedit.exe (level 3)
bcdedit /timeout 6
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\powercfg.exe (level 3)
powercfg -h off
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exe (level 3)
netsh advfirewall set allprofiles state off
- Modifies Windows Firewall
-
C:\Windows\system32\bcdedit.exe (level 3)
bcdedit /set {current} bootmenupolicy legacy
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\sc.exe (level 3)
sc config RemoteRegistry start= DISABLED
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
sc config WerSvc start= DISABLED
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
sc config W32Time start= DISABLED
- Launches sc.exe
-
C:\Windows\system32\net.exe (level 3)
net stop RemoteRegistry
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (level 4)
C:\Windows\system32\net1 stop RemoteRegistry
-
C:\Windows\system32\net.exe (level 3)
net stop WerSvc
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (level 4)
C:\Windows\system32\net1 stop WerSvc
-
C:\Windows\system32\net.exe (level 3)
net stop W32Time
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (level 4)
C:\Windows\system32\net1 stop W32Time
-
C:\Windows\system32\sc.exe (level 3)
sc stop WdiSystemHost
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
sc stop WdiServiceHost
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
sc stop DPS
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
sc config DPS start= disabled
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
sc config WdiServiceHost start= disabled
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
sc config WdiSystemHost start= disabled
- Launches sc.exe
-
C:\Windows\regedit.exe (level 3)
REGEDIT /S c:\setup\yh_8.reg
- Runs .reg file with regedit
-
C:\Windows\system32\reg.exe (level 3)
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScheduledDiagnostics" /v "EnabledExecution" /d 0 /t REG_DWORD /f
-
C:\Windows\system32\reg.exe (level 3)
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /d 0 /t REG_DWORD /f
-
C:\Windows\system32\schtasks.exe (level 3)
SCHTASKS /Change /DISABLE /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"
-
C:\Windows\system32\reg.exe (level 3)
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /d 1 /t REG_dword /f
-
C:\Windows\system32\reg.exe (level 3)
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /d 1 /t REG_dword /f
-
C:\Windows\system32\reg.exe (level 3)
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /d 1 /t REG_DWORD /f
-
C:\Windows\system32\gpupdate.exe (level 3)
gpupdate /force
-
C:\Windows\regedit.exe (level 2)
regedit /s "C:\Windows\web\yh_8.REG"
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Registers COM server for autorun
- Allows Network login with blank passwords
- Adds Run key to start application
- Modifies File Icons
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies Shortcut Icons
- Modifies data under HKEY_USERS
- Modifies registry class
- Runs .reg file with regedit
-
C:\Windows\regedit.exe (level 2)
regedit /s "C:\Windows\web\zjzl.reg"
- Runs .reg file with regedit
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c attrib +a +s +h +r "%programfiles%\Tencent\QDesk" >nul 2>nul
-
C:\Windows\system32\attrib.exe (level 3)
attrib +a +s +h +r "C:\Program Files\Tencent\QDesk"
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c echo y|cacls "%programfiles%\Tencent\QDesk" /c /p everyone:n >nul 2>nul
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
C:\Windows\system32\cacls.exe (level 3)
cacls "C:\Program Files\Tencent\QDesk" /c /p everyone:n
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c attrib +a +s +h +r "%programfiles%\QDesk" >nul 2>nul
-
C:\Windows\system32\attrib.exe (level 3)
attrib +a +s +h +r "C:\Program Files\QDesk"
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c echo y|cacls "%programfiles%\QDesk" /c /p everyone:n >nul 2>nul
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
C:\Windows\system32\cacls.exe (level 3)
cacls "C:\Program Files\QDesk" /c /p everyone:n
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c regsvr32 /u /s igfxpph.dll
-
C:\Windows\system32\regsvr32.exe (level 3)
regsvr32 /u /s igfxpph.dll
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
-
C:\Windows\system32\reg.exe (level 3)
reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
- Modifies registry class
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
-
C:\Windows\system32\reg.exe (level 3)
reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
- Modifies registry class
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f
-
C:\Windows\system32\reg.exe (level 3)
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f
-
C:\Windows\system32\reg.exe (level 3)
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c @echo off
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} [2 8 19] >regset.ini
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c regini regset.ini
-
C:\Windows\system32\regini.exe (level 3)
regini regset.ini
- Modifies Internet Explorer settings
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c @echo off
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} [2 8 19] >regset.ini
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c regini regset.ini
-
C:\Windows\system32\regini.exe (level 3)
regini regset.ini
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c @echo off
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes [2 8 19] >regset.ini
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c regini regset.ini
-
C:\Windows\system32\regini.exe (level 3)
regini regset.ini
- Modifies Internet Explorer settings
-
C:\Windows\system32\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
-
C:\Windows\SYSTEM32\cmd.exe (level 2)
cmd.exe /c ping -n 3 127.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2ef41f1f4332bf7cc069dab392e4f160b81cd8b7b5b3b4c68dc5a04e4518e085.exe"
-
C:\Windows\system32\PING.EXE (level 3)
ping -n 3 127.1
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
- Change Default File Association: 1
- Hidden Files and Directories: 4
- Registry Run Keys / Startup Folder: 3
- Modify Existing Service: 2
Defense Evasion
- Modify Registry: 11
- Hidden Files and Directories: 4
- Bypass User Account Control: 1
- Disabling Security Tools: 2
- Impair Defenses: 1
- File Permissions Modification: 1
Downloads
-
C:\Users\Admin\AppData\Local\Temp\regset.ini
Filesize 118B
MD5 06697bf2f4f5395a9af659f50df00e3b
SHA1 01925ffbeed3e54e134e1fafaef8ff640dda9107
SHA256 8868e97e8dfbc08e681ab68b6b5b1a756cd352354d8ed6c5ce1cb6dee07e55f1
SHA512 9c32faff9e7d4b0c82b92ea87c03cff3bd1548ea07728bb7c1fda828db6be857f4101c94e6cffd70f16e2d4fef93c641f4a7edb8cc62c1edda23b54218affd73
-
C:\Users\Admin\AppData\Local\Temp\regset.ini
Filesize 118B
MD5 b141c6974c48fadca812a060e03f8200
SHA1 bfc010eeda61bd2bd6d3b7963570cbc7d7539037
SHA256 68a17dd52a94c7807e46ec191f4481f330eba25303daba341316ac389c17282e
SHA512 353288737aca756f1e78b7143711a87917509a3290bf62c789e4de03275b4684eff9027d5d668996b7bc47e3ae7d4f2fc85c523a16795b90a94a9f5d6ed8f138
-
C:\Users\Admin\AppData\Local\Temp\regset.ini
Filesize 79B
MD5 2c545704057f619fa7fb3f994862f181
SHA1 b820cf6d3e8cbc30ef87632370ed60ef4a5f0bbd
SHA256 0a31ed19b74d461d0819477eb328af5f8ef3508974df347cf4304fa62977d1a0
SHA512 5875c2626b6172d6059faa391efb4bfcd9c6c35ec15aa002becff0cef7f05b928f9690ed8edd19f790e056d8d19a3f5c7a5402213ae649577202a7f025388a84
-
C:\Windows\Web\yh_8.REG
Filesize 50KB
MD5 03adc949c5bc4ac78de28ce1a5d5ada3
SHA1 371c497dc8b78fe472d1de552e2962ab112abea8
SHA256 9cdff068d11e463a5ce25d761a2c6459b231109ae99c94e6ad8707c065d953ae
SHA512 698ca9319b006228235dd7179d258ebdfcce2aaffeb2c07fa83308138570df0e948a97c98e663ea84dc542a21f7faf24b1a692dbce36e65fae8814e876108a89
-
C:\Windows\web\yh_8.cmd
Filesize 1KB
MD5 2cc1b20685beaa8050e9e2bc4ef5b1e6
SHA1 e225da2c7e04480d991a6d9eaf0179bc22700a97
SHA256 d61ae817aa4dd829984bbbbef9031ff08c9a726dc8038857a3ea2524b5b30d51
SHA512 138b12358226d61d3736bd49ff80723ec86eeac386383b9cf0b68545072db7516309a2c7df5a0e966028cb25a701d66ccd068cfabb815e1dbe8d73ccc5c0259c
-