7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6

Analysis

max time kernel
169s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6.exe
Size

592KB
MD5

95d09778f050d8bcc5805b4c56200d55
SHA1

8dac4eb7d51df65fd6ac81dd1e906c674b363d95
SHA256

7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6
SHA512

0c41173e611725249f611fb362668d5cc64cc4a24c3ff4d32fde88f9784896c449d1939a46c9b9fcd9365b8942085dc7f807392207c0da5ed45a8f69174a8d54
SSDEEP

12288:zK2mhAMJ/cPl+vnGEhP4ltXEv/lL6TC84wzFYA/dEJf8uYHIA8lsT:22O/Gl+vnbpIElL4NFYJp8uY7oS

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Executes dropped EXE 7 IoCs

pid	Process
780	tashfer.exe
2012	tashferkraw.exe
2692	explorerx.exe
4892	Server.exe
1036	explorer.exe
4012	explorer.exe
3272	Trojan.exe

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2976	netsh.exe
1668	netsh.exe
4948	netsh.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	tashfer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	tashferkraw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	explorerx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	explorer.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\94a40d183a1e5b33be1cb7d99b0c9e16.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\94a40d183a1e5b33be1cb7d99b0c9e16.exe	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\94a40d183a1e5b33be1cb7d99b0c9e16 = "\"C:\\ProgramData\\explorer.exe\" .."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\94a40d183a1e5b33be1cb7d99b0c9e16 = "\"C:\\ProgramData\\explorer.exe\" .."	explorer.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\ThreadingModel = "Both"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\CodeBase = "file:///C:/ProgramData/explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\ProgId\ = "?112?"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32\0.0.0.0\RuntimeVersion = "v2.0.50727"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\InprocServer32\ = "mscoree.dll"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32\0.0.0.0\Class = "?1?.?8?"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}\0 = ".NET Category"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\Implemented Categories	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\?112?\ = "?112?"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\?112?\CLSID\ = "{2BC307E3-AE2B-3074-862A-9A20FC57029E}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\?1?.?8?\CLSID\ = "{6DA50995-EE84-33F6-9976-DDD1B2245EBB}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32\Class = "?1?.?8?"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\0.0.0.0\Class = "?112?"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\?1?.?8?	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\ProgId\ = "?1?.?1?"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\0.0.0.0\CodeBase = "file:///C:/ProgramData/explorer.exe"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\?1?.?1?\CLSID	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32\ThreadingModel = "Both"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32\0.0.0.0\CodeBase = "file:///C:/ProgramData/explorer.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\?112?\CLSID	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\?1?.?1?	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32\ = "mscoree.dll"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\InprocServer32	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32\RuntimeVersion = "v2.0.50727"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\ = "mscoree.dll"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\ProgId	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\ProgId\ = "?1?.?8?"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\InprocServer32\Assembly = "uxhdlbrdhih, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\Class = "?112?"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\Implemented Categories	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\?1?.?8?\CLSID	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32\CodeBase = "file:///C:/ProgramData/explorer.exe"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\0.0.0.0	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\ = "?1?.?1?"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\InprocServer32\0.0.0.0\CodeBase = "file:///C:/ProgramData/explorer.exe"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\?1?.?8?\CLSID	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\Implemented Categories	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\?1?.?1?\ = "?1?.?1?"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\?1?.?1?\CLSID\ = "{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\RuntimeVersion = "v2.0.50727"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32\0.0.0.0\Assembly = "uxhdlbrdhih, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\ProgId	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\InprocServer32\0.0.0.0	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32\0.0.0.0\Assembly = "uxhdlbrdhih, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\?1?.?1?	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\InprocServer32	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\?1?.?1?\CLSID	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\Implemented Categories	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\Implemented Categories	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DA50995-EE84-33F6-9976-DDD1B2245EBB}\InprocServer32	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\ProgId	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\ProgId	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\ProgId	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF38DC92-8FAF-35BD-809A-0ACCE1D01D73}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BC307E3-AE2B-3074-862A-9A20FC57029E}\InprocServer32	explorer.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe
3272	Trojan.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	780	tashfer.exe
Token: SeRestorePrivilege	780	tashfer.exe
Token: SeDebugPrivilege	2012	tashferkraw.exe
Token: SeDebugPrivilege	3272	Trojan.exe
Token: SeDebugPrivilege	4012	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4012	explorer.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 780	2864	7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6.exe	79
PID 2864 wrote to memory of 780	2864	7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6.exe	79
PID 2864 wrote to memory of 780	2864	7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6.exe	79
PID 780 wrote to memory of 2012	780	tashfer.exe	80
PID 780 wrote to memory of 2012	780	tashfer.exe	80
PID 780 wrote to memory of 2012	780	tashfer.exe	80
PID 2012 wrote to memory of 2692	2012	tashferkraw.exe	89
PID 2012 wrote to memory of 2692	2012	tashferkraw.exe	89
PID 2012 wrote to memory of 4892	2012	tashferkraw.exe	90
PID 2012 wrote to memory of 4892	2012	tashferkraw.exe	90
PID 2012 wrote to memory of 4892	2012	tashferkraw.exe	90
PID 2692 wrote to memory of 1036	2692	explorerx.exe	91
PID 2692 wrote to memory of 1036	2692	explorerx.exe	91
PID 2692 wrote to memory of 1036	2692	explorerx.exe	91
PID 1036 wrote to memory of 4012	1036	explorer.exe	92
PID 1036 wrote to memory of 4012	1036	explorer.exe	92
PID 1036 wrote to memory of 4012	1036	explorer.exe	92
PID 4892 wrote to memory of 3272	4892	Server.exe	93
PID 4892 wrote to memory of 3272	4892	Server.exe	93
PID 4892 wrote to memory of 3272	4892	Server.exe	93
PID 4012 wrote to memory of 1668	4012	explorer.exe	95
PID 4012 wrote to memory of 1668	4012	explorer.exe	95
PID 4012 wrote to memory of 1668	4012	explorer.exe	95
PID 3272 wrote to memory of 2976	3272	Trojan.exe	94
PID 3272 wrote to memory of 2976	3272	Trojan.exe	94
PID 3272 wrote to memory of 2976	3272	Trojan.exe	94
PID 4012 wrote to memory of 4948	4012	explorer.exe	99
PID 4012 wrote to memory of 4948	4012	explorer.exe	99
PID 4012 wrote to memory of 4948	4012	explorer.exe	99
PID 4012 wrote to memory of 4480	4012	explorer.exe	102
PID 4012 wrote to memory of 4480	4012	explorer.exe	102
PID 4012 wrote to memory of 4480	4012	explorer.exe	102

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

C:\Users\Admin\AppData\Local\Temp\7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6.exe
"C:\Users\Admin\AppData\Local\Temp\7717ea363cdbc6b37caacdd8cdc3811ef1ff6d655d478f35660bb4d4cec630a6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\tashfer.exe
  "C:\Users\Admin\AppData\Local\Temp\tashfer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\tashferkraw.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\tashferkraw.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\explorerx.exe
      "C:\Users\Admin\AppData\Local\Temp\explorerx.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks computer location settings
        Checks whether UAC is enabled
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1036
      - C:\ProgramData\explorer.exe
        
        "C:\ProgramData\explorer.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks computer location settings
        Drops startup file
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4012
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\explorer.exe" "explorer.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:1668
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\SysWOW64\wscript.exe" "wscript.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:4948
        
        C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\SysWOW64\wscript.exe" "C:\ProgramData\explorer.vbe"
        7⤵
        
        PID:4480
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
        5⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3272
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:2976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\explorer.exe

Filesize
250KB

MD5
9c52b1d644fbd3d76716c9c3dee3d42c

SHA1
9a7e41669f88d46d2382116698da4faed9a83942

SHA256
dc6013f6a886595a5f3f12f978f968e19be14bac2cca587ad7b6c17aecc98091

SHA512
0c2d285040627284dca6ba45acf70d0a392e428770b2bc9e39ad1df06ba097dd7820626850fe4dcf6fcd8348bb840431716373b70d4221c5d9c0eab701bf6a43

Download Submit
C:\ProgramData\explorer.exe

Filesize
250KB

MD5
9c52b1d644fbd3d76716c9c3dee3d42c

SHA1
9a7e41669f88d46d2382116698da4faed9a83942

SHA256
dc6013f6a886595a5f3f12f978f968e19be14bac2cca587ad7b6c17aecc98091

SHA512
0c2d285040627284dca6ba45acf70d0a392e428770b2bc9e39ad1df06ba097dd7820626850fe4dcf6fcd8348bb840431716373b70d4221c5d9c0eab701bf6a43

Download Submit
C:\ProgramData\explorer.vbe

Filesize
54B

MD5
3e2daf38e0ae3e4cb752ba07e317ab8a

SHA1
403119ccb6060f1663057c0ee723d669090f227d

SHA256
368663c0c1ad3ea27349893d950a8f851260fd5cf5b8ad796f801afb513167e1

SHA512
284ba94b51771ffb8e1636e00968f8b5d217b5f6dc66ab2ed7c4394cf920f174a6cc5375da497270b13738f8a4efdc1f75a319dbc7dc7fd7850eb86ef937587b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tashferkraw.exe

Filesize
353KB

MD5
c3aa4d3d7ad17e5aa878b2843ba5b678

SHA1
b7dd472080977433b6c19f49ddc169015a9338ba

SHA256
ac46ac55dbff390438d38b766775cc6be7e24787c7a077037ed0e82d68f758bf

SHA512
d4dbc272d26fe07119df7bd3b25057bde1cd66c2208634040ba4ec454cb9a5c565a1006538790cf99f71853f4407b1fd5f395af3086ef2d466b3c64196f1eb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tashferkraw.exe

Filesize
353KB

MD5
c3aa4d3d7ad17e5aa878b2843ba5b678

SHA1
b7dd472080977433b6c19f49ddc169015a9338ba

SHA256
ac46ac55dbff390438d38b766775cc6be7e24787c7a077037ed0e82d68f758bf

SHA512
d4dbc272d26fe07119df7bd3b25057bde1cd66c2208634040ba4ec454cb9a5c565a1006538790cf99f71853f4407b1fd5f395af3086ef2d466b3c64196f1eb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
26KB

MD5
e75115f6d21f2e9fb32b99581fa78c72

SHA1
ced1632142bb27e10d711b788a042e4f0e76a0d7

SHA256
968d1be7df46e4859bf69f00d6f6c633cd8b8cd43ec3bdfd60c137868db8d24d

SHA512
4ec9f10bd07a92f261f1533234a7c34082656592bd8c5724faa6380055f67e8992a599fcb155522c8f1515f71e380756ccfc44889f44dcb819f9928d65f89171

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
26KB

MD5
e75115f6d21f2e9fb32b99581fa78c72

SHA1
ced1632142bb27e10d711b788a042e4f0e76a0d7

SHA256
968d1be7df46e4859bf69f00d6f6c633cd8b8cd43ec3bdfd60c137868db8d24d

SHA512
4ec9f10bd07a92f261f1533234a7c34082656592bd8c5724faa6380055f67e8992a599fcb155522c8f1515f71e380756ccfc44889f44dcb819f9928d65f89171

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
26KB

MD5
e75115f6d21f2e9fb32b99581fa78c72

SHA1
ced1632142bb27e10d711b788a042e4f0e76a0d7

SHA256
968d1be7df46e4859bf69f00d6f6c633cd8b8cd43ec3bdfd60c137868db8d24d

SHA512
4ec9f10bd07a92f261f1533234a7c34082656592bd8c5724faa6380055f67e8992a599fcb155522c8f1515f71e380756ccfc44889f44dcb819f9928d65f89171

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
26KB

MD5
e75115f6d21f2e9fb32b99581fa78c72

SHA1
ced1632142bb27e10d711b788a042e4f0e76a0d7

SHA256
968d1be7df46e4859bf69f00d6f6c633cd8b8cd43ec3bdfd60c137868db8d24d

SHA512
4ec9f10bd07a92f261f1533234a7c34082656592bd8c5724faa6380055f67e8992a599fcb155522c8f1515f71e380756ccfc44889f44dcb819f9928d65f89171

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
250KB

MD5
9c52b1d644fbd3d76716c9c3dee3d42c

SHA1
9a7e41669f88d46d2382116698da4faed9a83942

SHA256
dc6013f6a886595a5f3f12f978f968e19be14bac2cca587ad7b6c17aecc98091

SHA512
0c2d285040627284dca6ba45acf70d0a392e428770b2bc9e39ad1df06ba097dd7820626850fe4dcf6fcd8348bb840431716373b70d4221c5d9c0eab701bf6a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
250KB

MD5
9c52b1d644fbd3d76716c9c3dee3d42c

SHA1
9a7e41669f88d46d2382116698da4faed9a83942

SHA256
dc6013f6a886595a5f3f12f978f968e19be14bac2cca587ad7b6c17aecc98091

SHA512
0c2d285040627284dca6ba45acf70d0a392e428770b2bc9e39ad1df06ba097dd7820626850fe4dcf6fcd8348bb840431716373b70d4221c5d9c0eab701bf6a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorerx.exe

Filesize
268KB

MD5
96ceea2acd93638d4cec8c36508f922c

SHA1
451526952b16dc0ff2797b74fa58619b88b1db11

SHA256
08c952c3ba627104a0068d45d2f79cd9a2d91c199038d41080c8028548edb2b5

SHA512
76e124ab3249d49762b0ddc3e5d30aaa921ad76914716b1be9749628d16ef3a823ae305873813e11c6949b8c0ab6de59f9f675c3bcadaed87b559e532bcd18e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorerx.exe

Filesize
268KB

MD5
96ceea2acd93638d4cec8c36508f922c

SHA1
451526952b16dc0ff2797b74fa58619b88b1db11

SHA256
08c952c3ba627104a0068d45d2f79cd9a2d91c199038d41080c8028548edb2b5

SHA512
76e124ab3249d49762b0ddc3e5d30aaa921ad76914716b1be9749628d16ef3a823ae305873813e11c6949b8c0ab6de59f9f675c3bcadaed87b559e532bcd18e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tashfer.exe

Filesize
573KB

MD5
1fd3abc9e4234338b2a6b1ed301eb7de

SHA1
3057d24befa9d9408226f7ef16aeed3d935e5913

SHA256
87a7fa8dfd05f190e051f62c52005d14c4b4073f5ea7510d250dc8554955c28d

SHA512
d1c93ff0d9b2e5903f0606a276edd2d9d003ffb5771f15fd3953a016a6b8423631e39a1e6a932ac686b0300ace94697c3d2177e6fd57f8fb8f4459fb9dad662e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tashfer.exe

Filesize
573KB

MD5
1fd3abc9e4234338b2a6b1ed301eb7de

SHA1
3057d24befa9d9408226f7ef16aeed3d935e5913

SHA256
87a7fa8dfd05f190e051f62c52005d14c4b4073f5ea7510d250dc8554955c28d

SHA512
d1c93ff0d9b2e5903f0606a276edd2d9d003ffb5771f15fd3953a016a6b8423631e39a1e6a932ac686b0300ace94697c3d2177e6fd57f8fb8f4459fb9dad662e

Download Submit
memory/1036-281-0x0000000073250000-0x0000000073801000-memory.dmp

Filesize
5.7MB

Download
memory/1036-271-0x0000000073250000-0x0000000073801000-memory.dmp

Filesize
5.7MB

Download
memory/2012-192-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-142-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-168-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-170-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-172-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-174-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-176-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-178-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-180-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-182-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-184-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-186-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-188-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-190-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-194-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-196-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-198-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-201-0x0000000073250000-0x0000000073801000-memory.dmp

Filesize
5.7MB

Download
memory/2012-200-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-203-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-164-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-162-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-283-0x0000000073250000-0x0000000073801000-memory.dmp

Filesize
5.7MB

Download
memory/2012-160-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-140-0x0000000073250000-0x0000000073801000-memory.dmp

Filesize
5.7MB

Download
memory/2012-158-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-156-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-154-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-152-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-141-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-150-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-166-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-148-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-146-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2012-144-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/2864-133-0x00007FF810880000-0x00007FF8112B6000-memory.dmp

Filesize
10.2MB

Download
memory/3272-285-0x0000000073250000-0x0000000073801000-memory.dmp

Filesize
5.7MB

Download
memory/3272-289-0x0000000073250000-0x0000000073801000-memory.dmp

Filesize
5.7MB

Download
memory/4012-284-0x0000000073250000-0x0000000073801000-memory.dmp

Filesize
5.7MB

Download
memory/4012-288-0x0000000073250000-0x0000000073801000-memory.dmp

Filesize
5.7MB

Download
memory/4892-280-0x0000000073250000-0x0000000073801000-memory.dmp

Filesize
5.7MB

Download
memory/4892-270-0x0000000073250000-0x0000000073801000-memory.dmp

Filesize
5.7MB

Download