9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf

Analysis

max time kernel
147s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe
Size

722KB
MD5

a7653be2c395c8919b16050ca4d2a735
SHA1

9599c03484f016971982ac4366c829a710bd8aa5
SHA256

9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf
SHA512

0293a2a1cbf46d6b991da259d7e2cbc130577d0f3a36f1be4389fbbb3c80597f38d713ad285b96a469d9836fb3a1df0b8a2eb7a911be6da767b3fd7fa35ca78a
SSDEEP

6144:Mc5DI5J2b4YX0ayv8a7JRpyG9AN2UeQY0yzcPSHpLUYQdeNgVmn/l4EI8XuGJHmj:x+mxDyv8GAoUegic8pLUYQANZ//eOGr

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\vbc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\chrome.exe = "C:\\Users\\Admin\\AppData\\Roaming\\chrome.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 3 IoCs

Processes:

mhzi.exechrome.exevbc.exe

pid process

1160 mhzi.exe
1716 chrome.exe
1860 vbc.exe

pid	process
1160	mhzi.exe
1716	chrome.exe
1860	vbc.exe

Loads dropped DLL 4 IoCs

Processes:

9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exechrome.exe

pid	process
1600	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe
1600	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe
1600	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe
1716	chrome.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Live = "C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe"	chrome.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exechrome.exe

description	pid	process	target process
PID 1600 set thread context of 1160	1600	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 1716 set thread context of 1860	1716	chrome.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068030082f269d04397d6b851ba7001f700000000020000000000106600000001000020000000c80d058c1421a0abaddde73dec23e01a38c91d4aae0a9f0270c14bffa4d0b4a9000000000e800000000200002000000077b250a6f6c27bd6f4f9fc785cbb1086681e2cdd03d829cfe10bdc0e8fb6c6f92000000069f1b16e0e419b956ac82c7b1449f98e8e77dca773ae88f9073e0bd3ae7b390640000000ea6c5bd9406e4c2c7a0a57ecf0258fb387af2893c431d2600b810cd8b078cf7c443704097fac898dc447034ea6382fdd7eafb49fe22cf3f27f85ccc4327b72b7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D8F72DC1-7302-11ED-B63A-76C12A601AFA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 603269b30f07d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068030082f269d04397d6b851ba7001f70000000002000000000010660000000100002000000063db0cebc3b220ca2f487798873ccbb252351fc841b6465d5d626c3943a8f556000000000e800000000200002000000093eb386a479153eab3dfdfe35de9cb4ef02886ef57a53ecbb47357bbab6477e790000000e991285d804392110fe2bdf8872d6efc03290e5a0538979b590a31b53780e4f2b15685f1993826fc6cdab7bfa113e0e5f5a3c4f82fe2010aa98f65491e4d83b0660f26cfde5163489eeec4a0a301b29346c67053366390fbc2dc38bc8eec03b7532d687c62aa7d740ae2a9dca72275cdf0f0c73eb962713d7f533772fec2a8a920438a1f0343de5021776a3ee8b03b384000000043c19d458534f945078bbdfdf34be720446b7a3dafa7f752c524d2fe42ab2110e679e5f292f588fbcd6a16b3bcb4e143ed22f7601bc2c2f8a355c7a3ef8beed0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376834134"	iexplore.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

1756 reg.exe
1280 reg.exe
280 reg.exe
1324 reg.exe

pid	process
1756	reg.exe
1280	reg.exe
280	reg.exe
1324	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

vbc.exe

description	pid	process
Token: 1	1860	vbc.exe
Token: SeCreateTokenPrivilege	1860	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1860	vbc.exe
Token: SeLockMemoryPrivilege	1860	vbc.exe
Token: SeIncreaseQuotaPrivilege	1860	vbc.exe
Token: SeMachineAccountPrivilege	1860	vbc.exe
Token: SeTcbPrivilege	1860	vbc.exe
Token: SeSecurityPrivilege	1860	vbc.exe
Token: SeTakeOwnershipPrivilege	1860	vbc.exe
Token: SeLoadDriverPrivilege	1860	vbc.exe
Token: SeSystemProfilePrivilege	1860	vbc.exe
Token: SeSystemtimePrivilege	1860	vbc.exe
Token: SeProfSingleProcessPrivilege	1860	vbc.exe
Token: SeIncBasePriorityPrivilege	1860	vbc.exe
Token: SeCreatePagefilePrivilege	1860	vbc.exe
Token: SeCreatePermanentPrivilege	1860	vbc.exe
Token: SeBackupPrivilege	1860	vbc.exe
Token: SeRestorePrivilege	1860	vbc.exe
Token: SeShutdownPrivilege	1860	vbc.exe
Token: SeDebugPrivilege	1860	vbc.exe
Token: SeAuditPrivilege	1860	vbc.exe
Token: SeSystemEnvironmentPrivilege	1860	vbc.exe
Token: SeChangeNotifyPrivilege	1860	vbc.exe
Token: SeRemoteShutdownPrivilege	1860	vbc.exe
Token: SeUndockPrivilege	1860	vbc.exe
Token: SeSyncAgentPrivilege	1860	vbc.exe
Token: SeEnableDelegationPrivilege	1860	vbc.exe
Token: SeManageVolumePrivilege	1860	vbc.exe
Token: SeImpersonatePrivilege	1860	vbc.exe
Token: SeCreateGlobalPrivilege	1860	vbc.exe
Token: 31	1860	vbc.exe
Token: 32	1860	vbc.exe
Token: 33	1860	vbc.exe
Token: 34	1860	vbc.exe
Token: 35	1860	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1596 iexplore.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

iexplore.exeIEXPLORE.EXEvbc.exe

pid	process
1596	iexplore.exe
1596	iexplore.exe
1684	IEXPLORE.EXE
1684	IEXPLORE.EXE
1684	IEXPLORE.EXE
1684	IEXPLORE.EXE
1860	vbc.exe
1860	vbc.exe
1860	vbc.exe
1860	vbc.exe
1860	vbc.exe
1860	vbc.exe
1860	vbc.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exemhzi.exeiexplore.exechrome.exevbc.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1600 wrote to memory of 1160	1600	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 1600 wrote to memory of 1160	1600	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 1600 wrote to memory of 1160	1600	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 1600 wrote to memory of 1160	1600	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 1600 wrote to memory of 1160	1600	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 1600 wrote to memory of 1160	1600	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 1600 wrote to memory of 1160	1600	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 1600 wrote to memory of 1160	1600	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 1600 wrote to memory of 1160	1600	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	mhzi.exe
PID 1600 wrote to memory of 1716	1600	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	chrome.exe
PID 1600 wrote to memory of 1716	1600	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	chrome.exe
PID 1600 wrote to memory of 1716	1600	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	chrome.exe
PID 1600 wrote to memory of 1716	1600	9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe	chrome.exe
PID 1160 wrote to memory of 1596	1160	mhzi.exe	iexplore.exe
PID 1160 wrote to memory of 1596	1160	mhzi.exe	iexplore.exe
PID 1160 wrote to memory of 1596	1160	mhzi.exe	iexplore.exe
PID 1160 wrote to memory of 1596	1160	mhzi.exe	iexplore.exe
PID 1596 wrote to memory of 1684	1596	iexplore.exe	IEXPLORE.EXE
PID 1596 wrote to memory of 1684	1596	iexplore.exe	IEXPLORE.EXE
PID 1596 wrote to memory of 1684	1596	iexplore.exe	IEXPLORE.EXE
PID 1596 wrote to memory of 1684	1596	iexplore.exe	IEXPLORE.EXE
PID 1716 wrote to memory of 1860	1716	chrome.exe	vbc.exe
PID 1716 wrote to memory of 1860	1716	chrome.exe	vbc.exe
PID 1716 wrote to memory of 1860	1716	chrome.exe	vbc.exe
PID 1716 wrote to memory of 1860	1716	chrome.exe	vbc.exe
PID 1716 wrote to memory of 1860	1716	chrome.exe	vbc.exe
PID 1716 wrote to memory of 1860	1716	chrome.exe	vbc.exe
PID 1716 wrote to memory of 1860	1716	chrome.exe	vbc.exe
PID 1716 wrote to memory of 1860	1716	chrome.exe	vbc.exe
PID 1860 wrote to memory of 1928	1860	vbc.exe	cmd.exe
PID 1860 wrote to memory of 1928	1860	vbc.exe	cmd.exe
PID 1860 wrote to memory of 1928	1860	vbc.exe	cmd.exe
PID 1860 wrote to memory of 1928	1860	vbc.exe	cmd.exe
PID 1860 wrote to memory of 1616	1860	vbc.exe	cmd.exe
PID 1860 wrote to memory of 1616	1860	vbc.exe	cmd.exe
PID 1860 wrote to memory of 1616	1860	vbc.exe	cmd.exe
PID 1860 wrote to memory of 1616	1860	vbc.exe	cmd.exe
PID 1860 wrote to memory of 1420	1860	vbc.exe	cmd.exe
PID 1860 wrote to memory of 1420	1860	vbc.exe	cmd.exe
PID 1860 wrote to memory of 1420	1860	vbc.exe	cmd.exe
PID 1860 wrote to memory of 1420	1860	vbc.exe	cmd.exe
PID 1860 wrote to memory of 276	1860	vbc.exe	cmd.exe
PID 1860 wrote to memory of 276	1860	vbc.exe	cmd.exe
PID 1860 wrote to memory of 276	1860	vbc.exe	cmd.exe
PID 1860 wrote to memory of 276	1860	vbc.exe	cmd.exe
PID 1616 wrote to memory of 1280	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 1280	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 1280	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 1280	1616	cmd.exe	reg.exe
PID 1420 wrote to memory of 1756	1420	cmd.exe	reg.exe
PID 1420 wrote to memory of 1756	1420	cmd.exe	reg.exe
PID 1420 wrote to memory of 1756	1420	cmd.exe	reg.exe
PID 1420 wrote to memory of 1756	1420	cmd.exe	reg.exe
PID 276 wrote to memory of 1324	276	cmd.exe	reg.exe
PID 276 wrote to memory of 1324	276	cmd.exe	reg.exe
PID 276 wrote to memory of 1324	276	cmd.exe	reg.exe
PID 276 wrote to memory of 1324	276	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe
"C:\Users\Admin\AppData\Local\Temp\9de95b403fb8dc4144f097ff36617164388af2134867a13edf738771436f84bf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\mhzi.exe
C:\Users\Admin\AppData\Local\Temp\\mhzi.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mhzi.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1596

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1684

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\vbc.exe
C:\Users\Admin\AppData\Local\Temp\\vbc.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:280

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\vbc.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\vbc.exe:*:Enabled:Windows Messanger" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\vbc.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\vbc.exe:*:Enabled:Windows Messanger" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:1280

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\chrome.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\chrome.exe:*:Enabled:Windows Messanger" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\chrome.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\chrome.exe:*:Enabled:Windows Messanger" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
245KB

MD5
ac6cd9f9612a853ee5b8bed06976c87f

SHA1
5df9942ab8c5dd06990bf356ed9c16f5d8c92f62

SHA256
fd16e2fe6e9886afa396baf17154cd2e2cc3ea6ac310edb82cd883ac469a8655

SHA512
0729294bfab8ab817363633b910ac39a8d867c9edfdc2da00bc07edd1ad9a74e79c6291fddf96cf437f3611225d20fc111b4b3755df24c2f86a71228374fac46

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
245KB

MD5
ac6cd9f9612a853ee5b8bed06976c87f

SHA1
5df9942ab8c5dd06990bf356ed9c16f5d8c92f62

SHA256
fd16e2fe6e9886afa396baf17154cd2e2cc3ea6ac310edb82cd883ac469a8655

SHA512
0729294bfab8ab817363633b910ac39a8d867c9edfdc2da00bc07edd1ad9a74e79c6291fddf96cf437f3611225d20fc111b4b3755df24c2f86a71228374fac46

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhzi.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhzi.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\INV4BB9G.txt

Filesize
539B

MD5
1bddcd57a6cad7e7155bbbf0c31ac346

SHA1
628792a7660866e22ca825e1923deb643acd5b69

SHA256
4351b25dd138dc0dd137796955c43151e8430aa27268e88d8cc4a90b5f7500c6

SHA512
52adbb396ba75c92877daf1dce7dce3ef4c1f0d90efac9f5b2f21f4a6ca7b1282990cbbb88b536e0e97bc1dd8f138a0157e5cb9a17dbd2888f3a5b7beaeecd41

Download Submit
\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
245KB

MD5
ac6cd9f9612a853ee5b8bed06976c87f

SHA1
5df9942ab8c5dd06990bf356ed9c16f5d8c92f62

SHA256
fd16e2fe6e9886afa396baf17154cd2e2cc3ea6ac310edb82cd883ac469a8655

SHA512
0729294bfab8ab817363633b910ac39a8d867c9edfdc2da00bc07edd1ad9a74e79c6291fddf96cf437f3611225d20fc111b4b3755df24c2f86a71228374fac46

Download Submit
\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
245KB

MD5
ac6cd9f9612a853ee5b8bed06976c87f

SHA1
5df9942ab8c5dd06990bf356ed9c16f5d8c92f62

SHA256
fd16e2fe6e9886afa396baf17154cd2e2cc3ea6ac310edb82cd883ac469a8655

SHA512
0729294bfab8ab817363633b910ac39a8d867c9edfdc2da00bc07edd1ad9a74e79c6291fddf96cf437f3611225d20fc111b4b3755df24c2f86a71228374fac46

Download Submit
\Users\Admin\AppData\Local\Temp\mhzi.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/276-99-0x0000000000000000-mapping.dmp

Download
memory/1160-69-0x0000000000402000-0x000000000040F600-memory.dmp

Filesize
53KB

Download
memory/1160-58-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1160-59-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1160-63-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1160-65-0x000000000040F59E-mapping.dmp

Download
memory/1160-64-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1160-68-0x0000000000402000-0x000000000040F600-memory.dmp

Filesize
53KB

Download
memory/1160-61-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1280-100-0x0000000000000000-mapping.dmp

Download
memory/1324-102-0x0000000000000000-mapping.dmp

Download
memory/1420-98-0x0000000000000000-mapping.dmp

Download
memory/1600-56-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1600-77-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1600-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1600-55-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1616-97-0x0000000000000000-mapping.dmp

Download
memory/1716-80-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1716-73-0x0000000000000000-mapping.dmp

Download
memory/1716-90-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1716-78-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-101-0x0000000000000000-mapping.dmp

Download
memory/1860-85-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1860-82-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1860-83-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1860-87-0x00000000004013D8-mapping.dmp

Download
memory/1860-103-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1860-86-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1928-96-0x0000000000000000-mapping.dmp

Download