c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
Size

68KB
MD5

f2cf3c7dc180d86be4631f20336c156f
SHA1

41fb4a5b4da1c04a0d3df1aa4fbd58f262e2f6d5
SHA256

c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485
SHA512

97943c17613191be5e3332b613cb2eda7ccc9f0b9d1bf9b27a6c205bc4b4ac32dd52383a189dc9e367e3a6cc2e335f3fdb2db80053e89b1d4ad7ccbdedb02f00
SSDEEP

1536:p1xXPTuoGIBhnKs8aY6y6iuYQSewnnvxiBoKB62vNTVYfZIe:9+aY4ge2xuqkNpA

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 2 IoCs

pid	Process
1752	R4OIF.exe
1852	R4OIF.exe

Loads dropped DLL 3 IoCs

pid	Process
1388	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
1388	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
1388	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\EQLB39A99NW.bat	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
File created	C:\Program Files\MIC95X\CMDNS6.exe	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
File created	C:\Program Files\Q6VRHPFYA3.bat	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
File created	C:\Program Files\YEIXH\MIC95X.exe	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
File opened for modification	C:\Program Files\YEIXH\MIC95X.exe	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
File created	C:\Program Files\R4OIF.exe	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\IR5PXJERIQ.exe	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
File created	C:\Windows\WUJVDP.log	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
File created	C:\Windows\V01GGXYAVK.exe	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1436	sc.exe
240	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID\ = "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language Encoding"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\PROGID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\SCRIPTHOSTENCODE	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID	regsvr32.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1944	reg.exe
908	reg.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1388	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
1388	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
1388	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
1388	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
1388	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
1752	R4OIF.exe
1752	R4OIF.exe
1752	R4OIF.exe
1852	R4OIF.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1552	1388	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	27
PID 1388 wrote to memory of 1552	1388	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	27
PID 1388 wrote to memory of 1552	1388	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	27
PID 1388 wrote to memory of 1552	1388	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	27
PID 1552 wrote to memory of 1436	1552	cmd.exe	29
PID 1552 wrote to memory of 1436	1552	cmd.exe	29
PID 1552 wrote to memory of 1436	1552	cmd.exe	29
PID 1552 wrote to memory of 1436	1552	cmd.exe	29
PID 1552 wrote to memory of 1344	1552	cmd.exe	30
PID 1552 wrote to memory of 1344	1552	cmd.exe	30
PID 1552 wrote to memory of 1344	1552	cmd.exe	30
PID 1552 wrote to memory of 1344	1552	cmd.exe	30
PID 1552 wrote to memory of 1344	1552	cmd.exe	30
PID 1552 wrote to memory of 1344	1552	cmd.exe	30
PID 1552 wrote to memory of 1344	1552	cmd.exe	30
PID 1552 wrote to memory of 1340	1552	cmd.exe	31
PID 1552 wrote to memory of 1340	1552	cmd.exe	31
PID 1552 wrote to memory of 1340	1552	cmd.exe	31
PID 1552 wrote to memory of 1340	1552	cmd.exe	31
PID 1552 wrote to memory of 1340	1552	cmd.exe	31
PID 1552 wrote to memory of 1340	1552	cmd.exe	31
PID 1552 wrote to memory of 1340	1552	cmd.exe	31
PID 1552 wrote to memory of 1200	1552	cmd.exe	32
PID 1552 wrote to memory of 1200	1552	cmd.exe	32
PID 1552 wrote to memory of 1200	1552	cmd.exe	32
PID 1552 wrote to memory of 1200	1552	cmd.exe	32
PID 1552 wrote to memory of 1200	1552	cmd.exe	32
PID 1552 wrote to memory of 1200	1552	cmd.exe	32
PID 1552 wrote to memory of 1200	1552	cmd.exe	32
PID 1552 wrote to memory of 1960	1552	cmd.exe	33
PID 1552 wrote to memory of 1960	1552	cmd.exe	33
PID 1552 wrote to memory of 1960	1552	cmd.exe	33
PID 1552 wrote to memory of 1960	1552	cmd.exe	33
PID 1552 wrote to memory of 1960	1552	cmd.exe	33
PID 1552 wrote to memory of 1960	1552	cmd.exe	33
PID 1552 wrote to memory of 1960	1552	cmd.exe	33
PID 1552 wrote to memory of 2044	1552	cmd.exe	34
PID 1552 wrote to memory of 2044	1552	cmd.exe	34
PID 1552 wrote to memory of 2044	1552	cmd.exe	34
PID 1552 wrote to memory of 2044	1552	cmd.exe	34
PID 1552 wrote to memory of 2044	1552	cmd.exe	34
PID 1552 wrote to memory of 2044	1552	cmd.exe	34
PID 1552 wrote to memory of 2044	1552	cmd.exe	34
PID 1552 wrote to memory of 1640	1552	cmd.exe	35
PID 1552 wrote to memory of 1640	1552	cmd.exe	35
PID 1552 wrote to memory of 1640	1552	cmd.exe	35
PID 1552 wrote to memory of 1640	1552	cmd.exe	35
PID 1552 wrote to memory of 636	1552	cmd.exe	36
PID 1552 wrote to memory of 636	1552	cmd.exe	36
PID 1552 wrote to memory of 636	1552	cmd.exe	36
PID 1552 wrote to memory of 636	1552	cmd.exe	36
PID 1388 wrote to memory of 1752	1388	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	37
PID 1388 wrote to memory of 1752	1388	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	37
PID 1388 wrote to memory of 1752	1388	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	37
PID 1388 wrote to memory of 1752	1388	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	37
PID 1552 wrote to memory of 548	1552	cmd.exe	38
PID 1552 wrote to memory of 548	1552	cmd.exe	38
PID 1552 wrote to memory of 548	1552	cmd.exe	38
PID 1552 wrote to memory of 548	1552	cmd.exe	38
PID 1552 wrote to memory of 1384	1552	cmd.exe	39
PID 1552 wrote to memory of 1384	1552	cmd.exe	39
PID 1552 wrote to memory of 1384	1552	cmd.exe	39
PID 1552 wrote to memory of 1384	1552	cmd.exe	39
PID 1552 wrote to memory of 976	1552	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
"C:\Users\Admin\AppData\Local\Temp\c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Q6VRHPFYA3.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\sc.exe
    sc.exe create 11W4AJ7580BinPath= "C:\Program Files\YEIXH\MIC95X.exe -start" type= own type= interact start= auto DisplayName= UJW2G27U39MO
    3⤵
    - Launches sc.exe
    PID:1436
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s shimgvw.dll
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:1200
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - Modifies registry class
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1640
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:636
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:548
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1384
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:976
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:908
- C:\Program Files\R4OIF.exe
  "C:\Program Files\R4OIF.exe" C:\Users\Admin\AppData\Local\Temp\c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1752
- C:\Program Files\R4OIF.exe
  "C:\Program Files\R4OIF.exe" TM954
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\EQLB39A99NW.bat""
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\sc.exe
    sc.exe create R5RKKZ05VUHBinPath= "C:\Program Files\MIC95X\CMDNS6.exe -start" type= own type= interact start= auto DisplayName= KG8IB2WM8I26
    3⤵
    - Launches sc.exe
    PID:240
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s shimgvw.dll
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    PID:672
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:1788
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    PID:344
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - Modifies registry class
    PID:1260
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1784
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1632
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:364
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1064
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1236
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1940
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Modifies registry key
    PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\EQLB39A99NW.bat

Filesize
1KB

MD5
4e1abe3eb9a6cc76ff03f8db214c63db

SHA1
47603a74f074dab78a820b4a25d001b1c52d2e12

SHA256
a35e609c82f601f50a25e26777df143f5060e6de886c0ebe395b940656deb17d

SHA512
0a8067d97cc94f01e904c7988ff8b456e517c2db535cb835fea76db7090acb1dc0d7bece8ed40950f62c146adc9995ed8ba859815fb3b136e2195dea4d0cf833

Download Submit
C:\Program Files\Q6VRHPFYA3.bat

Filesize
1KB

MD5
c4ec749e442f070900574bf98cab24e6

SHA1
59e40c1caf1cb83a275c653c48cee84fa8ba9927

SHA256
30dbc1b952fe4db901661c030e85d1ee17de8c3bd61fd51546d32bbca44412c5

SHA512
c181d4e9e4c9f648a7316be67fdc93519a9be3269d7ed50c1e2f7202e1f27ced0b7d74119a78cfe6258557e4cb03c74cf2df76af8a957a0baf47be2321f4d3cd

Download Submit
C:\Program Files\R4OIF.exe

Filesize
32KB

MD5
5efcd9bd040df3f1a91ccca5e2996f1a

SHA1
cf3b753ccb21a215a716873f0121235611933ba2

SHA256
969e0c9b3947de3e494da83c2ee120ce9dc3b751a74b8f8629b26dc09a736a1d

SHA512
e707bca1dd4760f422d7b98226e95e7fe4482bb5f4fadd9d770322680816e4105c06f16a8af3a00b375df73b9e97086b14c4e2aa03ad4c0558ad36c1e94f0ee7

Download Submit
C:\Program Files\R4OIF.exe

Filesize
32KB

MD5
5efcd9bd040df3f1a91ccca5e2996f1a

SHA1
cf3b753ccb21a215a716873f0121235611933ba2

SHA256
969e0c9b3947de3e494da83c2ee120ce9dc3b751a74b8f8629b26dc09a736a1d

SHA512
e707bca1dd4760f422d7b98226e95e7fe4482bb5f4fadd9d770322680816e4105c06f16a8af3a00b375df73b9e97086b14c4e2aa03ad4c0558ad36c1e94f0ee7

Download Submit
\Program Files\R4OIF.exe

Filesize
32KB

MD5
5efcd9bd040df3f1a91ccca5e2996f1a

SHA1
cf3b753ccb21a215a716873f0121235611933ba2

SHA256
969e0c9b3947de3e494da83c2ee120ce9dc3b751a74b8f8629b26dc09a736a1d

SHA512
e707bca1dd4760f422d7b98226e95e7fe4482bb5f4fadd9d770322680816e4105c06f16a8af3a00b375df73b9e97086b14c4e2aa03ad4c0558ad36c1e94f0ee7

Download Submit
\Program Files\R4OIF.exe

Filesize
32KB

MD5
5efcd9bd040df3f1a91ccca5e2996f1a

SHA1
cf3b753ccb21a215a716873f0121235611933ba2

SHA256
969e0c9b3947de3e494da83c2ee120ce9dc3b751a74b8f8629b26dc09a736a1d

SHA512
e707bca1dd4760f422d7b98226e95e7fe4482bb5f4fadd9d770322680816e4105c06f16a8af3a00b375df73b9e97086b14c4e2aa03ad4c0558ad36c1e94f0ee7

Download Submit
\Program Files\R4OIF.exe

Filesize
32KB

MD5
5efcd9bd040df3f1a91ccca5e2996f1a

SHA1
cf3b753ccb21a215a716873f0121235611933ba2

SHA256
969e0c9b3947de3e494da83c2ee120ce9dc3b751a74b8f8629b26dc09a736a1d

SHA512
e707bca1dd4760f422d7b98226e95e7fe4482bb5f4fadd9d770322680816e4105c06f16a8af3a00b375df73b9e97086b14c4e2aa03ad4c0558ad36c1e94f0ee7

Download Submit
memory/1388-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads