c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
Size

68KB
MD5

f2cf3c7dc180d86be4631f20336c156f
SHA1

41fb4a5b4da1c04a0d3df1aa4fbd58f262e2f6d5
SHA256

c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485
SHA512

97943c17613191be5e3332b613cb2eda7ccc9f0b9d1bf9b27a6c205bc4b4ac32dd52383a189dc9e367e3a6cc2e335f3fdb2db80053e89b1d4ad7ccbdedb02f00
SSDEEP

1536:p1xXPTuoGIBhnKs8aY6y6iuYQSewnnvxiBoKB62vNTVYfZIe:9+aY4ge2xuqkNpA

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 2 IoCs

pid	Process
2320	8N33Z0P4Q.exe
1336	8N33Z0P4Q.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\69SKI4U36H.bat	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
File created	C:\Program Files\FFH58\2JEVE.exe	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
File opened for modification	C:\Program Files\FFH58\2JEVE.exe	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
File created	C:\Program Files\8N33Z0P4Q.exe	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
File created	C:\Program Files\12X9UO0J.bat	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
File created	C:\Program Files\9KXXZ80F4HV\ZCHG9K0SKDZ.exe	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ZBE9AQ.exe	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
File created	C:\Windows\WUJVDP.log	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
File created	C:\Windows\UJW2G27U39MO.exe	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2448	sc.exe
3412	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID\ = "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.3\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.ENCODE\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript.Encode"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT AUTHOR\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID\ = "JScript.Compact"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.2\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.2\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\VBSFILE\SCRIPTHOSTENCODE	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.3\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT AUTHOR\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT AUTHOR\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\ = "JScript Language Authoring"	regsvr32.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1064	reg.exe
5072	reg.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
884	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
884	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
884	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
884	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
884	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
2320	8N33Z0P4Q.exe
2320	8N33Z0P4Q.exe
2320	8N33Z0P4Q.exe
1336	8N33Z0P4Q.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 4800	884	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	83
PID 884 wrote to memory of 4800	884	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	83
PID 884 wrote to memory of 4800	884	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	83
PID 4800 wrote to memory of 2448	4800	cmd.exe	85
PID 4800 wrote to memory of 2448	4800	cmd.exe	85
PID 4800 wrote to memory of 2448	4800	cmd.exe	85
PID 4800 wrote to memory of 3484	4800	cmd.exe	86
PID 4800 wrote to memory of 3484	4800	cmd.exe	86
PID 4800 wrote to memory of 3484	4800	cmd.exe	86
PID 4800 wrote to memory of 3528	4800	cmd.exe	87
PID 4800 wrote to memory of 3528	4800	cmd.exe	87
PID 4800 wrote to memory of 3528	4800	cmd.exe	87
PID 4800 wrote to memory of 608	4800	cmd.exe	88
PID 4800 wrote to memory of 608	4800	cmd.exe	88
PID 4800 wrote to memory of 608	4800	cmd.exe	88
PID 4800 wrote to memory of 612	4800	cmd.exe	89
PID 4800 wrote to memory of 612	4800	cmd.exe	89
PID 4800 wrote to memory of 612	4800	cmd.exe	89
PID 884 wrote to memory of 2320	884	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	90
PID 884 wrote to memory of 2320	884	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	90
PID 884 wrote to memory of 2320	884	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	90
PID 4800 wrote to memory of 1452	4800	cmd.exe	91
PID 4800 wrote to memory of 1452	4800	cmd.exe	91
PID 4800 wrote to memory of 1452	4800	cmd.exe	91
PID 884 wrote to memory of 1336	884	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	92
PID 884 wrote to memory of 1336	884	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	92
PID 884 wrote to memory of 1336	884	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	92
PID 4800 wrote to memory of 5016	4800	cmd.exe	93
PID 4800 wrote to memory of 5016	4800	cmd.exe	93
PID 4800 wrote to memory of 5016	4800	cmd.exe	93
PID 4800 wrote to memory of 676	4800	cmd.exe	94
PID 4800 wrote to memory of 676	4800	cmd.exe	94
PID 4800 wrote to memory of 676	4800	cmd.exe	94
PID 4800 wrote to memory of 2092	4800	cmd.exe	95
PID 4800 wrote to memory of 2092	4800	cmd.exe	95
PID 4800 wrote to memory of 2092	4800	cmd.exe	95
PID 4800 wrote to memory of 4620	4800	cmd.exe	96
PID 4800 wrote to memory of 4620	4800	cmd.exe	96
PID 4800 wrote to memory of 4620	4800	cmd.exe	96
PID 4800 wrote to memory of 1792	4800	cmd.exe	97
PID 4800 wrote to memory of 1792	4800	cmd.exe	97
PID 4800 wrote to memory of 1792	4800	cmd.exe	97
PID 4800 wrote to memory of 4216	4800	cmd.exe	98
PID 4800 wrote to memory of 4216	4800	cmd.exe	98
PID 4800 wrote to memory of 4216	4800	cmd.exe	98
PID 4800 wrote to memory of 1064	4800	cmd.exe	99
PID 4800 wrote to memory of 1064	4800	cmd.exe	99
PID 4800 wrote to memory of 1064	4800	cmd.exe	99
PID 884 wrote to memory of 1584	884	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	100
PID 884 wrote to memory of 1584	884	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	100
PID 884 wrote to memory of 1584	884	c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe	100
PID 1584 wrote to memory of 3412	1584	cmd.exe	102
PID 1584 wrote to memory of 3412	1584	cmd.exe	102
PID 1584 wrote to memory of 3412	1584	cmd.exe	102
PID 1584 wrote to memory of 488	1584	cmd.exe	103
PID 1584 wrote to memory of 488	1584	cmd.exe	103
PID 1584 wrote to memory of 488	1584	cmd.exe	103
PID 1584 wrote to memory of 2736	1584	cmd.exe	104
PID 1584 wrote to memory of 2736	1584	cmd.exe	104
PID 1584 wrote to memory of 2736	1584	cmd.exe	104
PID 1584 wrote to memory of 2540	1584	cmd.exe	105
PID 1584 wrote to memory of 2540	1584	cmd.exe	105
PID 1584 wrote to memory of 2540	1584	cmd.exe	105
PID 1584 wrote to memory of 2288	1584	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
"C:\Users\Admin\AppData\Local\Temp\c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\69SKI4U36H.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\sc.exe
    sc.exe create A2TLSXPQDWBinPath= "C:\Program Files\FFH58\2JEVE.exe -start" type= own type= interact start= auto DisplayName= I9R4FLII5ZF
    3⤵
    - Launches sc.exe
    PID:2448
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s shimgvw.dll
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    PID:3528
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:608
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    PID:612
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - Modifies registry class
    PID:1452
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:5016
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:676
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2092
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:4620
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1792
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:4216
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1064
- C:\Program Files\8N33Z0P4Q.exe
  "C:\Program Files\8N33Z0P4Q.exe" C:\Users\Admin\AppData\Local\Temp\c4a82c03574924a566036306258c1e16da7cc53417b86297925aecd115a15485.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2320
- C:\Program Files\8N33Z0P4Q.exe
  "C:\Program Files\8N33Z0P4Q.exe" WYOCV3
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\12X9UO0J.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\sc.exe
    sc.exe create VZADNINFBinPath= "C:\Program Files\9KXXZ80F4HV\ZCHG9K0SKDZ.exe -start" type= own type= interact start= auto DisplayName= 76OYBSIJOB
    3⤵
    - Launches sc.exe
    PID:3412
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s shimgvw.dll
    3⤵
    PID:488
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - Modifies registry class
    PID:692
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:4420
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:4484
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1060
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:4712
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:5008
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1132
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Modifies registry key
    PID:5072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\12X9UO0J.bat

Filesize
1KB

MD5
a7f480ec3a33820aba1ca005686a9aa1

SHA1
33458bfe01daeeeea1e174f1dac59180053eef93

SHA256
e1305452d7a7b14e3ad4bbcaec605e3a4219885be6c7a7bfef4a21e573eb5353

SHA512
813e6080c239ec8d2215437c392932669fbeaa1efd8ee6c05e21ea8069dabdb391eb0c091b74ffa175d0aebab84d419fa69cd7fdca9c060c7e5cdbb2b75427c9

Download Submit
C:\Program Files\69SKI4U36H.bat

Filesize
1KB

MD5
351ced9309d4b5bfbb3270d8e1ac50c1

SHA1
ca98bc69a222963e352d7dcffed0c6f5cba8323e

SHA256
eb9a4494c32e85c6a4168f322abd9544a91b4db0619d4c0ef8fb51125998f3f8

SHA512
9d67aba96fcc03f36463433552a7a0be12b6f1ceebbfac1ba59dac920b4d3ee4cbdfcc2010e1fc890828dec2947c876f16468f408b6e88e7d3fd87211796fdfc

Download Submit
C:\Program Files\8N33Z0P4Q.exe

Filesize
32KB

MD5
5efcd9bd040df3f1a91ccca5e2996f1a

SHA1
cf3b753ccb21a215a716873f0121235611933ba2

SHA256
969e0c9b3947de3e494da83c2ee120ce9dc3b751a74b8f8629b26dc09a736a1d

SHA512
e707bca1dd4760f422d7b98226e95e7fe4482bb5f4fadd9d770322680816e4105c06f16a8af3a00b375df73b9e97086b14c4e2aa03ad4c0558ad36c1e94f0ee7

Download Submit
C:\Program Files\8N33Z0P4Q.exe

Filesize
32KB

MD5
5efcd9bd040df3f1a91ccca5e2996f1a

SHA1
cf3b753ccb21a215a716873f0121235611933ba2

SHA256
969e0c9b3947de3e494da83c2ee120ce9dc3b751a74b8f8629b26dc09a736a1d

SHA512
e707bca1dd4760f422d7b98226e95e7fe4482bb5f4fadd9d770322680816e4105c06f16a8af3a00b375df73b9e97086b14c4e2aa03ad4c0558ad36c1e94f0ee7

Download Submit
C:\Program Files\8N33Z0P4Q.exe

Filesize
32KB

MD5
5efcd9bd040df3f1a91ccca5e2996f1a

SHA1
cf3b753ccb21a215a716873f0121235611933ba2

SHA256
969e0c9b3947de3e494da83c2ee120ce9dc3b751a74b8f8629b26dc09a736a1d

SHA512
e707bca1dd4760f422d7b98226e95e7fe4482bb5f4fadd9d770322680816e4105c06f16a8af3a00b375df73b9e97086b14c4e2aa03ad4c0558ad36c1e94f0ee7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads