f0b895bf200ca7c224653c044080a86e3bf20f46ee938c28f360de5dce61d335

Analysis

max time kernel
187s
max time network
192s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0b895bf200ca7c224653c044080a86e3bf20f46ee938c28f360de5dce61d335.exe
Size

64KB
MD5

c02858a05aa5df233fa77a31ead0fb36
SHA1

de8dffa685c4a98b8fcf444e07583bb7c5eba468
SHA256

f0b895bf200ca7c224653c044080a86e3bf20f46ee938c28f360de5dce61d335
SHA512

a8f7fe4a86d866b032239c81608e0e4a6be7b5ca857c7160e2bca96550203a060422cc3d5f2a75a15263d9cb77b33081f01f652545ab100853a8cba14ddddb1b
SSDEEP

1536:oioQmpv0wuCOxxHquvrQiLnJ1fF1gXQvv9I4sdziNnNu4F68GsDl0nouy85:oioQcWFfKusiLJ1f8QvTuOnk4Is+out5

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 14 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	svchost.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	svchost.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	svchost.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	svchost.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	svchost.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
516	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfmessenger.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isrv95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avptc32.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bisp.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Netscape.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkserv.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pview.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zatutor.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxquar.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fwenc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vfsetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpexec.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgctrl.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iomon98.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\purge.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tca.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530stbyb.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netspyhunter-1.2.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netutils.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisum.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcontrol.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winservices.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkpop.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\css1631.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icload95.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfw2en.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleToolbarInstaller_download_signed.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spysweeper.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ncinst4.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pingscan.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trojantrap3.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpf.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npf40_tw_98_nt_me_2k.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpsvs32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winsfcm.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navwnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supftrl.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WORDCONV .EXE	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_findviru.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleanpc.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netcfg.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schedapp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup_flowprotector_us.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsynmgr.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firewall.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jammer.exe	svchost.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a00000001232a-57.dat	upx
behavioral1/files/0x000a00000001232a-58.dat	upx
behavioral1/memory/268-61-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/files/0x000a00000001232a-60.dat	upx
behavioral1/memory/516-64-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1172-65-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1172-68-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1172-69-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1172-72-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/files/0x000a00000001232a-74.dat	upx
behavioral1/memory/516-75-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1172-76-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
268	f0b895bf200ca7c224653c044080a86e3bf20f46ee938c28f360de5dce61d335.exe
268	f0b895bf200ca7c224653c044080a86e3bf20f46ee938c28f360de5dce61d335.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\95E4845544241435 = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\95E4845544241435 = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 516 set thread context of 1172	516	winlogon.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://58m563hp9c5p0k9.directorio-w.com"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://e45bi5ctj0m3918.directorio-w.com"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://v68py07nptso1a5.directorio-w.com"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://t2igw6ysw29al95.directorio-w.com"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://l509z73569y7798.directorio-w.com"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://2hsw522340qf4sc.directorio-w.com"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://yq04su8zpd0c8g7.directorio-w.com"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://svs55t5y2q7lfa7.directorio-w.com"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	svchost.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://7zdsbk2a8p4zh12.directorio-w.com"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://55v1lwxx8mic64z.directorio-w.com"	svchost.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	1172	svchost.exe
Token: 33	928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	928	AUDIODG.EXE
Token: 33	928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	928	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
268	f0b895bf200ca7c224653c044080a86e3bf20f46ee938c28f360de5dce61d335.exe
516	winlogon.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 268 wrote to memory of 516	268	f0b895bf200ca7c224653c044080a86e3bf20f46ee938c28f360de5dce61d335.exe	28
PID 268 wrote to memory of 516	268	f0b895bf200ca7c224653c044080a86e3bf20f46ee938c28f360de5dce61d335.exe	28
PID 268 wrote to memory of 516	268	f0b895bf200ca7c224653c044080a86e3bf20f46ee938c28f360de5dce61d335.exe	28
PID 268 wrote to memory of 516	268	f0b895bf200ca7c224653c044080a86e3bf20f46ee938c28f360de5dce61d335.exe	28
PID 516 wrote to memory of 1172	516	winlogon.exe	29
PID 516 wrote to memory of 1172	516	winlogon.exe	29
PID 516 wrote to memory of 1172	516	winlogon.exe	29
PID 516 wrote to memory of 1172	516	winlogon.exe	29
PID 516 wrote to memory of 1172	516	winlogon.exe	29
PID 516 wrote to memory of 1172	516	winlogon.exe	29
PID 516 wrote to memory of 1172	516	winlogon.exe	29
PID 516 wrote to memory of 1172	516	winlogon.exe	29
PID 516 wrote to memory of 1172	516	winlogon.exe	29

C:\Users\Admin\AppData\Local\Temp\f0b895bf200ca7c224653c044080a86e3bf20f46ee938c28f360de5dce61d335.exe
"C:\Users\Admin\AppData\Local\Temp\f0b895bf200ca7c224653c044080a86e3bf20f46ee938c28f360de5dce61d335.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:268
- C:\Users\Admin\E696D64614\winlogon.exe
  "C:\Users\Admin\E696D64614\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\SysWOW64\svchost.exe
    0
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Drops startup file
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1172

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x550
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\E696D64614\winlogon.exe

Filesize
64KB

MD5
c02858a05aa5df233fa77a31ead0fb36

SHA1
de8dffa685c4a98b8fcf444e07583bb7c5eba468

SHA256
f0b895bf200ca7c224653c044080a86e3bf20f46ee938c28f360de5dce61d335

SHA512
a8f7fe4a86d866b032239c81608e0e4a6be7b5ca857c7160e2bca96550203a060422cc3d5f2a75a15263d9cb77b33081f01f652545ab100853a8cba14ddddb1b

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
64KB

MD5
c02858a05aa5df233fa77a31ead0fb36

SHA1
de8dffa685c4a98b8fcf444e07583bb7c5eba468

SHA256
f0b895bf200ca7c224653c044080a86e3bf20f46ee938c28f360de5dce61d335

SHA512
a8f7fe4a86d866b032239c81608e0e4a6be7b5ca857c7160e2bca96550203a060422cc3d5f2a75a15263d9cb77b33081f01f652545ab100853a8cba14ddddb1b

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
64KB

MD5
c02858a05aa5df233fa77a31ead0fb36

SHA1
de8dffa685c4a98b8fcf444e07583bb7c5eba468

SHA256
f0b895bf200ca7c224653c044080a86e3bf20f46ee938c28f360de5dce61d335

SHA512
a8f7fe4a86d866b032239c81608e0e4a6be7b5ca857c7160e2bca96550203a060422cc3d5f2a75a15263d9cb77b33081f01f652545ab100853a8cba14ddddb1b

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
64KB

MD5
c02858a05aa5df233fa77a31ead0fb36

SHA1
de8dffa685c4a98b8fcf444e07583bb7c5eba468

SHA256
f0b895bf200ca7c224653c044080a86e3bf20f46ee938c28f360de5dce61d335

SHA512
a8f7fe4a86d866b032239c81608e0e4a6be7b5ca857c7160e2bca96550203a060422cc3d5f2a75a15263d9cb77b33081f01f652545ab100853a8cba14ddddb1b

Download Submit
memory/268-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/268-56-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/516-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/516-59-0x0000000000000000-mapping.dmp

Download
memory/516-75-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1172-65-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1172-66-0x0000000000422F70-mapping.dmp

Download
memory/1172-68-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1172-69-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1172-72-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1172-76-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1172-77-0x0000000003A80000-0x0000000003E92000-memory.dmp

Filesize
4.1MB

Download