a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e

Analysis

max time kernel
39s
max time network
39s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-03-2023 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Size

6.1MB
MD5

00a1a71e26b6b9e3528e6f1d80daff4b
SHA1

111e896d9001fc78774cabde3826d5078ccbd1fd
SHA256

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e
SHA512

1b5ea6d0f6409b1b4cfba74c0a680c2f67f325b0489388d165449aacac1df4abe54133b1c49db3ad1cf93a2b48bb24d1efb33b49657e2c796f6b0f87df3a90cd
SSDEEP

98304:7a+MxCnvmQN5Q2J80fAO8mDcn2BlJPD8Nzl2QT8ORaw8GFvuztr2cwrihUkTNYyK:/315Q+Rt8Unt8NuTwJ+KfOUkTe

Score

10^/10

adware evasion persistence spyware stealer trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

Drops file in Drivers directory 2 IoCs

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File created	C:\Windows\System32\drivers\etc\hosts	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1096 cmd.exe

pid	process
1096	cmd.exe

Drops startup file 1 IoCs

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

Executes dropped EXE 5 IoCs

Processes:

nbbxugv.exe~bantrnd.exe~bantrnd.exeqdcmsxh.exe~bantrnd.exe

pid process

912 nbbxugv.exe
1340 ~bantrnd.exe
1908 ~bantrnd.exe
1708 qdcmsxh.exe
832 ~bantrnd.exe

pid	process
912	nbbxugv.exe
1340	~bantrnd.exe
1908	~bantrnd.exe
1708	qdcmsxh.exe
832	~bantrnd.exe

Loads dropped DLL 10 IoCs

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

pid	process
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
1500
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
1480
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
1348

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2044-60-0x0000000000CB0000-0x000000000190C000-memory.dmp	upx
behavioral1/memory/1936-69-0x0000000000CB0000-0x000000000190C000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\nbbxugv.exe	upx
\Users\Admin\AppData\Local\Temp\nbbxugv.exe	upx
C:\Users\Admin\AppData\Local\Temp\nbbxugv.exe	upx
C:\Users\Admin\AppData\Local\Temp\nbbxugv.exe	upx
C:\Users\Admin\AppData\Local\Temp\nbbxugv.exe	upx
behavioral1/memory/912-89-0x00000000008C0000-0x000000000151C000-memory.dmp	upx
behavioral1/memory/2044-106-0x0000000000CB0000-0x000000000190C000-memory.dmp	upx
behavioral1/memory/1936-109-0x0000000000CB0000-0x000000000190C000-memory.dmp	upx
behavioral1/memory/912-114-0x00000000008C0000-0x000000000151C000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\qdcmsxh.exe	upx
\Users\Admin\AppData\Local\Temp\qdcmsxh.exe	upx
\Users\Admin\AppData\Local\Temp\qdcmsxh.exe	upx
C:\Users\Admin\AppData\Local\Temp\qdcmsxh.exe	upx
behavioral1/memory/1708-126-0x00000000003A0000-0x0000000000FFC000-memory.dmp	upx
behavioral1/memory/2044-140-0x0000000000CB0000-0x000000000190C000-memory.dmp	upx
behavioral1/memory/2044-141-0x0000000000CB0000-0x000000000190C000-memory.dmp	upx
behavioral1/memory/1708-147-0x00000000003A0000-0x0000000000FFC000-memory.dmp	upx
behavioral1/memory/1708-214-0x00000000003A0000-0x0000000000FFC000-memory.dmp	upx
behavioral1/memory/2044-215-0x0000000000CB0000-0x000000000190C000-memory.dmp	upx
behavioral1/memory/2044-233-0x0000000000CB0000-0x000000000190C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exeRundll32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNONCE	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCE	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\RUNONCE	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	Rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\RUNONCEEX	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\RunOnceEx	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNONCEEX	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

description	ioc	process
File opened (read-only)	\??\u:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\v:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\e:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\q:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\h:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\i:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\p:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\t:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\w:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\x:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\f:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\g:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\z:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\l:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\n:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\o:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\a:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\j:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\m:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\r:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\s:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\y:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\b:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
File opened (read-only)	\??\k:	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

AutoIT Executable 13 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2044-60-0x0000000000CB0000-0x000000000190C000-memory.dmp	autoit_exe
behavioral1/memory/1936-69-0x0000000000CB0000-0x000000000190C000-memory.dmp	autoit_exe
behavioral1/memory/912-89-0x00000000008C0000-0x000000000151C000-memory.dmp	autoit_exe
behavioral1/memory/2044-106-0x0000000000CB0000-0x000000000190C000-memory.dmp	autoit_exe
behavioral1/memory/1936-109-0x0000000000CB0000-0x000000000190C000-memory.dmp	autoit_exe
behavioral1/memory/912-114-0x00000000008C0000-0x000000000151C000-memory.dmp	autoit_exe
behavioral1/memory/1708-126-0x00000000003A0000-0x0000000000FFC000-memory.dmp	autoit_exe
behavioral1/memory/2044-140-0x0000000000CB0000-0x000000000190C000-memory.dmp	autoit_exe
behavioral1/memory/2044-141-0x0000000000CB0000-0x000000000190C000-memory.dmp	autoit_exe
behavioral1/memory/1708-147-0x00000000003A0000-0x0000000000FFC000-memory.dmp	autoit_exe
behavioral1/memory/1708-214-0x00000000003A0000-0x0000000000FFC000-memory.dmp	autoit_exe
behavioral1/memory/2044-215-0x0000000000CB0000-0x000000000190C000-memory.dmp	autoit_exe
behavioral1/memory/2044-233-0x0000000000CB0000-0x000000000190C000-memory.dmp	autoit_exe

Drops file in Program Files directory 1 IoCs

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

Drops file in Windows directory 1 IoCs

Processes:

Rundll32.exe

description ioc process

File opened for modification C:\Windows\INF\setupapi.app.log Rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.app.log	Rundll32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe~bantrnd.exe~bantrnd.exe~bantrnd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\First Home Page = "http://www.136156.com/?30302"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.136156.com/?30302"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\First Home Page = "http://www.136156.com/?30302"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN	~bantrnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.136156.com/?30302"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN	~bantrnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN	~bantrnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.136156.com/?30302"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\First Home Page = "http://www.136156.com/?30302"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

Modifies Internet Explorer start page 1 TTPs 3 IoCs

stealer

Modify Registry

T1112

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.136156.com/?30302"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.136156.com/?30302"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.136156.com/?30302"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

Modifies registry class 35 IoCs

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set\Command\ = "C:\\Windows\\SysWOW64\\rundll32.exe C:\\Windows\\SysWOW64\\shell32.dll,Control_RunDLL C:\\Windows\\SysWOW64\\inetcpl.cpl"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{920E6DB1-9907-4370-B3A0-BAFC03D81399}\InprocServer32	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open\Command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\""	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set\Command	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_Classes\Local Settings	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FD978C-D287-4F50-827F-B2C658EDA8E7}\InprocServer32	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}\InprocServer32	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}\InprocServer32	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{920E6DB1-9907-4370-B3A0-BAFC03D81399}	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open\ = "打开主页(&H)"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open\Command	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\DefaultIcon	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\DefaultIcon\ = "C:\\Windows\\SysWOW64\\ieframe.dll,-190"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\ = "Internet Explorer"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16F3DD56-1AF5-4347-846D-7C10C4192619}\InprocServer32	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16F3DD56-1AF5-4347-846D-7C10C4192619}	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns\ = "在没有加载项的情况下启动"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns\Command	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns\Command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" -extoff"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set\ = "属性(&R)"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FD978C-D287-4F50-827F-B2C658EDA8E7}	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

268 PING.EXE
848 PING.EXE
336 PING.EXE

pid	process
268	PING.EXE
848	PING.EXE
336	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exea07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

pid	process
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
1936	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
1936	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
1936	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

pid process

2044 a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exea07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exenbbxugv.exe~bantrnd.exe~bantrnd.exeqdcmsxh.exe~bantrnd.exeRundll32.exe

description	pid	process
Token: SeDebugPrivilege	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Token: SeDebugPrivilege	1936	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Token: SeDebugPrivilege	912	nbbxugv.exe
Token: SeRestorePrivilege	912	nbbxugv.exe
Token: SeTakeOwnershipPrivilege	912	nbbxugv.exe
Token: SeDebugPrivilege	912	nbbxugv.exe
Token: SeSecurityPrivilege	912	nbbxugv.exe
Token: SeBackupPrivilege	1340	~bantrnd.exe
Token: SeRestorePrivilege	1340	~bantrnd.exe
Token: SeTakeOwnershipPrivilege	1340	~bantrnd.exe
Token: SeBackupPrivilege	1908	~bantrnd.exe
Token: SeRestorePrivilege	1908	~bantrnd.exe
Token: SeTakeOwnershipPrivilege	1908	~bantrnd.exe
Token: SeDebugPrivilege	1708	qdcmsxh.exe
Token: SeRestorePrivilege	1708	qdcmsxh.exe
Token: SeTakeOwnershipPrivilege	1708	qdcmsxh.exe
Token: SeDebugPrivilege	1708	qdcmsxh.exe
Token: SeSecurityPrivilege	1708	qdcmsxh.exe
Token: SeBackupPrivilege	832	~bantrnd.exe
Token: SeRestorePrivilege	832	~bantrnd.exe
Token: SeTakeOwnershipPrivilege	832	~bantrnd.exe
Token: SeRestorePrivilege	872	Rundll32.exe
Token: SeRestorePrivilege	872	Rundll32.exe
Token: SeRestorePrivilege	872	Rundll32.exe
Token: SeRestorePrivilege	872	Rundll32.exe
Token: SeRestorePrivilege	872	Rundll32.exe
Token: SeRestorePrivilege	872	Rundll32.exe
Token: SeRestorePrivilege	872	Rundll32.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

pid	process
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

pid	process
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exeRundll32.exerunonce.execmd.execmd.exe

description	pid	process	target process
PID 2044 wrote to memory of 1936	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
PID 2044 wrote to memory of 1936	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
PID 2044 wrote to memory of 1936	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
PID 2044 wrote to memory of 1936	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
PID 2044 wrote to memory of 912	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	nbbxugv.exe
PID 2044 wrote to memory of 912	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	nbbxugv.exe
PID 2044 wrote to memory of 912	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	nbbxugv.exe
PID 2044 wrote to memory of 912	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	nbbxugv.exe
PID 2044 wrote to memory of 1340	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	~bantrnd.exe
PID 2044 wrote to memory of 1340	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	~bantrnd.exe
PID 2044 wrote to memory of 1340	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	~bantrnd.exe
PID 2044 wrote to memory of 1340	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	~bantrnd.exe
PID 2044 wrote to memory of 1908	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	~bantrnd.exe
PID 2044 wrote to memory of 1908	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	~bantrnd.exe
PID 2044 wrote to memory of 1908	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	~bantrnd.exe
PID 2044 wrote to memory of 1908	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	~bantrnd.exe
PID 2044 wrote to memory of 1708	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	qdcmsxh.exe
PID 2044 wrote to memory of 1708	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	qdcmsxh.exe
PID 2044 wrote to memory of 1708	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	qdcmsxh.exe
PID 2044 wrote to memory of 1708	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	qdcmsxh.exe
PID 2044 wrote to memory of 832	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	~bantrnd.exe
PID 2044 wrote to memory of 832	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	~bantrnd.exe
PID 2044 wrote to memory of 832	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	~bantrnd.exe
PID 2044 wrote to memory of 832	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	~bantrnd.exe
PID 2044 wrote to memory of 872	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	Rundll32.exe
PID 2044 wrote to memory of 872	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	Rundll32.exe
PID 2044 wrote to memory of 872	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	Rundll32.exe
PID 2044 wrote to memory of 872	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	Rundll32.exe
PID 872 wrote to memory of 1388	872	Rundll32.exe	runonce.exe
PID 872 wrote to memory of 1388	872	Rundll32.exe	runonce.exe
PID 872 wrote to memory of 1388	872	Rundll32.exe	runonce.exe
PID 1388 wrote to memory of 588	1388	runonce.exe	grpconv.exe
PID 1388 wrote to memory of 588	1388	runonce.exe	grpconv.exe
PID 1388 wrote to memory of 588	1388	runonce.exe	grpconv.exe
PID 2044 wrote to memory of 1096	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	cmd.exe
PID 2044 wrote to memory of 1096	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	cmd.exe
PID 2044 wrote to memory of 1096	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	cmd.exe
PID 2044 wrote to memory of 1096	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	cmd.exe
PID 2044 wrote to memory of 1544	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	cmd.exe
PID 2044 wrote to memory of 1544	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	cmd.exe
PID 2044 wrote to memory of 1544	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	cmd.exe
PID 2044 wrote to memory of 1544	2044	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe	cmd.exe
PID 1096 wrote to memory of 268	1096	cmd.exe	PING.EXE
PID 1096 wrote to memory of 268	1096	cmd.exe	PING.EXE
PID 1096 wrote to memory of 268	1096	cmd.exe	PING.EXE
PID 1544 wrote to memory of 848	1544	cmd.exe	PING.EXE
PID 1544 wrote to memory of 848	1544	cmd.exe	PING.EXE
PID 1544 wrote to memory of 848	1544	cmd.exe	PING.EXE
PID 1096 wrote to memory of 336	1096	cmd.exe	PING.EXE
PID 1096 wrote to memory of 336	1096	cmd.exe	PING.EXE
PID 1096 wrote to memory of 336	1096	cmd.exe	PING.EXE

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe

C:\Users\Admin\AppData\Local\Temp\a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
"C:\Users\Admin\AppData\Local\Temp\a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2044

C:\Users\Admin\AppData\Local\Temp\a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe
C:\Users\Admin\AppData\Local\Temp\a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e.exe /nstart
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Users\Admin\AppData\Local\Temp\nbbxugv.exe
C:\Users\Admin\AppData\Local\Temp\nbbxugv.exe /HomeRegAccess10
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Users\Admin\AppData\Local\Temp\~bantrnd.exe
C:\Users\Admin\AppData\Local\Temp\~bantrnd.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn setowner -ownr "n:Administrators"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Users\Admin\AppData\Local\Temp\~bantrnd.exe
C:\Users\Admin\AppData\Local\Temp\~bantrnd.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn ace -ace "n:Everyone;p:full;i:np;m:set" -rec no
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Users\Admin\AppData\Local\Temp\qdcmsxh.exe
C:\Users\Admin\AppData\Local\Temp\qdcmsxh.exe /HomeRegAccess10
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Users\Admin\AppData\Local\Temp\~bantrnd.exe
C:\Users\Admin\AppData\Local\Temp\~bantrnd.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn ace -ace "n:Everyone;p:full;i:np;m:set" -rec no
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\system32\Rundll32.exe
Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Users\Admin\AppData\Local\Temp\~nxziiyd.inf
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
3⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
4⤵
PID:588

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RwUNA9P.bat
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\system32\PING.EXE
ping -n 1 127.0.0.1
3⤵
- Runs ping.exe
PID:268

C:\Windows\system32\PING.EXE
ping -n 3 127.0.0.1
3⤵
- Runs ping.exe
PID:336

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\IR5VOdt.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\system32\PING.EXE
ping -n 1 127.0.0.1
3⤵
- Runs ping.exe
PID:848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1936pymbaqi
Filesize
555KB

MD5
56e10362f680aee56057f3d77af4adae

SHA1
4ee12aa75792405f8fe222f621c18ed4ab3ebea1

SHA256
0e5b405a2fd9acf8da6edccc04cf5036c67005ab12ff557b3c6625f59966858a

SHA512
7b61957ed85a6e4ede03399abcea46ae262ce856f498624c5cfeb16230384eb5e58a72606477dc1a7bf9bcc2c3f751f02f62aae26ad0b4caab2c12452d447fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IR5VOdt.bat
Filesize
689B

MD5
0d21915577640b02ffe3a0e2e0da0832

SHA1
6dc3cefe5a9cf34ffe0a1053bf2b8c9cd3a946ea

SHA256
5bf9ec6a7917b15f6058a6cf2e416aa8386f4eb432475c19262140879c6de946

SHA512
ebd57e50d7b06aae227cd75a7365a732ab8c4824170ca5d9ef2337c7782f278400a199647899585c6f17947678844b85ff9fdb63af5e3384da5cdc646b67d870

Download Submit
C:\Users\Admin\AppData\Local\Temp\IR5VOdt.bat
Filesize
689B

MD5
0d21915577640b02ffe3a0e2e0da0832

SHA1
6dc3cefe5a9cf34ffe0a1053bf2b8c9cd3a946ea

SHA256
5bf9ec6a7917b15f6058a6cf2e416aa8386f4eb432475c19262140879c6de946

SHA512
ebd57e50d7b06aae227cd75a7365a732ab8c4824170ca5d9ef2337c7782f278400a199647899585c6f17947678844b85ff9fdb63af5e3384da5cdc646b67d870

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwUNA9P.bat
Filesize
465B

MD5
1b3f9a0f5dc07db9f7d9439f3b363d0a

SHA1
41c54518a36fbfe87d8403137fc77170c7aef6d0

SHA256
56565907b892d7a9e1376c2dd68eb8d770e9e194c47f506d3161802774389ca4

SHA512
74c972338e4b0ee85acdcfb9f5d4931641b7e86f9d062cfc2e6503bb7ede70db829cb56a53b06bb40d2e3a886a21aac7896fc1e9b75560b618656cfb86dcfade

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwUNA9P.bat
Filesize
465B

MD5
1b3f9a0f5dc07db9f7d9439f3b363d0a

SHA1
41c54518a36fbfe87d8403137fc77170c7aef6d0

SHA256
56565907b892d7a9e1376c2dd68eb8d770e9e194c47f506d3161802774389ca4

SHA512
74c972338e4b0ee85acdcfb9f5d4931641b7e86f9d062cfc2e6503bb7ede70db829cb56a53b06bb40d2e3a886a21aac7896fc1e9b75560b618656cfb86dcfade

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut1A26.tmp
Filesize
99KB

MD5
de06d1033a0e648527680f3f20ebc1d7

SHA1
46ce22ec6623a96abb628a8672e287e1e1666eba

SHA256
0326b571cc7e15d21faf10ac357a541b69b9030b9dc134c5c0e13b931e03c344

SHA512
2bbb2647d24881dc78f35fbdc62e1789cc9c25096683f0a2bad46491eea3dcf7f65671fb7103d57ce0775fe4ea8ab98436c780c2db0c4c54a22ae22a3aec103a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbbxugv.exe
Filesize
6.1MB

MD5
00a1a71e26b6b9e3528e6f1d80daff4b

SHA1
111e896d9001fc78774cabde3826d5078ccbd1fd

SHA256
a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e

SHA512
1b5ea6d0f6409b1b4cfba74c0a680c2f67f325b0489388d165449aacac1df4abe54133b1c49db3ad1cf93a2b48bb24d1efb33b49657e2c796f6b0f87df3a90cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbbxugv.exe
Filesize
6.1MB

MD5
00a1a71e26b6b9e3528e6f1d80daff4b

SHA1
111e896d9001fc78774cabde3826d5078ccbd1fd

SHA256
a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e

SHA512
1b5ea6d0f6409b1b4cfba74c0a680c2f67f325b0489388d165449aacac1df4abe54133b1c49db3ad1cf93a2b48bb24d1efb33b49657e2c796f6b0f87df3a90cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbbxugv.exe
Filesize
6.1MB

MD5
00a1a71e26b6b9e3528e6f1d80daff4b

SHA1
111e896d9001fc78774cabde3826d5078ccbd1fd

SHA256
a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e

SHA512
1b5ea6d0f6409b1b4cfba74c0a680c2f67f325b0489388d165449aacac1df4abe54133b1c49db3ad1cf93a2b48bb24d1efb33b49657e2c796f6b0f87df3a90cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qdcmsxh.exe
Filesize
6.1MB

MD5
00a1a71e26b6b9e3528e6f1d80daff4b

SHA1
111e896d9001fc78774cabde3826d5078ccbd1fd

SHA256
a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e

SHA512
1b5ea6d0f6409b1b4cfba74c0a680c2f67f325b0489388d165449aacac1df4abe54133b1c49db3ad1cf93a2b48bb24d1efb33b49657e2c796f6b0f87df3a90cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qdcmsxh.exe
Filesize
6.1MB

MD5
00a1a71e26b6b9e3528e6f1d80daff4b

SHA1
111e896d9001fc78774cabde3826d5078ccbd1fd

SHA256
a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e

SHA512
1b5ea6d0f6409b1b4cfba74c0a680c2f67f325b0489388d165449aacac1df4abe54133b1c49db3ad1cf93a2b48bb24d1efb33b49657e2c796f6b0f87df3a90cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\~bantrnd.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~bantrnd.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~bantrnd.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nxziiyd.inf
Filesize
32B

MD5
8f5f4837dd4a1680d79bbdca9cc1e08f

SHA1
688b5d5ef993733b97b303ed4c8409a14b230de5

SHA256
2bce6b9395cc74d16b9c94fd90debd9d524ffb53c6f6ae3a49b6e139671417b2

SHA512
bd75b564fe3c93dffdc65fe58463378f54268308ca5eaba5fc7f80458016f331a6596bfdaf63845c1d5c6c60df2a0ec2aff94d2aae7797da4f5f975f0363bd66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
Filesize
151B

MD5
988ea61855eab89ff1f69e884a6bee04

SHA1
5d4792d34fe3939301eefa968ab5b5e8d415aec1

SHA256
010436597702c768cd6f56b169a523c69a64459e5ef04fefbeaaa1bd087a6fe1

SHA512
eb8df971b4dfacb0772571147e32a191161848464d24ab3be690f7308378004259c03375618ffbb332316b8bf21f637ce7fe694322590d9b56af65695e3d3b9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
Filesize
87B

MD5
b2d6dfebf17bd825f5b31fca23a7548e

SHA1
5305a4abf9af0252fecd9b767139b744e188d861

SHA256
246010b68ee68ef3d435522f2e62ce03e5515d52868621f3d2f41d1f669021fb

SHA512
afbc19ff0e9f5da3a90081cea0e131057f8ddafe85507a14e410969b893192d6dadfb7ec59498c1c1cc6a58d4f2f9779937811c57c3203d1d0b69a7be2cadd2c

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nbbxugv.exe
Filesize
6.1MB

MD5
00a1a71e26b6b9e3528e6f1d80daff4b

SHA1
111e896d9001fc78774cabde3826d5078ccbd1fd

SHA256
a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e

SHA512
1b5ea6d0f6409b1b4cfba74c0a680c2f67f325b0489388d165449aacac1df4abe54133b1c49db3ad1cf93a2b48bb24d1efb33b49657e2c796f6b0f87df3a90cd

Download Submit
\Users\Admin\AppData\Local\Temp\nbbxugv.exe
Filesize
6.1MB

MD5
00a1a71e26b6b9e3528e6f1d80daff4b

SHA1
111e896d9001fc78774cabde3826d5078ccbd1fd

SHA256
a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e

SHA512
1b5ea6d0f6409b1b4cfba74c0a680c2f67f325b0489388d165449aacac1df4abe54133b1c49db3ad1cf93a2b48bb24d1efb33b49657e2c796f6b0f87df3a90cd

Download Submit
\Users\Admin\AppData\Local\Temp\qdcmsxh.exe
Filesize
6.1MB

MD5
00a1a71e26b6b9e3528e6f1d80daff4b

SHA1
111e896d9001fc78774cabde3826d5078ccbd1fd

SHA256
a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e

SHA512
1b5ea6d0f6409b1b4cfba74c0a680c2f67f325b0489388d165449aacac1df4abe54133b1c49db3ad1cf93a2b48bb24d1efb33b49657e2c796f6b0f87df3a90cd

Download Submit
\Users\Admin\AppData\Local\Temp\qdcmsxh.exe
Filesize
6.1MB

MD5
00a1a71e26b6b9e3528e6f1d80daff4b

SHA1
111e896d9001fc78774cabde3826d5078ccbd1fd

SHA256
a07ef7ef6464a773bfce163273cc770c726da9307661cb826c8fe3a566b2fe7e

SHA512
1b5ea6d0f6409b1b4cfba74c0a680c2f67f325b0489388d165449aacac1df4abe54133b1c49db3ad1cf93a2b48bb24d1efb33b49657e2c796f6b0f87df3a90cd

Download Submit
\Users\Admin\AppData\Local\Temp\~bantrnd.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
\Users\Admin\AppData\Local\Temp\~bantrnd.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
\Users\Admin\AppData\Local\Temp\~bantrnd.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
\Users\Admin\AppData\Local\Temp\~bantrnd.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
\Users\Admin\AppData\Local\Temp\~bantrnd.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
\Users\Admin\AppData\Local\Temp\~bantrnd.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
memory/912-89-0x00000000008C0000-0x000000000151C000-memory.dmp

Filesize
12.4MB

Download
memory/912-114-0x00000000008C0000-0x000000000151C000-memory.dmp

Filesize
12.4MB

Download
memory/1708-214-0x00000000003A0000-0x0000000000FFC000-memory.dmp

Filesize
12.4MB

Download
memory/1708-126-0x00000000003A0000-0x0000000000FFC000-memory.dmp

Filesize
12.4MB

Download
memory/1708-147-0x00000000003A0000-0x0000000000FFC000-memory.dmp

Filesize
12.4MB

Download
memory/1936-69-0x0000000000CB0000-0x000000000190C000-memory.dmp

Filesize
12.4MB

Download
memory/1936-109-0x0000000000CB0000-0x000000000190C000-memory.dmp

Filesize
12.4MB

Download
memory/2044-88-0x00000000097C0000-0x000000000A41C000-memory.dmp

Filesize
12.4MB

Download
memory/2044-148-0x00000000097C0000-0x000000000A41C000-memory.dmp

Filesize
12.4MB

Download
memory/2044-144-0x0000000006410000-0x000000000706C000-memory.dmp

Filesize
12.4MB

Download
memory/2044-141-0x0000000000CB0000-0x000000000190C000-memory.dmp

Filesize
12.4MB

Download
memory/2044-140-0x0000000000CB0000-0x000000000190C000-memory.dmp

Filesize
12.4MB

Download
memory/2044-125-0x00000000097C0000-0x000000000A41C000-memory.dmp

Filesize
12.4MB

Download
memory/2044-124-0x00000000097C0000-0x000000000A41C000-memory.dmp

Filesize
12.4MB

Download
memory/2044-215-0x0000000000CB0000-0x000000000190C000-memory.dmp

Filesize
12.4MB

Download
memory/2044-106-0x0000000000CB0000-0x000000000190C000-memory.dmp

Filesize
12.4MB

Download
memory/2044-60-0x0000000000CB0000-0x000000000190C000-memory.dmp

Filesize
12.4MB

Download
memory/2044-87-0x00000000097C0000-0x000000000A41C000-memory.dmp

Filesize
12.4MB

Download
memory/2044-68-0x0000000006410000-0x000000000706C000-memory.dmp

Filesize
12.4MB

Download
memory/2044-233-0x0000000000CB0000-0x000000000190C000-memory.dmp

Filesize
12.4MB

Download