ee320fdb489f569b02dc934f9e5a12e66a031b3c2a4956d1b29fc4a3f3ab92ba

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16-03-2023 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fb826ea46d4e61c979ad83cf0dd684f.exe
Size

1.1MB
MD5

8fb826ea46d4e61c979ad83cf0dd684f
SHA1

b0f417beea49fec51bb57912f9e719b4d708b22e
SHA256

ee320fdb489f569b02dc934f9e5a12e66a031b3c2a4956d1b29fc4a3f3ab92ba
SHA512

77b2923479a737b315d003e222bfcf0bf4d7cdc843d3ab7654c9ba87a48d34c53803d0ba18d756c9febacd0916f3f410d0d8372a51418d9b8ad2247c0f86d9d5
SSDEEP

24576:W+pA7U7VqM/qVNN1zJaFWJLiuz6B/7wP4QKaYxl2e/:LB7Vq7VTVJac+zB/MPdExl2e/

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\msconfig32\\msconfig32.exe"	reg.exe

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\lsoss32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\lsoss32.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\msconfig32\msconfig32.exe = "C:\\Windows\\msconfig32\\msconfig32.exe:*:Enabled:Windows Messanger"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	msconfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\winupdt32 = "C:\\Users\\Admin\\AppData\\Roaming\\lsoss32.exe"	msconfig32.exe

Executes dropped EXE 3 IoCs

pid	Process
2012	msconfig32.exe
1304	msconfig32.exe
1064	msconfig32.exe

Loads dropped DLL 4 IoCs

pid	Process
1476	8fb826ea46d4e61c979ad83cf0dd684f.exe
1476	8fb826ea46d4e61c979ad83cf0dd684f.exe
1476	8fb826ea46d4e61c979ad83cf0dd684f.exe
1476	8fb826ea46d4e61c979ad83cf0dd684f.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1476-67-0x0000000000400000-0x00000000007D4000-memory.dmp	upx
behavioral1/files/0x000700000001276d-136.dat	upx
behavioral1/files/0x000700000001276d-137.dat	upx
behavioral1/files/0x000700000001276d-141.dat	upx
behavioral1/files/0x000700000001276d-146.dat	upx
behavioral1/files/0x000700000001276d-144.dat	upx
behavioral1/files/0x000700000001276d-148.dat	upx
behavioral1/memory/1476-149-0x0000000000400000-0x00000000007D4000-memory.dmp	upx
behavioral1/memory/2012-152-0x0000000000400000-0x00000000007D4000-memory.dmp	upx
behavioral1/files/0x000700000001276d-155.dat	upx
behavioral1/memory/1064-159-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/files/0x000700000001276d-162.dat	upx
behavioral1/memory/2012-164-0x0000000000400000-0x00000000007D4000-memory.dmp	upx
behavioral1/memory/1064-165-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/1064-167-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/files/0x000700000001276d-171.dat	upx
behavioral1/memory/1064-175-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig32 = "C:\\Windows\\msconfig32\\msconfig32.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	msconfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winupdt32 = "C:\\Users\\Admin\\AppData\\Roaming\\lsoss32.exe"	msconfig32.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	msconfig32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdt32 = "C:\\Users\\Admin\\AppData\\Roaming\\lsoss32.exe"	msconfig32.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\msconfig32 = "C:\\Windows\\msconfig32\\msconfig32.exe"	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 1304	2012	msconfig32.exe	41
PID 2012 set thread context of 1064	2012	msconfig32.exe	42

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\msconfig32\msconfig32.txt	8fb826ea46d4e61c979ad83cf0dd684f.exe
File opened for modification	C:\Windows\msconfig32\msconfig32.txt	8fb826ea46d4e61c979ad83cf0dd684f.exe
File created	C:\Windows\msconfig32\msconfig32.exe	8fb826ea46d4e61c979ad83cf0dd684f.exe
File opened for modification	C:\Windows\msconfig32\msconfig32.exe	msconfig32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
840	reg.exe
2040	reg.exe
924	reg.exe
564	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	1304	msconfig32.exe
Token: SeCreateTokenPrivilege	1304	msconfig32.exe
Token: SeAssignPrimaryTokenPrivilege	1304	msconfig32.exe
Token: SeLockMemoryPrivilege	1304	msconfig32.exe
Token: SeIncreaseQuotaPrivilege	1304	msconfig32.exe
Token: SeMachineAccountPrivilege	1304	msconfig32.exe
Token: SeTcbPrivilege	1304	msconfig32.exe
Token: SeSecurityPrivilege	1304	msconfig32.exe
Token: SeTakeOwnershipPrivilege	1304	msconfig32.exe
Token: SeLoadDriverPrivilege	1304	msconfig32.exe
Token: SeSystemProfilePrivilege	1304	msconfig32.exe
Token: SeSystemtimePrivilege	1304	msconfig32.exe
Token: SeProfSingleProcessPrivilege	1304	msconfig32.exe
Token: SeIncBasePriorityPrivilege	1304	msconfig32.exe
Token: SeCreatePagefilePrivilege	1304	msconfig32.exe
Token: SeCreatePermanentPrivilege	1304	msconfig32.exe
Token: SeBackupPrivilege	1304	msconfig32.exe
Token: SeRestorePrivilege	1304	msconfig32.exe
Token: SeShutdownPrivilege	1304	msconfig32.exe
Token: SeDebugPrivilege	1304	msconfig32.exe
Token: SeAuditPrivilege	1304	msconfig32.exe
Token: SeSystemEnvironmentPrivilege	1304	msconfig32.exe
Token: SeChangeNotifyPrivilege	1304	msconfig32.exe
Token: SeRemoteShutdownPrivilege	1304	msconfig32.exe
Token: SeUndockPrivilege	1304	msconfig32.exe
Token: SeSyncAgentPrivilege	1304	msconfig32.exe
Token: SeEnableDelegationPrivilege	1304	msconfig32.exe
Token: SeManageVolumePrivilege	1304	msconfig32.exe
Token: SeImpersonatePrivilege	1304	msconfig32.exe
Token: SeCreateGlobalPrivilege	1304	msconfig32.exe
Token: 31	1304	msconfig32.exe
Token: 32	1304	msconfig32.exe
Token: 33	1304	msconfig32.exe
Token: 34	1304	msconfig32.exe
Token: 35	1304	msconfig32.exe
Token: SeDebugPrivilege	1064	msconfig32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1476	8fb826ea46d4e61c979ad83cf0dd684f.exe
2012	msconfig32.exe
1304	msconfig32.exe
1304	msconfig32.exe
1064	msconfig32.exe
1304	msconfig32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2040	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	27
PID 1476 wrote to memory of 2040	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	27
PID 1476 wrote to memory of 2040	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	27
PID 1476 wrote to memory of 2040	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	27
PID 2040 wrote to memory of 672	2040	cmd.exe	29
PID 2040 wrote to memory of 672	2040	cmd.exe	29
PID 2040 wrote to memory of 672	2040	cmd.exe	29
PID 2040 wrote to memory of 672	2040	cmd.exe	29
PID 2040 wrote to memory of 2020	2040	cmd.exe	30
PID 2040 wrote to memory of 2020	2040	cmd.exe	30
PID 2040 wrote to memory of 2020	2040	cmd.exe	30
PID 2040 wrote to memory of 2020	2040	cmd.exe	30
PID 1476 wrote to memory of 1400	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	31
PID 1476 wrote to memory of 1400	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	31
PID 1476 wrote to memory of 1400	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	31
PID 1476 wrote to memory of 1400	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	31
PID 1400 wrote to memory of 1640	1400	cmd.exe	33
PID 1400 wrote to memory of 1640	1400	cmd.exe	33
PID 1400 wrote to memory of 1640	1400	cmd.exe	33
PID 1400 wrote to memory of 1640	1400	cmd.exe	33
PID 1476 wrote to memory of 848	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	34
PID 1476 wrote to memory of 848	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	34
PID 1476 wrote to memory of 848	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	34
PID 1476 wrote to memory of 848	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	34
PID 848 wrote to memory of 1920	848	cmd.exe	36
PID 848 wrote to memory of 1920	848	cmd.exe	36
PID 848 wrote to memory of 1920	848	cmd.exe	36
PID 848 wrote to memory of 1920	848	cmd.exe	36
PID 1476 wrote to memory of 1964	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	37
PID 1476 wrote to memory of 1964	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	37
PID 1476 wrote to memory of 1964	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	37
PID 1476 wrote to memory of 1964	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	37
PID 1964 wrote to memory of 1040	1964	cmd.exe	39
PID 1964 wrote to memory of 1040	1964	cmd.exe	39
PID 1964 wrote to memory of 1040	1964	cmd.exe	39
PID 1964 wrote to memory of 1040	1964	cmd.exe	39
PID 1476 wrote to memory of 2012	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	40
PID 1476 wrote to memory of 2012	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	40
PID 1476 wrote to memory of 2012	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	40
PID 1476 wrote to memory of 2012	1476	8fb826ea46d4e61c979ad83cf0dd684f.exe	40
PID 2012 wrote to memory of 1304	2012	msconfig32.exe	41
PID 2012 wrote to memory of 1304	2012	msconfig32.exe	41
PID 2012 wrote to memory of 1304	2012	msconfig32.exe	41
PID 2012 wrote to memory of 1304	2012	msconfig32.exe	41
PID 2012 wrote to memory of 1304	2012	msconfig32.exe	41
PID 2012 wrote to memory of 1304	2012	msconfig32.exe	41
PID 2012 wrote to memory of 1304	2012	msconfig32.exe	41
PID 2012 wrote to memory of 1304	2012	msconfig32.exe	41
PID 2012 wrote to memory of 1304	2012	msconfig32.exe	41
PID 2012 wrote to memory of 1064	2012	msconfig32.exe	42
PID 2012 wrote to memory of 1064	2012	msconfig32.exe	42
PID 2012 wrote to memory of 1064	2012	msconfig32.exe	42
PID 2012 wrote to memory of 1064	2012	msconfig32.exe	42
PID 2012 wrote to memory of 1064	2012	msconfig32.exe	42
PID 2012 wrote to memory of 1064	2012	msconfig32.exe	42
PID 2012 wrote to memory of 1064	2012	msconfig32.exe	42
PID 2012 wrote to memory of 1064	2012	msconfig32.exe	42
PID 2012 wrote to memory of 1064	2012	msconfig32.exe	42
PID 1304 wrote to memory of 756	1304	msconfig32.exe	43
PID 1304 wrote to memory of 756	1304	msconfig32.exe	43
PID 1304 wrote to memory of 756	1304	msconfig32.exe	43
PID 1304 wrote to memory of 756	1304	msconfig32.exe	43
PID 1304 wrote to memory of 752	1304	msconfig32.exe	44
PID 1304 wrote to memory of 752	1304	msconfig32.exe	44

C:\Users\Admin\AppData\Local\Temp\8fb826ea46d4e61c979ad83cf0dd684f.exe
"C:\Users\Admin\AppData\Local\Temp\8fb826ea46d4e61c979ad83cf0dd684f.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DRESJH.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center /v UACDisableNotify /t REG_DWORD /d 0 /f
    3⤵
    PID:672
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\OBXwo.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "msconfig32" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\uTsry.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "msconfig32" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Pfyia.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "Explorer.exe, C:\Windows\msconfig32\msconfig32.exe" /f
    3⤵
    - Modifies WinLogon for persistence
    PID:1040
- C:\Windows\msconfig32\msconfig32.exe
  "C:\Windows\msconfig32\msconfig32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\msconfig32\msconfig32.exe
    C:\Windows\msconfig32\msconfig32.exe
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      PID:756
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:840
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\msconfig32\msconfig32.exe" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe:*:Enabled:Windows Messanger" /f
      4⤵
      PID:752
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\msconfig32\msconfig32.exe" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      PID:648
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lsoss32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lsoss32.exe:*:Enabled:Windows Messanger" /f
      4⤵
      PID:672
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lsoss32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lsoss32.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:564
- - C:\Windows\msconfig32\msconfig32.exe
    C:\Windows\msconfig32\msconfig32.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DRESJH.bat

Filesize
255B

MD5
180e420d8578c4341546b0f2676f52c5

SHA1
3683c541fe1ad96c37fcfa91f3d819f2c43ccf84

SHA256
27bad6b003d19c5063cfc49ee5828c5ebb82659ee5c89ed2df20ae1c4917ba28

SHA512
5bbcdd40178a399dd4e879e39328824c47edc39a040b7d1eed90368bbdab0d51d9cb187357cc3a223ed22086ff650c10f3841fc9bb50469eb9a72ca343c77ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRESJH.bat

Filesize
255B

MD5
180e420d8578c4341546b0f2676f52c5

SHA1
3683c541fe1ad96c37fcfa91f3d819f2c43ccf84

SHA256
27bad6b003d19c5063cfc49ee5828c5ebb82659ee5c89ed2df20ae1c4917ba28

SHA512
5bbcdd40178a399dd4e879e39328824c47edc39a040b7d1eed90368bbdab0d51d9cb187357cc3a223ed22086ff650c10f3841fc9bb50469eb9a72ca343c77ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OBXwo.bat

Filesize
133B

MD5
4e99d945ca61ed0b261a73d985f5420e

SHA1
ce08b5c3939572703ae753bfa72c0224400d7bb2

SHA256
ddcc7514a0ca6c4c261d55a5c818136cb6035676d1a56dbb224734c5db1a3064

SHA512
988b5bab81311ca5efd773fdd8c872173b42bebce79467615c7ad5ffdb3a0f670300b1d39ab86f62b2a6bea2aa140abfaca211b2c868c4a412a6d5a4c4a8fb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OBXwo.bat

Filesize
133B

MD5
4e99d945ca61ed0b261a73d985f5420e

SHA1
ce08b5c3939572703ae753bfa72c0224400d7bb2

SHA256
ddcc7514a0ca6c4c261d55a5c818136cb6035676d1a56dbb224734c5db1a3064

SHA512
988b5bab81311ca5efd773fdd8c872173b42bebce79467615c7ad5ffdb3a0f670300b1d39ab86f62b2a6bea2aa140abfaca211b2c868c4a412a6d5a4c4a8fb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pfyia.bat

Filesize
164B

MD5
0af5f35091719d8ee61893a158b66625

SHA1
1f81728601f8714bfa7e2ca92f9d6a8f6aa89700

SHA256
ceac3aee5e97d760c72b18d62c3dfc7d73904366e230c2362c49e8ed700d46f9

SHA512
f01c7ecbb9682c2469628f7d1c7e38891b1b9352a27eed50e3597b281fc136f18a6deb4ca04843f632cce295dd8f194ff8c37d31d7167a7a25734d0789bf9baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pfyia.bat

Filesize
164B

MD5
0af5f35091719d8ee61893a158b66625

SHA1
1f81728601f8714bfa7e2ca92f9d6a8f6aa89700

SHA256
ceac3aee5e97d760c72b18d62c3dfc7d73904366e230c2362c49e8ed700d46f9

SHA512
f01c7ecbb9682c2469628f7d1c7e38891b1b9352a27eed50e3597b281fc136f18a6deb4ca04843f632cce295dd8f194ff8c37d31d7167a7a25734d0789bf9baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\uTsry.bat

Filesize
133B

MD5
5c5f6bd3f5ab15437a8d5a452f236cc7

SHA1
43dc4c4bcee42f7975f0027e2734c57115e5d7ce

SHA256
8f96e1c2750dc729faf255eb4df3f1e501d3394d8043f69dc56036a03b9ed947

SHA512
eed35f38654e1c5b4c1ea010f93d6be03250b77bd0e6f79ce12aaaa7333b9346afbd328f4de21e3fa6948d252cb9203a8bd103e0058c129d3130e7399e18b08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uTsry.bat

Filesize
133B

MD5
5c5f6bd3f5ab15437a8d5a452f236cc7

SHA1
43dc4c4bcee42f7975f0027e2734c57115e5d7ce

SHA256
8f96e1c2750dc729faf255eb4df3f1e501d3394d8043f69dc56036a03b9ed947

SHA512
eed35f38654e1c5b4c1ea010f93d6be03250b77bd0e6f79ce12aaaa7333b9346afbd328f4de21e3fa6948d252cb9203a8bd103e0058c129d3130e7399e18b08f

Download Submit
C:\Windows\msconfig32\msconfig32.exe

Filesize
1.1MB

MD5
1718c82cccfca4df051b2786e17ba893

SHA1
c115db6257caf357fed91a69949bfa11bc4ae7d1

SHA256
5598ac0322f2c778a6c338d5571e41d2d76c34d06fa5424090e8ba25745b000c

SHA512
550f59aca0150fbc3e9c6076c5628c16825d18cf9e4b1aa700b29755a39400d58c2aefcef6d6cd4dd39972e04d058456c3c57bc1e61ec6c4c9355eeacd5a6e31

Download Submit
C:\Windows\msconfig32\msconfig32.exe

Filesize
1.1MB

MD5
1718c82cccfca4df051b2786e17ba893

SHA1
c115db6257caf357fed91a69949bfa11bc4ae7d1

SHA256
5598ac0322f2c778a6c338d5571e41d2d76c34d06fa5424090e8ba25745b000c

SHA512
550f59aca0150fbc3e9c6076c5628c16825d18cf9e4b1aa700b29755a39400d58c2aefcef6d6cd4dd39972e04d058456c3c57bc1e61ec6c4c9355eeacd5a6e31

Download Submit
C:\Windows\msconfig32\msconfig32.exe

Filesize
1.1MB

MD5
1718c82cccfca4df051b2786e17ba893

SHA1
c115db6257caf357fed91a69949bfa11bc4ae7d1

SHA256
5598ac0322f2c778a6c338d5571e41d2d76c34d06fa5424090e8ba25745b000c

SHA512
550f59aca0150fbc3e9c6076c5628c16825d18cf9e4b1aa700b29755a39400d58c2aefcef6d6cd4dd39972e04d058456c3c57bc1e61ec6c4c9355eeacd5a6e31

Download Submit
C:\Windows\msconfig32\msconfig32.exe

Filesize
1.1MB

MD5
1718c82cccfca4df051b2786e17ba893

SHA1
c115db6257caf357fed91a69949bfa11bc4ae7d1

SHA256
5598ac0322f2c778a6c338d5571e41d2d76c34d06fa5424090e8ba25745b000c

SHA512
550f59aca0150fbc3e9c6076c5628c16825d18cf9e4b1aa700b29755a39400d58c2aefcef6d6cd4dd39972e04d058456c3c57bc1e61ec6c4c9355eeacd5a6e31

Download Submit
C:\Windows\msconfig32\msconfig32.exe

Filesize
1.1MB

MD5
1718c82cccfca4df051b2786e17ba893

SHA1
c115db6257caf357fed91a69949bfa11bc4ae7d1

SHA256
5598ac0322f2c778a6c338d5571e41d2d76c34d06fa5424090e8ba25745b000c

SHA512
550f59aca0150fbc3e9c6076c5628c16825d18cf9e4b1aa700b29755a39400d58c2aefcef6d6cd4dd39972e04d058456c3c57bc1e61ec6c4c9355eeacd5a6e31

Download Submit
\Windows\msconfig32\msconfig32.exe

Filesize
1.1MB

MD5
1718c82cccfca4df051b2786e17ba893

SHA1
c115db6257caf357fed91a69949bfa11bc4ae7d1

SHA256
5598ac0322f2c778a6c338d5571e41d2d76c34d06fa5424090e8ba25745b000c

SHA512
550f59aca0150fbc3e9c6076c5628c16825d18cf9e4b1aa700b29755a39400d58c2aefcef6d6cd4dd39972e04d058456c3c57bc1e61ec6c4c9355eeacd5a6e31

Download Submit
\Windows\msconfig32\msconfig32.exe

Filesize
1.1MB

MD5
1718c82cccfca4df051b2786e17ba893

SHA1
c115db6257caf357fed91a69949bfa11bc4ae7d1

SHA256
5598ac0322f2c778a6c338d5571e41d2d76c34d06fa5424090e8ba25745b000c

SHA512
550f59aca0150fbc3e9c6076c5628c16825d18cf9e4b1aa700b29755a39400d58c2aefcef6d6cd4dd39972e04d058456c3c57bc1e61ec6c4c9355eeacd5a6e31

Download Submit
\Windows\msconfig32\msconfig32.exe

Filesize
1.1MB

MD5
1718c82cccfca4df051b2786e17ba893

SHA1
c115db6257caf357fed91a69949bfa11bc4ae7d1

SHA256
5598ac0322f2c778a6c338d5571e41d2d76c34d06fa5424090e8ba25745b000c

SHA512
550f59aca0150fbc3e9c6076c5628c16825d18cf9e4b1aa700b29755a39400d58c2aefcef6d6cd4dd39972e04d058456c3c57bc1e61ec6c4c9355eeacd5a6e31

Download Submit
\Windows\msconfig32\msconfig32.exe

Filesize
1.1MB

MD5
1718c82cccfca4df051b2786e17ba893

SHA1
c115db6257caf357fed91a69949bfa11bc4ae7d1

SHA256
5598ac0322f2c778a6c338d5571e41d2d76c34d06fa5424090e8ba25745b000c

SHA512
550f59aca0150fbc3e9c6076c5628c16825d18cf9e4b1aa700b29755a39400d58c2aefcef6d6cd4dd39972e04d058456c3c57bc1e61ec6c4c9355eeacd5a6e31

Download Submit
memory/1064-175-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1064-165-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1064-159-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1064-167-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1304-176-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1304-189-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1304-203-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1304-169-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1304-200-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1304-198-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1304-174-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1304-154-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1304-177-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1304-179-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1304-182-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1304-184-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1304-186-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1304-196-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1304-191-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1304-193-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1476-149-0x0000000000400000-0x00000000007D4000-memory.dmp

Filesize
3.8MB

Download
memory/1476-67-0x0000000000400000-0x00000000007D4000-memory.dmp

Filesize
3.8MB

Download
memory/2012-164-0x0000000000400000-0x00000000007D4000-memory.dmp

Filesize
3.8MB

Download
memory/2012-152-0x0000000000400000-0x00000000007D4000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads