Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
153s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
04/11/2023, 20:51
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe
Resource
win7-20231023-en
General
-
Target
NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe
-
Size
198KB
-
MD5
000eecf4a8e2d22481e515a215ae0c40
-
SHA1
9685ff6beb409e38ae909a8bf8b177e9e66a7038
-
SHA256
5bfd8bcdd2c1c8eba547526e2593c53e7b66fecf98439a062a7c241be24e8e93
-
SHA512
49a2abfd40e732df68bf08f34d218edc1e728133512e0395bd96f17d3845cf041a96db0bd9a04b5371e4f0450656ac014ae70e6cc1518657dc1fbac7878cdcd6
-
SSDEEP
1536:QMcdBvnPrNQKpxLwW/diJ+ZNikxEYCkAqoYTMCuBFgfav633KhpsO:6vhDLZ/sJ+ukxhCaTNS6
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 18 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" 1AE009.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile 1AE009.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications 1AE009.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\39EB0E4C58B56721\1AE009.exe = "C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe:*:Enabled:@xpsp2res.dll,-70554750" 1AE009.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List 1AE009.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile 1AE009.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications 1AE009.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\39EB0E4C58B56721\1AE009.exe = "C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe:*:Enabled:@xpsp2res.dll,-57951861" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\39EB0E4C58B56721\1AE009.exe = "C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe:*:Enabled:@xpsp2res.dll,-28956246" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 1AE009.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile 1AE009.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 1AE009.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List 1AE009.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\39EB0E4C58B56721\1AE009.exe = "C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe:*:Enabled:@xpsp2res.dll,-53342401" 1AE009.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List 1AE009.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications 1AE009.exe -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" 1AE009.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" 1AE009.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 1AE009.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" 1AE009.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 1AE009.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 1AE009.exe -
Disables Task Manager via registry modification
-
Disables taskbar notifications via registry modification
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts 1AE009.exe -
Sets file execution options in registry 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tftpd.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsecomr.exe 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\efinet32.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\proport.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\efinet32.exe 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\findviru.exe 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiaudit.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ewido.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explored.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavcl.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalarm.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwsc.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monwow.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neowatchlog.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nupdate.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wimmun32.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\panixk.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ping.exe 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ants.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpupd.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iamapp.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmoon.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htlog.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msblast.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardhlp.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCEL.EXE 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrl-421-en-win.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntrtscan.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ostronet.exe 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleaner3.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luau.exe 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellspyinstall.exe 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srwatch.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmon.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taumon.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcm.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpm.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanh95.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winservices.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Restart.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HostsChk.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\watchdog.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wingate.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wyvernworksfirewall.exe 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luspt.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectx.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalarm.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Process.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sofi.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supporter5.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fslaunch.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jed.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pingscan.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trjsetup.exe 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon.exe 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds2.exe\Debugger = "\"C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallSettings.exe 1AE009.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe 1AE009.exe -
Executes dropped EXE 2 IoCs
pid Process 3000 1AE009.exe 5112 1AE009.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/2176-2-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral2/memory/2176-4-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral2/memory/2176-6-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral2/memory/2176-19-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral2/memory/5112-25-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral2/memory/5112-1249-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral2/memory/5112-1890-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral2/memory/5112-1910-0x0000000000400000-0x0000000000447000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 1AE009.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254003743208BA6735D23877EED = "C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\39EB0E4C58B56721\\1AE009.exe" 1AE009.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1AE009.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3744 set thread context of 2176 3744 NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe 91 PID 3000 set thread context of 5112 3000 1AE009.exe 94 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\Sound 1AE009.exe Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\Sound\Beep = "no" 1AE009.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" 1AE009.exe Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://13810ow25fm92wl.directorio-w.com" 1AE009.exe Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://b39ri66d6472f0u.directorio-w.com" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://q1es201d2p0499d.directorio-w.com" 1AE009.exe Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://5fk0z88ut14kiw4.directorio-w.com" 1AE009.exe Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\Download 1AE009.exe Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://su8400o7754s4n8.directorio-w.com" 1AE009.exe Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://333a671dvcy2c6k.directorio-w.com" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://02ze1rlex2y99rg.directorio-w.com" 1AE009.exe Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" 1AE009.exe Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\Main 1AE009.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://268dkpf205e6tqn.directorio-w.com" 1AE009.exe Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" 1AE009.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://8afml5sx957g7to.directorio-w.com" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://5i0s8t958la20zf.directorio-w.com" 1AE009.exe -
Modifies registry class 24 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open 1AE009.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec 1AE009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" 1AE009.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 5112 1AE009.exe 5112 1AE009.exe 5112 1AE009.exe 5112 1AE009.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeBackupPrivilege 5112 1AE009.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 3744 NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe 2176 NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe 3000 1AE009.exe 5112 1AE009.exe 5112 1AE009.exe 5112 1AE009.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 3744 wrote to memory of 2176 3744 NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe 91 PID 3744 wrote to memory of 2176 3744 NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe 91 PID 3744 wrote to memory of 2176 3744 NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe 91 PID 3744 wrote to memory of 2176 3744 NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe 91 PID 3744 wrote to memory of 2176 3744 NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe 91 PID 3744 wrote to memory of 2176 3744 NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe 91 PID 3744 wrote to memory of 2176 3744 NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe 91 PID 3744 wrote to memory of 2176 3744 NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe 91 PID 2176 wrote to memory of 3000 2176 NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe 93 PID 2176 wrote to memory of 3000 2176 NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe 93 PID 2176 wrote to memory of 3000 2176 NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe 93 PID 3000 wrote to memory of 5112 3000 1AE009.exe 94 PID 3000 wrote to memory of 5112 3000 1AE009.exe 94 PID 3000 wrote to memory of 5112 3000 1AE009.exe 94 PID 3000 wrote to memory of 5112 3000 1AE009.exe 94 PID 3000 wrote to memory of 5112 3000 1AE009.exe 94 PID 3000 wrote to memory of 5112 3000 1AE009.exe 94 PID 3000 wrote to memory of 5112 3000 1AE009.exe 94 PID 3000 wrote to memory of 5112 3000 1AE009.exe 94 -
System policy modification 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" 1AE009.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 1AE009.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Users\Admin\AppData\Local\Temp\NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.000eecf4a8e2d22481e515a215ae0c40_JC.exe"2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Users\Admin\39EB0E4C58B56721\1AE009.exe"C:\Users\Admin\39EB0E4C58B56721\1AE009.exe" 8BC658293⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Users\Admin\39EB0E4C58B56721\1AE009.exe"C:\Users\Admin\39EB0E4C58B56721\1AE009.exe"4⤵
- Modifies firewall policy service
- Modifies security service
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:5112
-
-
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:5064
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
198KB
MD5000eecf4a8e2d22481e515a215ae0c40
SHA19685ff6beb409e38ae909a8bf8b177e9e66a7038
SHA2565bfd8bcdd2c1c8eba547526e2593c53e7b66fecf98439a062a7c241be24e8e93
SHA51249a2abfd40e732df68bf08f34d218edc1e728133512e0395bd96f17d3845cf041a96db0bd9a04b5371e4f0450656ac014ae70e6cc1518657dc1fbac7878cdcd6
-
Filesize
198KB
MD5000eecf4a8e2d22481e515a215ae0c40
SHA19685ff6beb409e38ae909a8bf8b177e9e66a7038
SHA2565bfd8bcdd2c1c8eba547526e2593c53e7b66fecf98439a062a7c241be24e8e93
SHA51249a2abfd40e732df68bf08f34d218edc1e728133512e0395bd96f17d3845cf041a96db0bd9a04b5371e4f0450656ac014ae70e6cc1518657dc1fbac7878cdcd6
-
Filesize
198KB
MD5000eecf4a8e2d22481e515a215ae0c40
SHA19685ff6beb409e38ae909a8bf8b177e9e66a7038
SHA2565bfd8bcdd2c1c8eba547526e2593c53e7b66fecf98439a062a7c241be24e8e93
SHA51249a2abfd40e732df68bf08f34d218edc1e728133512e0395bd96f17d3845cf041a96db0bd9a04b5371e4f0450656ac014ae70e6cc1518657dc1fbac7878cdcd6
-
Filesize
198KB
MD5000eecf4a8e2d22481e515a215ae0c40
SHA19685ff6beb409e38ae909a8bf8b177e9e66a7038
SHA2565bfd8bcdd2c1c8eba547526e2593c53e7b66fecf98439a062a7c241be24e8e93
SHA51249a2abfd40e732df68bf08f34d218edc1e728133512e0395bd96f17d3845cf041a96db0bd9a04b5371e4f0450656ac014ae70e6cc1518657dc1fbac7878cdcd6
-
Filesize
2KB
MD5f4fe1cb77e758e1ba56b8a8ec20417c5
SHA1f4eda06901edb98633a686b11d02f4925f827bf0
SHA2568d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
SHA51262514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436
-
Filesize
4KB
MD5d65ec06f21c379c87040b83cc1abac6b
SHA1208d0a0bb775661758394be7e4afb18357e46c8b
SHA256a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f
SHA5128a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e