d567c094f9edb7b64d89bc9d2b0e55a3832a41e6e37df15453d7b75da08b3b8b

Analysis

max time kernel
148s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 02:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0bb6820a207ca3b8b1b27b431a5d1d01.exe
Size

304KB
MD5

0bb6820a207ca3b8b1b27b431a5d1d01
SHA1

831e6f2881174b6a17ffad990b7cee3aa62a462f
SHA256

d567c094f9edb7b64d89bc9d2b0e55a3832a41e6e37df15453d7b75da08b3b8b
SHA512

25e5bc7dd6cb08ad0e22868aa31f48a4bdcc917dc4020510bfdacc4f64e92c1f6dfd7d167d41a0fbf04c7ed8d0d67270fc544014cda6ec5e9abee0252936eafd
SSDEEP

1536:dxxEwxUuYgqyyAR8bInT7egSbT4E3CWl3+IZIo+bq:jx9xR3qG8bIT7AYSCWHZA

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\IcePoint.exe = "C:\\Windows\\IcePoint.exe"	0bb6820a207ca3b8b1b27b431a5d1d01.exe

Deletes itself 1 IoCs

pid	Process
2128	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2880	IcePoint.exe

Loads dropped DLL 5 IoCs

pid	Process
2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe
2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe
2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe
2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe
2880	IcePoint.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	Rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	0bb6820a207ca3b8b1b27b431a5d1d01.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	Rundll32.exe
File opened for modification	C:\Windows\IPdriver.exe	0bb6820a207ca3b8b1b27b431a5d1d01.exe
File created	C:\Windows\IcePoint.exe	0bb6820a207ca3b8b1b27b431a5d1d01.exe
File opened for modification	C:\Windows\IcePoint.exe	0bb6820a207ca3b8b1b27b431a5d1d01.exe
File created	C:\Windows\IcePoint.exe	IcePoint.exe
File opened for modification	C:\Windows\IcePoint.exe	IcePoint.exe
File created	C:\Windows\driver.inf	0bb6820a207ca3b8b1b27b431a5d1d01.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2580	sc.exe
2152	sc.exe
1532	sc.exe
3060	sc.exe
2640	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0 (SP6)"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0 (SP6)"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0 (SP6)"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	0bb6820a207ca3b8b1b27b431a5d1d01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	0bb6820a207ca3b8b1b27b431a5d1d01.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2680	Rundll32.exe
Token: SeRestorePrivilege	2680	Rundll32.exe
Token: SeRestorePrivilege	2680	Rundll32.exe
Token: SeRestorePrivilege	2680	Rundll32.exe
Token: SeRestorePrivilege	2680	Rundll32.exe
Token: SeRestorePrivilege	2680	Rundll32.exe
Token: SeRestorePrivilege	2680	Rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe
2880	IcePoint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2880	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	28
PID 2420 wrote to memory of 2880	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	28
PID 2420 wrote to memory of 2880	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	28
PID 2420 wrote to memory of 2880	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	28
PID 2420 wrote to memory of 2128	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	29
PID 2420 wrote to memory of 2128	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	29
PID 2420 wrote to memory of 2128	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	29
PID 2420 wrote to memory of 2128	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	29
PID 2420 wrote to memory of 2680	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	30
PID 2420 wrote to memory of 2680	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	30
PID 2420 wrote to memory of 2680	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	30
PID 2420 wrote to memory of 2680	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	30
PID 2420 wrote to memory of 2680	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	30
PID 2420 wrote to memory of 2680	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	30
PID 2420 wrote to memory of 2680	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	30
PID 2680 wrote to memory of 2620	2680	Rundll32.exe	32
PID 2680 wrote to memory of 2620	2680	Rundll32.exe	32
PID 2680 wrote to memory of 2620	2680	Rundll32.exe	32
PID 2680 wrote to memory of 2620	2680	Rundll32.exe	32
PID 2420 wrote to memory of 2188	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	59
PID 2420 wrote to memory of 2188	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	59
PID 2420 wrote to memory of 2188	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	59
PID 2420 wrote to memory of 2188	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	59
PID 2420 wrote to memory of 2580	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	58
PID 2420 wrote to memory of 2580	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	58
PID 2420 wrote to memory of 2580	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	58
PID 2420 wrote to memory of 2580	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	58
PID 2420 wrote to memory of 2628	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	57
PID 2420 wrote to memory of 2628	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	57
PID 2420 wrote to memory of 2628	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	57
PID 2420 wrote to memory of 2628	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	57
PID 2420 wrote to memory of 2640	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	56
PID 2420 wrote to memory of 2640	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	56
PID 2420 wrote to memory of 2640	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	56
PID 2420 wrote to memory of 2640	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	56
PID 2420 wrote to memory of 1568	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	55
PID 2420 wrote to memory of 1568	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	55
PID 2420 wrote to memory of 1568	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	55
PID 2420 wrote to memory of 1568	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	55
PID 2420 wrote to memory of 3060	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	54
PID 2420 wrote to memory of 3060	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	54
PID 2420 wrote to memory of 3060	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	54
PID 2420 wrote to memory of 3060	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	54
PID 2420 wrote to memory of 1396	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	53
PID 2420 wrote to memory of 1396	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	53
PID 2420 wrote to memory of 1396	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	53
PID 2420 wrote to memory of 1396	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	53
PID 2420 wrote to memory of 1532	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	52
PID 2420 wrote to memory of 1532	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	52
PID 2420 wrote to memory of 1532	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	52
PID 2420 wrote to memory of 1532	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	52
PID 2420 wrote to memory of 3064	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	44
PID 2420 wrote to memory of 3064	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	44
PID 2420 wrote to memory of 3064	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	44
PID 2420 wrote to memory of 3064	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	44
PID 2420 wrote to memory of 2152	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	42
PID 2420 wrote to memory of 2152	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	42
PID 2420 wrote to memory of 2152	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	42
PID 2420 wrote to memory of 2152	2420	0bb6820a207ca3b8b1b27b431a5d1d01.exe	42
PID 2620 wrote to memory of 2040	2620	runonce.exe	41
PID 2620 wrote to memory of 2040	2620	runonce.exe	41
PID 2620 wrote to memory of 2040	2620	runonce.exe	41
PID 2620 wrote to memory of 2040	2620	runonce.exe	41
PID 2188 wrote to memory of 2928	2188	net.exe	51

C:\Users\Admin\AppData\Local\Temp\0bb6820a207ca3b8b1b27b431a5d1d01.exe
"C:\Users\Admin\AppData\Local\Temp\0bb6820a207ca3b8b1b27b431a5d1d01.exe"
1⤵
- Modifies firewall policy service
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\IcePoint.exe
  C:\Windows\IcePoint.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\kill.bat""
  2⤵
  - Deletes itself
  PID:2128
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Windows\driver.inf
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      PID:2040
- C:\Windows\SysWOW64\sc.exe
  sc config "Automatic Updates" start= DISABLED
  2⤵
  - Launches sc.exe
  PID:2152
- C:\Windows\SysWOW64\net.exe
  net.exe stop "Automatic Updates"
  2⤵
  PID:3064
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Automatic Updates"
    3⤵
    PID:2028
- C:\Windows\SysWOW64\sc.exe
  sc config "TCP/IP NetBIOS Helper" start= DISABLED
  2⤵
  - Launches sc.exe
  PID:1532
- C:\Windows\SysWOW64\net.exe
  net.exe stop "TCP/IP NetBIOS Helper"
  2⤵
  PID:1396
- C:\Windows\SysWOW64\sc.exe
  sc config "System Restore Service" start= DISABLED
  2⤵
  - Launches sc.exe
  PID:3060
- C:\Windows\SysWOW64\net.exe
  net.exe stop "System Restore Service"
  2⤵
  PID:1568
- C:\Windows\SysWOW64\sc.exe
  sc config sharedaccess start= DISABLED
  2⤵
  - Launches sc.exe
  PID:2640
- C:\Windows\SysWOW64\net.exe
  net.exe stop sharedaccess
  2⤵
  PID:2628
- C:\Windows\SysWOW64\sc.exe
  sc config "Windows Firewall/Internet Connection Sharing (ICS)" start= DISABLED
  2⤵
  - Launches sc.exe
  PID:2580
- C:\Windows\SysWOW64\net.exe
  net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TCP/IP NetBIOS Helper"
1⤵
PID:2036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "System Restore Service"
1⤵
PID:280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess
1⤵
PID:1232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
1⤵
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\IcePoint.exe

Filesize
304KB

MD5
0bb6820a207ca3b8b1b27b431a5d1d01

SHA1
831e6f2881174b6a17ffad990b7cee3aa62a462f

SHA256
d567c094f9edb7b64d89bc9d2b0e55a3832a41e6e37df15453d7b75da08b3b8b

SHA512
25e5bc7dd6cb08ad0e22868aa31f48a4bdcc917dc4020510bfdacc4f64e92c1f6dfd7d167d41a0fbf04c7ed8d0d67270fc544014cda6ec5e9abee0252936eafd

Download Submit
C:\Windows\driver.inf

Filesize
335B

MD5
973cbf35c141828af81be552554bd8f3

SHA1
1365fa38657dc45d5ad82f0bdd263cba53990242

SHA256
7402d5d4553d85933de4d184f27512658b101159258252945e3b80a69c064bec

SHA512
3ccfb39213f62e033baac14faa39e3563ba62af341c4fd1dafde188f3e8c35fd2c76e357a23d1cc274f5931d17dbbd4a0faa7496e53e699b4a13a6e27025ebbe

Download Submit
C:\kill.bat

Filesize
190B

MD5
050dc8b580649aee71419fef22bcb5a9

SHA1
0eae59158f2abc5722c9e112fb22d9badbbb94cb

SHA256
92170bdcdb6d0122046d0a1b5982b5feed2b114a1565dc84c7807211f9032187

SHA512
7f9bb43da4a220ca7fdf2b81f9b22b962b3af427a5fc35d636ff64d61e553ed4172f019376354fbf1cf2bc7b9ad2d2da6623b9769e0dd72b5998db8ab763eba3

Download Submit
\Windows\SysWOW64\MSWINSCK.OCX

Filesize
121KB

MD5
e8a2190a9e8ee5e5d2e0b599bbf9dda6

SHA1
4e97bf9519c83835da9db309e61ec87ddf165167

SHA256
80ab0b86de58a657956b2a293bd9957f78e37e7383c86d6cd142208c153b6311

SHA512
57f8473eedaf7e8aad3b5bcbb16d373fd6aaec290c3230033fc50b5ec220e93520b8915c936e758bb19107429a49965516425350e012f8db0de6d4f6226b42ee

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads