f3d9f86ad6edd9e597c39fc1542b81b1297e98d80148ca6e448dd3bdd08bf8b6

Analysis

max time kernel
144s
max time network
130s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-01-2024 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4015be0e49c809a29e861b509467854f.exe
Size

4.3MB
MD5

4015be0e49c809a29e861b509467854f
SHA1

ae005b39667c0b51c329de64702e4852d0f89643
SHA256

f3d9f86ad6edd9e597c39fc1542b81b1297e98d80148ca6e448dd3bdd08bf8b6
SHA512

a3116d07109dfc5372b5c468ec2c8af2af0e5f77cb27d6c9a30acb611b371710df2426d8793bf98958a66ed9134ccca6f8be73f4b72adb77423ffc03767c8055
SSDEEP

98304:Mmb0qw6nTOV1Q3BmBNt2wAILYeVk6ja3frHG:Dbu6nKV1QcNkI8fDG

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	reg.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	892	wscript.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00060000000155f3-143.dat	acprotect

Executes dropped EXE 8 IoCs

pid	Process
2640	decomp.exe
2592	Bridge.exe
2092	Script.exe
2136	decomp.exe
2684	Attr.exe
2120	Fraps-VirtualDub_Full_Version!_www_wardom_org.exe
828	svchost.exe
1848	ScreenCapture.exe

Loads dropped DLL 17 IoCs

pid	Process
2364	4015be0e49c809a29e861b509467854f.exe
2364	4015be0e49c809a29e861b509467854f.exe
2364	4015be0e49c809a29e861b509467854f.exe
2364	4015be0e49c809a29e861b509467854f.exe
2592	Bridge.exe
2592	Bridge.exe
2592	Bridge.exe
2592	Bridge.exe
2592	Bridge.exe
2592	Bridge.exe
2780	regsvr32.exe
2592	Bridge.exe
2592	Bridge.exe
2592	Bridge.exe
828	svchost.exe
828	svchost.exe
892	wscript.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015018-18.dat	upx
behavioral1/memory/2364-24-0x00000000003E0000-0x00000000003EB000-memory.dmp	upx
behavioral1/memory/2640-32-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2640-35-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0009000000014825-60.dat	upx
behavioral1/memory/2592-70-0x0000000000360000-0x0000000000370000-memory.dmp	upx
behavioral1/memory/2092-98-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2092-103-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/files/0x00090000000143ec-131.dat	upx
behavioral1/memory/2136-134-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0007000000014af6-140.dat	upx
behavioral1/files/0x0007000000014abe-139.dat	upx
behavioral1/memory/2684-141-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x00060000000155f3-143.dat	upx
behavioral1/memory/1848-270-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service Monitor = "C:\\Windows\\SysWOW64\\Debugger\\svchost.exe"	svchost.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Debugger\kill_xp_firewall.bat	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\Bridge.exe	4015be0e49c809a29e861b509467854f.exe
File created	C:\Windows\SysWOW64\decomp.exe	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\decomp.exe	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\Script.exe	Attr.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\ScreenCapture.exe	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\svchost.exe	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\New.vbs	Script.exe
File opened for modification	C:\Windows\SysWOW64\Script.tmp	Bridge.exe
File created	C:\Windows\SysWOW64\gizle.bak	Bridge.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\comctlogs.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\k.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\gizle.vbs	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\temp.bind	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\	Attr.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\ScreenCapture.exe	Attr.exe
File created	C:\Windows\SysWOW64\Script.bak	Bridge.exe
File opened for modification	C:\Windows\SysWOW64\Bridge.bak	Bridge.exe
File opened for modification	C:\Windows\SysWOW64\Attr.bak	Bridge.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\Script.exe	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\aosmtp.dll.mail	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\config.dat	4015be0e49c809a29e861b509467854f.exe
File created	C:\Windows\SysWOW64\aosmtp.dll.mail	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\Update.vbs	Script.exe
File opened for modification	C:\Windows\SysWOW64\Script.bak	Bridge.exe
File created	C:\Windows\SysWOW64\Attr.bak	Bridge.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\Attr.exe	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\Extractor.exe	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\FirstUpdate.vbs	Script.exe
File created	C:\Windows\SysWOW64\Script.tmp	Bridge.exe
File created	C:\Windows\SysWOW64\ScreenCapture.bak	Bridge.exe
File opened for modification	C:\Windows\SysWOW64\ScreenCapture.bak	Bridge.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\decomp.exe	Attr.exe
File created	C:\Windows\SysWOW64\Bridge.bak	Bridge.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\decomp.exe	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\aosmtp.dll.mail	4015be0e49c809a29e861b509467854f.exe
File opened for modification	C:\Windows\SysWOW64\aosmtp.dll	decomp.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\aosmtp.dll	decomp.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\Bridge.exe	Attr.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\Extractor.exe	Attr.exe
File opened for modification	C:\Windows\SysWOW64\Debugger\svchost.exe	Attr.exe
File opened for modification	C:\Windows\SysWOW64\gizle.bak	Bridge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	Fraps-VirtualDub_Full_Version!_www_wardom_org.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\VersionIndependentProgID\ = "AOSMTP.FastSender"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\InprocServer32\ = "C:\\Windows\\SysWow64\\aosmtp.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}\ = "_IMailEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.FastSender\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.Mail\ = "Mail Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\ProgID\ = "AOSMTP.FastSender.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}\TypeLib\ = "{FF14B02B-6EE4-400F-A729-B0EA35F921C2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.Mail\CurVer\ = "AOSMTP.Mail.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.Mail.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.Mail.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.Mail	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}\InprocServer32\ = "C:\\Windows\\SysWow64\\aosmtp.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.FastSender\ = "FastSender Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.FastSender.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}\ = "_IFastSenderEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}\TypeLib\ = "{FF14B02B-6EE4-400F-A729-B0EA35F921C2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.FastSender.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\aosmtp.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.Mail\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.Mail\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\ = "IMail"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\ = "IMail"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.FastSender\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.Mail\CLSID\ = "{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\TypeLib\ = "{FF14B02B-6EE4-400F-A729-B0EA35F921C2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}\ = "Mail Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}\VersionIndependentProgID\ = "AOSMTP.Mail"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.Mail.1\CLSID\ = "{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\TypeLib\ = "{FF14B02B-6EE4-400F-A729-B0EA35F921C2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.FastSender.1\CLSID\ = "{69620165-77DD-44EE-995C-3632E525A22B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\TypeLib\ = "{FF14B02B-6EE4-400F-A729-B0EA35F921C2}"	regsvr32.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Fraps-VirtualDub_Full_Version!_www_wardom_org.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Fraps-VirtualDub_Full_Version!_www_wardom_org.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Fraps-VirtualDub_Full_Version!_www_wardom_org.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Fraps-VirtualDub_Full_Version!_www_wardom_org.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Fraps-VirtualDub_Full_Version!_www_wardom_org.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Fraps-VirtualDub_Full_Version!_www_wardom_org.exe

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
828	svchost.exe
2120	Fraps-VirtualDub_Full_Version!_www_wardom_org.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2364	4015be0e49c809a29e861b509467854f.exe
2640	decomp.exe
2592	Bridge.exe
2092	Script.exe
2136	decomp.exe
2684	Attr.exe
2120	Fraps-VirtualDub_Full_Version!_www_wardom_org.exe
2120	Fraps-VirtualDub_Full_Version!_www_wardom_org.exe
828	svchost.exe
828	svchost.exe
1848	ScreenCapture.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2640	2364	4015be0e49c809a29e861b509467854f.exe	28
PID 2364 wrote to memory of 2640	2364	4015be0e49c809a29e861b509467854f.exe	28
PID 2364 wrote to memory of 2640	2364	4015be0e49c809a29e861b509467854f.exe	28
PID 2364 wrote to memory of 2640	2364	4015be0e49c809a29e861b509467854f.exe	28
PID 2364 wrote to memory of 2592	2364	4015be0e49c809a29e861b509467854f.exe	29
PID 2364 wrote to memory of 2592	2364	4015be0e49c809a29e861b509467854f.exe	29
PID 2364 wrote to memory of 2592	2364	4015be0e49c809a29e861b509467854f.exe	29
PID 2364 wrote to memory of 2592	2364	4015be0e49c809a29e861b509467854f.exe	29
PID 2592 wrote to memory of 2092	2592	Bridge.exe	30
PID 2592 wrote to memory of 2092	2592	Bridge.exe	30
PID 2592 wrote to memory of 2092	2592	Bridge.exe	30
PID 2592 wrote to memory of 2092	2592	Bridge.exe	30
PID 2092 wrote to memory of 2492	2092	Script.exe	31
PID 2092 wrote to memory of 2492	2092	Script.exe	31
PID 2092 wrote to memory of 2492	2092	Script.exe	31
PID 2092 wrote to memory of 2492	2092	Script.exe	31
PID 2592 wrote to memory of 2136	2592	Bridge.exe	32
PID 2592 wrote to memory of 2136	2592	Bridge.exe	32
PID 2592 wrote to memory of 2136	2592	Bridge.exe	32
PID 2592 wrote to memory of 2136	2592	Bridge.exe	32
PID 2492 wrote to memory of 320	2492	wscript.exe	33
PID 2492 wrote to memory of 320	2492	wscript.exe	33
PID 2492 wrote to memory of 320	2492	wscript.exe	33
PID 2492 wrote to memory of 320	2492	wscript.exe	33
PID 2592 wrote to memory of 2684	2592	Bridge.exe	35
PID 2592 wrote to memory of 2684	2592	Bridge.exe	35
PID 2592 wrote to memory of 2684	2592	Bridge.exe	35
PID 2592 wrote to memory of 2684	2592	Bridge.exe	35
PID 320 wrote to memory of 1308	320	cmd.exe	36
PID 320 wrote to memory of 1308	320	cmd.exe	36
PID 320 wrote to memory of 1308	320	cmd.exe	36
PID 320 wrote to memory of 1308	320	cmd.exe	36
PID 1308 wrote to memory of 1864	1308	net.exe	37
PID 1308 wrote to memory of 1864	1308	net.exe	37
PID 1308 wrote to memory of 1864	1308	net.exe	37
PID 1308 wrote to memory of 1864	1308	net.exe	37
PID 2592 wrote to memory of 2780	2592	Bridge.exe	38
PID 2592 wrote to memory of 2780	2592	Bridge.exe	38
PID 2592 wrote to memory of 2780	2592	Bridge.exe	38
PID 2592 wrote to memory of 2780	2592	Bridge.exe	38
PID 2592 wrote to memory of 2780	2592	Bridge.exe	38
PID 2592 wrote to memory of 2780	2592	Bridge.exe	38
PID 2592 wrote to memory of 2780	2592	Bridge.exe	38
PID 320 wrote to memory of 1528	320	cmd.exe	39
PID 320 wrote to memory of 1528	320	cmd.exe	39
PID 320 wrote to memory of 1528	320	cmd.exe	39
PID 320 wrote to memory of 1528	320	cmd.exe	39
PID 1528 wrote to memory of 1512	1528	net.exe	40
PID 1528 wrote to memory of 1512	1528	net.exe	40
PID 1528 wrote to memory of 1512	1528	net.exe	40
PID 1528 wrote to memory of 1512	1528	net.exe	40
PID 320 wrote to memory of 1628	320	cmd.exe	42
PID 320 wrote to memory of 1628	320	cmd.exe	42
PID 320 wrote to memory of 1628	320	cmd.exe	42
PID 320 wrote to memory of 1628	320	cmd.exe	42
PID 1628 wrote to memory of 1468	1628	net.exe	41
PID 1628 wrote to memory of 1468	1628	net.exe	41
PID 1628 wrote to memory of 1468	1628	net.exe	41
PID 1628 wrote to memory of 1468	1628	net.exe	41
PID 320 wrote to memory of 1764	320	cmd.exe	44
PID 320 wrote to memory of 1764	320	cmd.exe	44
PID 320 wrote to memory of 1764	320	cmd.exe	44
PID 320 wrote to memory of 1764	320	cmd.exe	44
PID 1764 wrote to memory of 2020	1764	net.exe	43

C:\Users\Admin\AppData\Local\Temp\4015be0e49c809a29e861b509467854f.exe
"C:\Users\Admin\AppData\Local\Temp\4015be0e49c809a29e861b509467854f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\decomp.exe
  "C:\Windows\System32\decomp.exe" aosmtp.dll
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2640
- C:\Windows\SysWOW64\Debugger\Bridge.exe
  C:\Windows\System32\Debugger\Bridge.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\Debugger\Script.exe
    C:\Windows\SysWOW64\Debugger\Script.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\SysWOW64\wscript.exe
      wscript.exe "C:\Windows\SysWOW64\Debugger\gizle.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\Debugger\kill_xp_firewall.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:320
      - C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        7⤵
        
        PID:1864
      - C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        7⤵
        
        PID:1512
      - C:\Windows\SysWOW64\net.exe
        
        net stop MpsSvc
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Windows\SysWOW64\net.exe
        
        net stop wscsvc
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Security Center" /v FirewallDisableNotify /t REG_DWORD /d 0x1 /f
        6⤵
        Windows security bypass
        
        PID:2116
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Security Center" /v AntiVirusDisableNotify /t REG_DWORD /d 0x1 /f
        6⤵
        Windows security bypass
        
        PID:2848
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Security Center" /v UpdatesDisableNotify /t REG_DWORD /d 0x1 /f
        6⤵
        Windows security bypass
        
        PID:2052
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Security Center" /v AntiVirusOverride /t REG_DWORD /d 0x1 /f
        6⤵
        Windows security bypass
        
        PID:2332
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Security Center" /v FirewallOverride /t REG_DWORD /d 0x1 /f
        6⤵
        Windows security bypass
        
        PID:1816
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        6⤵
        
        PID:2028
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        6⤵
        Modifies security service
        
        PID:1684
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        6⤵
        Modifies security service
        
        PID:844
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscntfy" /v Start /t REG_DWORD /d 0x4 /f
        6⤵
        
        PID:2284
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" /v Start /t REG_DWORD /d 0x4 /f
        6⤵
        Modifies security service
        
        PID:1956
- - C:\Windows\SysWOW64\Debugger\decomp.exe
    "C:\Windows\SysWOW64\Debugger\decomp.exe" /all
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:2136
- - C:\Windows\SysWOW64\Debugger\Attr.exe
    "C:\Windows\SysWOW64\Debugger\Attr.exe" doit
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:2684
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Windows\system32\aosmtp.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2780
- - C:\Users\Admin\AppData\Local\Temp\Fraps-VirtualDub_Full_Version!_www_wardom_org.exe
    "C:\Users\Admin\AppData\Local\Temp\Fraps-VirtualDub_Full_Version!_www_wardom_org.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2120
- - C:\Windows\SysWOW64\Debugger\svchost.exe
    C:\Windows\SysWOW64\Debugger\svchost.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:828
  - - C:\Windows\SysWOW64\wscript.exe
      wscript.exe C:\Windows\SysWOW64\Debugger\FirstUpdate.vbs
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:892
  - - C:\Windows\SysWOW64\Debugger\ScreenCapture.exe
      "C:\Windows\SysWOW64\Debugger\ScreenCapture.exe" 1
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
1⤵
PID:1468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39a585753ba8d806ae840fa7179c41e4

SHA1
ec15d4cb73ccfada5d802a5040075b890995ad9d

SHA256
d6a53a909b7d2a23c2394d7447e08f36d5e122da6e046ac639ae2ea129ac8c3f

SHA512
d5167ba914835319d0ce8c758578e2801d2793159bd73a6094059f3d2f2056f02416f53f862c0050cfcfb62708dc6584e85f5d6de7768b8fd0332c504ea237c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
2b8597e2cdfaab593e301dd074650bdb

SHA1
2c17044d40752203bf04904a3847fca7a231102d

SHA256
bbad3c72e4bbaf1326508ecc1a38dc637906c0fd51c389728e9145052f0c8895

SHA512
cfdd1f115598c1fbec9e896f40e71d8d8661f04f51dbaf52d6214288a9a9236087450dbe6fb0897c25670c80820e73d2277ccd879e7f5c0461f4208495bafa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fraps-VirtualDub_Full_Version!_www_wardom_org.exe

Filesize
705KB

MD5
456f098d986b032c48abb8f21bc9c63c

SHA1
230261163823fe2e2cbc74755696955711dd8756

SHA256
38010b1b4f7583d5bb043e1a2713e3386a5f13584907b185a523132fc6f5759f

SHA512
6073645541a91d38b0268f8a09922469938be7f11574e8620818dd5dc9a293a1c48393278f3ff6d57d62c1fb2e118be60f464e6a82681ae53909f437fbdb1a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fraps-VirtualDub_Full_Version!_www_wardom_org.exe

Filesize
76KB

MD5
3dde41042aac074c357a0c069abf7e8a

SHA1
fd8ca4dd97bee3176730fa916d8cd812b0e23aa8

SHA256
39b89d3916a05c57b34b31216da5769a5669b0160126fca443b9bb27eb95be47

SHA512
249d475aacf7ac1fed9bdc60f018a0734d4c65a4d7c473be42cd1d33b9d7f39013964d0035df353b5c266ef5c4d8a7bbb4ec0d6fbcca885b7f6fa7912f1b32c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3789.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\SysWOW64\Debugger\Attr.exe

Filesize
47KB

MD5
2e794f47e668a0492578c5f368a0d9fd

SHA1
813144c0472b65d3d0be7915e41af5e82a0392f9

SHA256
81f83a00b4c6e97221ba1af6878044cffba8ab42ab126e717d6018287e473a6d

SHA512
084bfdc16d4c3b2aab6027f2b1cf24bbcc1b95afd2355001b03edd6358be925760aed0e90333f90cc99e494c570951688208b6c845475bfea155b711f5771b7e

Download Submit
C:\Windows\SysWOW64\Debugger\Extractor.exe

Filesize
52KB

MD5
0b1ce68e91c9ceb7226be8a25d4e0e10

SHA1
353bf215141f01c77256449fae49b124b62aabbe

SHA256
80cfb3787b9beca186ba717bbb25912d0d1b5acb1516bd5792e89400d47a02fc

SHA512
ba06d8ab35ea271575c2eef973a6fb45d3a9efe8b395343f444499e3280a7b21a028aa9926f78710215e368c9d49841a2bb85e59129b9f7ae522d4bf845dc80e

Download Submit
C:\Windows\SysWOW64\Debugger\ScreenCapture.exe

Filesize
41KB

MD5
9440e2efdb570345f40440a694eb14c7

SHA1
ed51b0f0d402f73ecd67dd526261a8c038c0b2f0

SHA256
2509c65be9b478e23540e65db8c46989e02a26534c5f7d727bdd5461d42bb90b

SHA512
874ef724143f8d4702a464ee99362da0cb3b492f7df75f42f531a325b3104fde3a13c28d0d613ff00495c2581e3de183d2d03f68096ff510ff6bff8793fd01a7

Download Submit
C:\Windows\SysWOW64\Debugger\config.dat

Filesize
466B

MD5
f3130450a126db253d485fa4d11aa3aa

SHA1
dd0d94f1230adac0e7ba5b72a2d6f8537ae85109

SHA256
d9b2a5e88e4720837091c78ed7800067a4f734381c9ad8725857646e4b2b259a

SHA512
2660e934be4db474d3da710a79c67e5875ad6abddceac438b0139bc011ccd28d71e18d0045e5caaa34f43c582ad5ffe2a35d86d158df21016e9d4c35bddffece

Download Submit
C:\Windows\SysWOW64\Debugger\gizle.vbs

Filesize
186B

MD5
409f6c9929ff65bff4e518ddf2aaae2d

SHA1
b9433a61a120a5c4ad9cdfdd7b7342934fda89f0

SHA256
82203d31b6b9f6c650ec1d9fcedc076cd373a5e451b995d3c6185586ca4b61c8

SHA512
a2c72727c5e2430d42dfcb3c982a221d837efb0014adf35aeb0c93edc7b8d03c11a20837809b2d36c8d2aa1e0faac8bec762b8cd5abc912c3152b14fc467b066

Download Submit
C:\Windows\SysWOW64\Debugger\kill_xp_firewall.bat

Filesize
1KB

MD5
8b84197072de5daed7e0b6d749752ff3

SHA1
1a09167829201ebeb1f2e19ba2e1176b9dd6579d

SHA256
bfff40cb8d72beedf40a5271c5406a21c9517fa5313854446e2015d505cca4d8

SHA512
4fd4410bfe5311a6721f7409a01c06eaea3401a28b948dfad0e7d4d39fa895e5d84281c736007113c5b4503eabc42f31ed1f360076c05ad6c305440e6d67f561

Download Submit
C:\Windows\SysWOW64\Debugger\svchost.exe

Filesize
25KB

MD5
b2fa45c6280eed45f9da48667216fa12

SHA1
b1f3d5f9fd5a50918f00798d97a3a415a481e07e

SHA256
bfb3abf7bf33bb3416570bd749d10e02e3853eef5ee8b24423465c408f3255d8

SHA512
757eb1e5f666900398e3b12c565f3ac58c7f71634d9930612d832ef251e1c766160ff218b4c74d803b23cbb3a2ba064ed799aa5a966449bd09c07ecdc93c1279

Download Submit
C:\Windows\SysWOW64\Debugger\temp.bind

Filesize
1024KB

MD5
b92153a5a9447ef9fac0368a8d0371e2

SHA1
684bce2dbe4ff8b965e9b6bfd323f48ed3ee1c00

SHA256
af3256c3d9d1a327362ed5ad60652635a9f356c2c5257ae23af6fc040da03556

SHA512
276ff5f2193a59b6c1362d8eacfb7bbed2f81628fc13617399fe9385b73007122fa65df4d6c86b2bf66e0f3c5de814578319a078b790304a2e325a80b2adc530

Download Submit
C:\Windows\SysWOW64\aosmtp.dll.mail

Filesize
127KB

MD5
d575cf885392f325c0b1ab4633528f99

SHA1
2ea3b7949b92137830c2fe6adca6ffc9872e7634

SHA256
326652b5ef8c9abfb21185a32ad274c8070cea2b51ae32950fdf9e045501b990

SHA512
a3b3483d740f61cbd061a56e14471ef693e3b739c1ef77dbae882c6f8969976a11f7207b819e6bb25deb736ff5fc26f3cc4cbb294fae2463e2fcfe2d336c74bd

Download Submit
C:\Windows\SysWOW64\decomp.exe

Filesize
11KB

MD5
cdc7c8e80873bce728ce0d260a7d7ab5

SHA1
5c53b22475f69ae84acbffb25bb9fd3a6fcca56d

SHA256
e8d8e908adc80411e9c9b9bfb27fb1c44de8550e34f7943ce70efb2f565dc5c6

SHA512
102a3cfa80637a44b8322244a67503100915c83d27727e1616d890ed2cfc3d1c4f1c7973e817acad810e0fcf4e4f6f7ea16a85a8441752258f2e73360e232542

Download Submit
\Windows\SysWOW64\Debugger\Bridge.exe

Filesize
357KB

MD5
072dea68a8b4fe7c23e6d656a551abfe

SHA1
cb1769b6ecf7396a1ca74bc8da3f6adcef3ae85c

SHA256
f772ee4f00799150d0b13dd4361a6ca394f8f2c063a0150b32f0929749075632

SHA512
80c51178e8fca3aa08397ef5fb7ca4e69bd40327a4f922b2a0574dab48d86ba11ce89fcd4d48336846b6a28fbadfaa76d868dfabe83b35086ec75feda5343323

Download Submit
\Windows\SysWOW64\Debugger\Script.exe

Filesize
32KB

MD5
127d5346c33df3bc7eec0e97779b4098

SHA1
3c000c9c18fbcaf1cb17072766c5cd91e2320137

SHA256
3bbeae8d3b3e1e51ccc0a2a2d763adccfc4b470af168c125191de2f52a5d35dc

SHA512
751112dd4e64ce2d561f7976af5b034c5df1725c5330b10f932559f69c8f6a7b806cd65d001d897b4f9fe29efa939fb3811819d7d79edf757520dd57945c077d

Download Submit
\Windows\SysWOW64\aosmtp.dll

Filesize
125KB

MD5
2a20be5ec0a58b3a17900f336fdfa200

SHA1
caa8aa4367ead62a0aacc75de25e05bf162311a9

SHA256
52b3af25756ce8db7113d25a54a16d41c854e15c8a892b1f230aa1b5724ce5f7

SHA512
6bc1bd033f5cca09237aa19de0de5ac829529b6d83571bdbd46f851365f34ea2287bd3c52eb48e4fc3db0f777336c549f72de74c7b0ae9a4613579401e91ae60

Download Submit
memory/1848-270-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2092-103-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2092-98-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2120-365-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2136-134-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2364-24-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/2364-42-0x0000000001E20000-0x0000000001E7F000-memory.dmp

Filesize
380KB

Download
memory/2364-45-0x0000000001E20000-0x0000000001E7F000-memory.dmp

Filesize
380KB

Download
memory/2592-84-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/2592-113-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2592-97-0x0000000004AA0000-0x0000000004AC1000-memory.dmp

Filesize
132KB

Download
memory/2592-96-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2592-74-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2592-95-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/2592-94-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/2592-93-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/2592-92-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2592-91-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/2592-90-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/2592-89-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/2592-88-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/2592-87-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/2592-86-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/2592-85-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/2592-73-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2592-83-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/2592-82-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/2592-81-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/2592-80-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/2592-79-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/2592-72-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download
memory/2592-78-0x0000000003680000-0x0000000003681000-memory.dmp

Filesize
4KB

Download
memory/2592-77-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/2592-76-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/2592-105-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/2592-71-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/2592-70-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/2592-111-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/2592-112-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/2592-75-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/2592-116-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/2592-115-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/2592-117-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/2592-108-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/2592-118-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/2592-119-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/2592-120-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/2592-121-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/2592-122-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/2592-124-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/2592-67-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/2592-69-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/2592-65-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/2592-59-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/2592-63-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/2592-49-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2592-44-0x0000000000460000-0x00000000004B4000-memory.dmp

Filesize
336KB

Download
memory/2592-47-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2592-58-0x0000000003600000-0x0000000003605000-memory.dmp

Filesize
20KB

Download
memory/2592-50-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/2592-51-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2592-52-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2592-53-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/2592-288-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2592-54-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/2592-55-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/2592-56-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2592-57-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/2640-35-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2640-32-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2684-141-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads