7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe
Size

1.7MB
MD5

58a108887f3b8a883ad972f625256851
SHA1

e766b827f09a0afa881cbe1b6484710ce33f2bf0
SHA256

7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d
SHA512

4c08d788a287816e86d838dd8ee3bca4c4310d7ed340b9c8e0209f3cfc11fa0c36325058101265527218c16fbe3a3032392df74e530bd6fd84dc7e759b4d6af3
SSDEEP

24576:89SQXgnU56Gt4ULYVI8RGwvrK7/ckFLI78cPR:ssnxUU

Score

10^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe"	reg.exe

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\vb6.exe = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Internet Explorer\Ieupdate.exe = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe:*:Enabled:Windows Messanger"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	Ieupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe"	Ieupdate.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe"	Ieupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}	Ieupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe"	Ieupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}	Ieupdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe

Executes dropped EXE 3 IoCs

pid	Process
4944	Ieupdate.exe
3424	Ieupdate.exe
1188	Ieupdate.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1396-0-0x0000000000400000-0x00000000005A9000-memory.dmp	upx
behavioral2/files/0x00060000000226c6-40.dat	upx
behavioral2/memory/1396-52-0x0000000000400000-0x00000000005A9000-memory.dmp	upx
behavioral2/memory/4944-55-0x0000000000400000-0x00000000005A9000-memory.dmp	upx
behavioral2/memory/3424-56-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3424-60-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/1188-65-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/1188-63-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/1188-61-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/3424-58-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/4944-70-0x0000000000400000-0x00000000005A9000-memory.dmp	upx
behavioral2/memory/3424-75-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/1188-78-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/3424-79-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3424-82-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3424-86-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3424-90-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3424-94-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3424-98-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3424-102-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3424-106-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3424-110-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3424-114-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3424-118-0x0000000000400000-0x000000000045C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IeUpdate = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe"	Ieupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe"	Ieupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IeUpdate = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe"	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Ieupdate.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4944 set thread context of 3424	4944	Ieupdate.exe	109
PID 4944 set thread context of 1188	4944	Ieupdate.exe	110

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\Ieupdate.exe	Ieupdate.exe
File created	C:\Program Files (x86)\Internet Explorer\Ieupdate.txt	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\Ieupdate.txt	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe
File created	C:\Program Files (x86)\Internet Explorer\Ieupdate.exe	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\Ieupdate.exe	Ieupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4800	reg.exe
4020	reg.exe
4640	reg.exe
3384	reg.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	1188	Ieupdate.exe
Token: 1	3424	Ieupdate.exe
Token: SeCreateTokenPrivilege	3424	Ieupdate.exe
Token: SeAssignPrimaryTokenPrivilege	3424	Ieupdate.exe
Token: SeLockMemoryPrivilege	3424	Ieupdate.exe
Token: SeIncreaseQuotaPrivilege	3424	Ieupdate.exe
Token: SeMachineAccountPrivilege	3424	Ieupdate.exe
Token: SeTcbPrivilege	3424	Ieupdate.exe
Token: SeSecurityPrivilege	3424	Ieupdate.exe
Token: SeTakeOwnershipPrivilege	3424	Ieupdate.exe
Token: SeLoadDriverPrivilege	3424	Ieupdate.exe
Token: SeSystemProfilePrivilege	3424	Ieupdate.exe
Token: SeSystemtimePrivilege	3424	Ieupdate.exe
Token: SeProfSingleProcessPrivilege	3424	Ieupdate.exe
Token: SeIncBasePriorityPrivilege	3424	Ieupdate.exe
Token: SeCreatePagefilePrivilege	3424	Ieupdate.exe
Token: SeCreatePermanentPrivilege	3424	Ieupdate.exe
Token: SeBackupPrivilege	3424	Ieupdate.exe
Token: SeRestorePrivilege	3424	Ieupdate.exe
Token: SeShutdownPrivilege	3424	Ieupdate.exe
Token: SeDebugPrivilege	3424	Ieupdate.exe
Token: SeAuditPrivilege	3424	Ieupdate.exe
Token: SeSystemEnvironmentPrivilege	3424	Ieupdate.exe
Token: SeChangeNotifyPrivilege	3424	Ieupdate.exe
Token: SeRemoteShutdownPrivilege	3424	Ieupdate.exe
Token: SeUndockPrivilege	3424	Ieupdate.exe
Token: SeSyncAgentPrivilege	3424	Ieupdate.exe
Token: SeEnableDelegationPrivilege	3424	Ieupdate.exe
Token: SeManageVolumePrivilege	3424	Ieupdate.exe
Token: SeImpersonatePrivilege	3424	Ieupdate.exe
Token: SeCreateGlobalPrivilege	3424	Ieupdate.exe
Token: 31	3424	Ieupdate.exe
Token: 32	3424	Ieupdate.exe
Token: 33	3424	Ieupdate.exe
Token: 34	3424	Ieupdate.exe
Token: 35	3424	Ieupdate.exe
Token: SeDebugPrivilege	3424	Ieupdate.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1396	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe
4944	Ieupdate.exe
4944	Ieupdate.exe
3424	Ieupdate.exe
1188	Ieupdate.exe
1188	Ieupdate.exe
3424	Ieupdate.exe
3424	Ieupdate.exe
3424	Ieupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 3708	1396	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe	91
PID 1396 wrote to memory of 3708	1396	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe	91
PID 1396 wrote to memory of 3708	1396	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe	91
PID 3708 wrote to memory of 3292	3708	cmd.exe	95
PID 3708 wrote to memory of 3292	3708	cmd.exe	95
PID 3708 wrote to memory of 3292	3708	cmd.exe	95
PID 3708 wrote to memory of 2636	3708	cmd.exe	96
PID 3708 wrote to memory of 2636	3708	cmd.exe	96
PID 3708 wrote to memory of 2636	3708	cmd.exe	96
PID 1396 wrote to memory of 2948	1396	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe	99
PID 1396 wrote to memory of 2948	1396	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe	99
PID 1396 wrote to memory of 2948	1396	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe	99
PID 2948 wrote to memory of 2216	2948	cmd.exe	101
PID 2948 wrote to memory of 2216	2948	cmd.exe	101
PID 2948 wrote to memory of 2216	2948	cmd.exe	101
PID 1396 wrote to memory of 4744	1396	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe	102
PID 1396 wrote to memory of 4744	1396	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe	102
PID 1396 wrote to memory of 4744	1396	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe	102
PID 4744 wrote to memory of 1644	4744	cmd.exe	104
PID 4744 wrote to memory of 1644	4744	cmd.exe	104
PID 4744 wrote to memory of 1644	4744	cmd.exe	104
PID 1396 wrote to memory of 2524	1396	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe	105
PID 1396 wrote to memory of 2524	1396	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe	105
PID 1396 wrote to memory of 2524	1396	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe	105
PID 2524 wrote to memory of 1624	2524	cmd.exe	107
PID 2524 wrote to memory of 1624	2524	cmd.exe	107
PID 2524 wrote to memory of 1624	2524	cmd.exe	107
PID 1396 wrote to memory of 4944	1396	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe	108
PID 1396 wrote to memory of 4944	1396	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe	108
PID 1396 wrote to memory of 4944	1396	7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe	108
PID 4944 wrote to memory of 3424	4944	Ieupdate.exe	109
PID 4944 wrote to memory of 3424	4944	Ieupdate.exe	109
PID 4944 wrote to memory of 3424	4944	Ieupdate.exe	109
PID 4944 wrote to memory of 3424	4944	Ieupdate.exe	109
PID 4944 wrote to memory of 3424	4944	Ieupdate.exe	109
PID 4944 wrote to memory of 3424	4944	Ieupdate.exe	109
PID 4944 wrote to memory of 3424	4944	Ieupdate.exe	109
PID 4944 wrote to memory of 3424	4944	Ieupdate.exe	109
PID 4944 wrote to memory of 1188	4944	Ieupdate.exe	110
PID 4944 wrote to memory of 1188	4944	Ieupdate.exe	110
PID 4944 wrote to memory of 1188	4944	Ieupdate.exe	110
PID 4944 wrote to memory of 1188	4944	Ieupdate.exe	110
PID 4944 wrote to memory of 1188	4944	Ieupdate.exe	110
PID 4944 wrote to memory of 1188	4944	Ieupdate.exe	110
PID 4944 wrote to memory of 1188	4944	Ieupdate.exe	110
PID 4944 wrote to memory of 1188	4944	Ieupdate.exe	110
PID 3424 wrote to memory of 4368	3424	Ieupdate.exe	112
PID 3424 wrote to memory of 4368	3424	Ieupdate.exe	112
PID 3424 wrote to memory of 4368	3424	Ieupdate.exe	112
PID 3424 wrote to memory of 1584	3424	Ieupdate.exe	113
PID 3424 wrote to memory of 1584	3424	Ieupdate.exe	113
PID 3424 wrote to memory of 1584	3424	Ieupdate.exe	113
PID 3424 wrote to memory of 3412	3424	Ieupdate.exe	114
PID 3424 wrote to memory of 3412	3424	Ieupdate.exe	114
PID 3424 wrote to memory of 3412	3424	Ieupdate.exe	114
PID 3424 wrote to memory of 3744	3424	Ieupdate.exe	115
PID 3424 wrote to memory of 3744	3424	Ieupdate.exe	115
PID 3424 wrote to memory of 3744	3424	Ieupdate.exe	115
PID 3412 wrote to memory of 4800	3412	cmd.exe	121
PID 3412 wrote to memory of 4800	3412	cmd.exe	121
PID 3412 wrote to memory of 4800	3412	cmd.exe	121
PID 4368 wrote to memory of 4020	4368	cmd.exe	120
PID 4368 wrote to memory of 4020	4368	cmd.exe	120
PID 4368 wrote to memory of 4020	4368	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe
"C:\Users\Admin\AppData\Local\Temp\7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JNYVYK.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center /v UACDisableNotify /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3292
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyKhZ.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IeUpdate" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eXVQA.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "IeUpdate" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EpSnr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "Explorer.exe, C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f
    3⤵
    - Modifies WinLogon for persistence
    - System Location Discovery: System Language Discovery
    PID:1624
- C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
  "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
    "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4368
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1584
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4800
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\vb6.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\vb6.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3744
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\vb6.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\vb6.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4640
- - C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
    "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:8
1⤵
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\Ieupdate.txt

Filesize
1.7MB

MD5
db76dd6adf5e489bc6a57dd20e7fccc4

SHA1
1cb4be9763f05f600ab3f7028059f92030b1c9de

SHA256
6f78d93eb11b4525dcfed260aa90f1e59828e8fa769e17237a07da25305506b6

SHA512
a3bb2eb2372a8a3283b94c873200fcbf6e364b1e68d0a8011d80ce0d1e89d3d5978437c8547e886301801b5505408a9be131ad4856836aa2300fd01e249d91f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AyKhZ.bat

Filesize
148B

MD5
5d73853d695283e13b412c88ec62984c

SHA1
672379399a80a746a8f0d8043bbf98956101d0ca

SHA256
59884297b763a498c1f55e4ba57f04597ab37677feb9b686839e7553942cf335

SHA512
9043d02ec14cc4869cc8c01562838c11448e2bff42af32ec0a60de76fa8915c3a3a50529ce567c6cb93d2691525b38862257993674c263ed25f6625e370cb2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EpSnr.bat

Filesize
181B

MD5
09d67635a7674b12183c3f0668ce0cd1

SHA1
c3fe2225cc5198a1c33df0342a95528c2e657a6d

SHA256
972e896e8649a5d2caf286a0d75db99909587b1d2f4683870207b547c3bc02d9

SHA512
b37bdad4fb0e9ab947ea5750337de073907d31156d0d00a1a79392741ced2d1aabf1cc2d92581d7f068266f82cd5b2c10fd7e5c573044e6ce77dea6da6dde321

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNYVYK.txt

Filesize
274B

MD5
9fcec2a4ee61953e0d4867261a39ea32

SHA1
d552acf26d9fcc31a9da82ecce503b16a11e9d2a

SHA256
24c5da914d1f429c07ef17dfb7d4d0c90eb060e5a9bd009963fba83b1dd6cae3

SHA512
57d8a88138645780357a88658f21f833efa0ba657dd1fefa6458ba930731e1949216b518f26ab995241837bc7e6eff90b46e5cb5ec34364d2f89db09779e5564

Download Submit
C:\Users\Admin\AppData\Local\Temp\eXVQA.bat

Filesize
148B

MD5
3d470539cbafa762cdb72a4635ad553d

SHA1
4bda3e7de91052dc7d073d8b278ad09ad0d10fa6

SHA256
9f0571e3567d7e1849c7bd5dd7b7a2be942ec44aea6c8bb32d415874b7282691

SHA512
42b168fabd5ddd175ccd143d4f9338880aad03eb22d07fb8a2e13f387015b9eb1d23307bff3ae370c95a5644c88c5e9f7c8b12b332b595c79be069ffc92a448e

Download Submit
memory/1188-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1188-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1188-78-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1188-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1396-52-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/1396-0-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/3424-102-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3424-82-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3424-58-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3424-118-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3424-75-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3424-60-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3424-79-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3424-114-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3424-86-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3424-90-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3424-94-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3424-98-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3424-56-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3424-106-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3424-110-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4944-55-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/4944-70-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads