Malware Analysis Report

2024-11-30 19:32

Sample ID 240923-wv78pswdql
Target Protected.exe
SHA256 c94750f87bb70c03a496307e6a67aedc4d7c12a827c01dd10166a3d0ba4d8fc7
Tags
agilenet discovery defense_evasion execution persistence
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
8/10

SHA256

c94750f87bb70c03a496307e6a67aedc4d7c12a827c01dd10166a3d0ba4d8fc7

Threat Level: Likely malicious

The file Protected.exe was found to be: Likely malicious.

What the detonations below show: Protected.exe is an unsigned, Agile.NET-obfuscated .NET executable. In both runs it fingerprints the host (BIOS SystemManufacturer/SystemVersion, the NLS language key and, on Windows 10, Control Panel\International\Geo\Nation), takes SeDebugPrivilege and contacts keyauth.win over TLS (KeyAuth is a third-party licence/authentication service). The Windows 7 run (behavioral1) stops there: no files are dropped and no child processes are created. The Windows 10 run (behavioral2) goes on to reach store1/store2.gofile.io (a file-hosting service; the "Downloads MZ/PE file" signature fires in this run), writes serials.txt to the user's Temp directory and drops Mapper.exe, TPM.sys, TPM.exe and first.bat into C:\Windows\windows32, a directory that does not exist on a stock Windows install and whose name mimics system32. first.bat runs "Mapper.exe TPM.sys", which takes SeLoadDriverPrivilege, registers a kernel service whose ImagePath is a randomly named file under the user's Temp directory and loads a driver (the pattern of a manual driver mapper), then runs TPM.exe. TPM.exe creates a hidden %TEMP%\ytmp folder and executes tmp5592.bat from it: the script prints a "MASKIFY / MIRAI SERVICES" banner, runs net session (a common elevation check in batch files), clears the TPM (Clear-Tpm), disables TPM auto-provisioning and writes the DeviceGuard registry values that turn off Virtualization Based Security and Hypervisor-Enforced Code Integrity at the next boot. Clearing the TPM invalidates everything sealed to it (for example BitLocker TPM protectors) and disabling VBS/HVCI removes the kernel code-integrity enforcement that constrains which drivers and kernel code can load; that combination, not the generic discovery and evasion tags, is the security impact that matters in this sample.

Malicious Activity Summary

agilenet discovery defense_evasion execution persistence

Downloads MZ/PE file

Sets service image path in registry

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Hide Artifacts: Hidden Files and Directories

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Runs net.exe

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Modifies system certificate store

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-23 18:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-23 18:15

Reported

2024-09-23 18:18

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Protected.exe"

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A

Caveat: CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 thumbprint of ISRG Root X1, the Let's Encrypt root CA. That root is not pre-installed on the Windows 7 image, and CryptoAPI's automatic root update adds it to the machine ROOT store the first time a chain anchored on it is validated, which happens here during the TLS connection to keyauth.win in the same run. The write is therefore consistent with an on-demand root install triggered by the network contact rather than with the sample planting its own trusted root. Before treating this signature as tampering, confirm that the installed certificate is something other than ISRG Root X1, or that benign TLS clients on the same image do not produce the same thumbprint.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Protected.exe

"C:\Users\Admin\AppData\Local\Temp\Protected.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | keyauth.win | udp
US | 104.26.0.5:443 | keyauth.win | tcp

The only traffic in the Windows 7 run is the DNS lookup of keyauth.win followed by one TLS connection (port 443) to the resolved address; no file-hosting contact and no second-stage download occur on this platform, which matches the absence of dropped files and child processes in this run.

Files

memory/2372-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

memory/2372-1-0x0000000000C00000-0x0000000000FFC000-memory.dmp

memory/2372-2-0x0000000074CA0000-0x000000007538E000-memory.dmp

memory/2372-3-0x0000000006290000-0x000000000664A000-memory.dmp

memory/2372-4-0x0000000006650000-0x0000000006864000-memory.dmp

memory/2372-5-0x00000000071F0000-0x00000000073AA000-memory.dmp

memory/2372-6-0x0000000074CA0000-0x000000007538E000-memory.dmp

memory/2372-7-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

memory/2372-8-0x0000000074CA0000-0x000000007538E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-23 18:15

Reported

2024-09-23 18:18

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Protected.exe"

Signatures

Downloads MZ/PE file

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dinxTKjgRXXvTNFzqJZIt\ImagePath = "\??\C:\Users\Admin\AppData\Local\Temp\dinxTKjgRXXvTNFzqJZIt" | C:\Windows\windows32\Mapper.exe | N/A

Note: the service name and the file it points at are the same random string, the file has no extension, and it sits in the user's Temp directory rather than under C:\Windows\System32\drivers, where driver services normally point. Together with the SeLoadDriverPrivilege and LoadsDriver entries for Mapper.exe further down, this is a driver being loaded through a throw-away service rather than durable persistence; check whether the service still exists after the run before treating it as a persistence mechanism.

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\windows32\Mapper.exe | N/A
N/A | N/A | C:\Windows\windows32\TPM.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\windows32\Mapper.exe | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A
File created | C:\Windows\windows32\TPM.sys | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A
File created | C:\Windows\windows32\first.bat | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A
File created | C:\Windows\windows32\TPM.exe | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A

C:\Windows\windows32 does not exist on a stock Windows install; the name is chosen to pass as system32 in a casual process or file listing. Creating it requires administrative rights, so Protected.exe is already elevated at this point. The four files are the whole second stage: a driver (TPM.sys), the loader that maps it (Mapper.exe), the user-mode component (TPM.exe) and the batch file that sequences them (first.bat).

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe (7 instances) | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 instances) | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe (2 instances) | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\windows32\TPM.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe (2 instances) | N/A

(The original table has one row per process instance, 20 in all; identical rows are collapsed here with a count.) Every process in the chain, including the stock cmd.exe, reg.exe and timeout.exe instances, opens this key; it is a routine locale lookup made at process start and carries no weight on its own. The only entries worth noting are the two binaries that are not Windows components, Protected.exe and TPM.exe.

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\windows32\Mapper.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\windows32\Mapper.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

SeLoadDriverPrivilege is the privilege NtLoadDriver checks; Mapper.exe enabling it right after writing the service ImagePath above is the user-mode half of a driver load and is the row that matters here. SeDebugPrivilege on the three powershell.exe instances is seen for every PowerShell host in these sandboxes regardless of the script run and is not attributable to the commands in this chain.

Suspicious use of WriteProcessMemory

Description | Writes | Process | Target
PID 3880 wrote to memory of 3816 | 3 | C:\Users\Admin\AppData\Local\Temp\Protected.exe | C:\Windows\SysWOW64\cmd.exe
PID 3816 wrote to memory of 1540 | 2 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\windows32\Mapper.exe
PID 3816 wrote to memory of 4416 | 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\windows32\TPM.exe
PID 4416 wrote to memory of 5096 | 3 | C:\Windows\windows32\TPM.exe | C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 1216 | 3 | C:\Windows\windows32\TPM.exe | C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 4932 | 3 | C:\Windows\windows32\TPM.exe | C:\Windows\SysWOW64\cmd.exe
PID 4932 wrote to memory of 4112 | 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 4416 wrote to memory of 2292 | 3 | C:\Windows\windows32\TPM.exe | C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 2032 | 3 | C:\Windows\windows32\TPM.exe | C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 2052 | 3 | C:\Windows\windows32\TPM.exe | C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 932 | 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 2052 wrote to memory of 1848 | 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 1936 | 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 1936 wrote to memory of 5076 | 3 | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2052 wrote to memory of 2596 | 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2052 wrote to memory of 4856 | 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 1764 | 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 5024 | 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 4056 | 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 3148 | 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe

(The original table lists one row per write; identical rows are collapsed here with a count.) Every Process/Target pair is a parent writing into a child it has just created, which is what CreateProcess does while setting up the new process, so the table doubles as the parent/child map for the process tree further down. Nothing here shows a write into a pre-existing or unrelated process, i.e. there is no classic injection in this run.
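The table above encodes the whole process tree, one row per write. The following added example (not part of the sandbox report and not the sample's code) parses rows in the report's own format, counts the repeated writes per parent/child pair, finds the root and prints an indented tree; the rows are copied from the table, with only the first two pairs kept in their repeated form to keep the sample short, and the function names are this example's own.

```python
"""Rebuild the process tree from the WriteProcessMemory rows of this report.

Added example (not part of the sandbox report and not the sample's code).
WPM_ROWS is copied from the table above in the report's own row format; the
report repeats each parent/child pair two or three times (one row per write),
and only the first two pairs are kept repeated here to keep the sample short.
"""
import re

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

WPM_ROWS = r"""
PID 3880 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\Protected.exe C:\Windows\SysWOW64\cmd.exe
PID 3880 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\Protected.exe C:\Windows\SysWOW64\cmd.exe
PID 3880 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\Protected.exe C:\Windows\SysWOW64\cmd.exe
PID 3816 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\windows32\Mapper.exe
PID 3816 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\windows32\Mapper.exe
PID 3816 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\windows32\TPM.exe
PID 4416 wrote to memory of 5096 N/A C:\Windows\windows32\TPM.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 1216 N/A C:\Windows\windows32\TPM.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 4932 N/A C:\Windows\windows32\TPM.exe C:\Windows\SysWOW64\cmd.exe
PID 4932 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4416 wrote to memory of 2292 N/A C:\Windows\windows32\TPM.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 2032 N/A C:\Windows\windows32\TPM.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 2052 N/A C:\Windows\windows32\TPM.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2052 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1936 wrote to memory of 5076 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2052 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2052 wrote to memory of 4856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 4056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
"""


def parse_rows(text):
    """Return ({(parent_pid, child_pid): write_count}, {pid: image_path})."""
    edges, image = {}, {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # blank line or a row in another format
        parent, child, parent_img, child_img = int(m[1]), int(m[2]), m[3], m[4]
        edges[(parent, child)] = edges.get((parent, child), 0) + 1
        image.setdefault(parent, parent_img)
        image.setdefault(child, child_img)
    return edges, image


def build_tree(edges):
    """Roots (PIDs that are never a child) and {parent: [children in creation order]}."""
    children = {}
    for parent, child in edges:  # dict keeps first-seen order, which is creation order
        children.setdefault(parent, []).append(child)
    all_children = {child for _, child in edges}
    roots = list(dict.fromkeys(p for p, _ in edges if p not in all_children))
    return roots, children


def ancestry(edges, pid):
    """Chain of PIDs from the root down to pid."""
    parent_of = {child: parent for parent, child in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render(roots, children, image, edges):
    """Indented lines of the form 'pid basename (n writes)'."""
    lines = []

    def walk(pid, depth, parent):
        name = image[pid].rsplit("\\", 1)[-1]
        line = "  " * depth + f"{pid} {name}"
        if parent is not None:
            line += f" ({edges[(parent, pid)]} writes)"
        lines.append(line)
        for child in children.get(pid, []):
            walk(child, depth + 1, pid)

    for root in roots:
        walk(root, 0, None)
    return lines


if __name__ == "__main__":
    e, img = parse_rows(WPM_ROWS)
    r, ch = build_tree(e)
    print("\n".join(render(r, ch, img, e)))
```

The write count per pair is kept because it is the cheapest way to tell process creation (two or three small writes into a brand-new child) from injection (many writes, or writes into a PID that already existed); any pair whose target PID also appears as a child of a different parent would be the thing to look at.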

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

Process tree for this run. PIDs and parent/child links are taken from the WriteProcessMemory table above; each entry gives the image path and, on the next line, the command line. The 32-bit parent's references to C:\Windows\system32 are redirected by WOW64 to SysWOW64, which is why the image paths differ from the command lines.

3880  C:\Users\Admin\AppData\Local\Temp\Protected.exe
      "C:\Users\Admin\AppData\Local\Temp\Protected.exe"
  3816  C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Windows\windows32\first.bat" "
    1540  C:\Windows\windows32\Mapper.exe
          Mapper.exe TPM.sys
    4416  C:\Windows\windows32\TPM.exe
          TPM.exe
      5096  C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
      1216  C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"
      4932  C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
        4112  C:\Windows\SysWOW64\attrib.exe
              attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
      2292  C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp5592.bat" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp5592.bat"
      2032  C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp6141.exe" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp6141.exe"
      2052  C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytmp\tmp5592.bat "C:\Windows\windows32\TPM.exe"
        932   C:\Windows\SysWOW64\chcp.com
              chcp 65001
        1848  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "Write-Host 'Welcome to ' -NoNewline; Write-Host 'MASKIFY / MIRAI SERVICES' -ForegroundColor Cyan"
        1936  C:\Windows\SysWOW64\net.exe
              net session
          5076  C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 session
        2596  C:\Windows\SysWOW64\timeout.exe
              timeout /t 3 /nobreak
        4856  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "Clear-Tpm"
        1764  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "Disable-TpmAutoProvisioning"
        5024  C:\Windows\SysWOW64\reg.exe
              reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 0 /f
        4056  C:\Windows\SysWOW64\reg.exe
              reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f
        3148  C:\Windows\SysWOW64\timeout.exe
              timeout /t 3

Reading the tree: first.bat (PID 3816) loads the driver through Mapper.exe and then starts TPM.exe. TPM.exe (PID 4416) stages a hidden %TEMP%\ytmp folder, deletes any earlier tmp5592.bat and tmp6141.exe there, and runs tmp5592.bat with its own path as the argument. The children of PID 2052 are that batch file's steps in order: switch the console to UTF-8 (chcp 65001), print the "MASKIFY / MIRAI SERVICES" banner, run net session (a common elevation check, since it fails when not running as administrator), wait three seconds, clear the TPM, disable TPM auto-provisioning, and set the two DeviceGuard values that turn off Virtualization Based Security and HVCI at the next boot. Clear-Tpm discards everything sealed to the TPM, including BitLocker TPM protectors, and disabling VBS/HVCI removes the kernel code-integrity enforcement that constrains which drivers and kernel code can load, which fits the driver-mapping step that precedes it.
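The command lines and registry writes above are the raw material for detection content. The following added example (not part of the sandbox report and not the sample's code) encodes them as event-level rules that can be ported to Sigma or an EDR query; the event records are constructed from this report's process list and persistence table, and the Event fields, rule names and SAMPLE_EVENTS are assumptions of this example rather than anything the sandbox emits.

```python
"""Event-level detection rules for the behavioural chain in this report.

Added example (not part of the sandbox report and not the sample's code).
The Event fields, the rule names and SAMPLE_EVENTS are this example's own;
the command lines and the registry write in SAMPLE_EVENTS are taken from the
process list and the persistence table above.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" (creation) or "registry" (value set)
    image: str = ""      # created process, or the process doing the registry write
    cmdline: str = ""    # process events only
    key: str = ""        # registry events only: full key path including the value name
    data: str = ""       # registry events only: data written


# C:\Windows\<name>\ where <name> ends in 32/64 but is not the real system32 or SysWOW64
LOOKALIKE_SYSTEM_DIR = re.compile(r"\\Windows\\(?!system32\\|syswow64\\)\w*(32|64)\\", re.I)
DRIVER_ARG = re.compile(r"(^|\s)\S+\.sys(\s|$)", re.I)  # a .sys file passed as an argument
TPM_CMDLETS = re.compile(r"\b(Clear-Tpm|Disable-TpmAutoProvisioning)\b", re.I)
VBS_HVCI_KEYS = re.compile(r"Control\\DeviceGuard(\\Scenarios\\HypervisorEnforcedCodeIntegrity)?", re.I)
SERVICE_IMAGEPATH = re.compile(r"\\Services\\[^\\]+\\ImagePath$", re.I)
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_lookalike_system_dir(e):
    """Binary executed from a fake system directory such as C:\\Windows\\windows32."""
    return e.kind == "process" and bool(LOOKALIKE_SYSTEM_DIR.search(e.image))


def rule_driver_file_argument(e):
    """User-mode program handed a .sys file on its command line (Mapper.exe TPM.sys)."""
    return e.kind == "process" and bool(DRIVER_ARG.search(e.cmdline))


def rule_hide_user_temp_dir(e):
    """attrib +h applied to a path under the user's Temp directory."""
    return (e.kind == "process" and basename(e.image) == "attrib.exe"
            and "+h" in e.cmdline.lower() and bool(USER_TEMP.search(e.cmdline)))


def rule_tpm_tamper(e):
    """PowerShell clearing the TPM or disabling TPM auto-provisioning."""
    return (e.kind == "process" and basename(e.image) == "powershell.exe"
            and bool(TPM_CMDLETS.search(e.cmdline)))


def rule_vbs_hvci_disable(e):
    """VBS or HVCI switched off, seen as the reg.exe command or as the resulting write."""
    if e.kind == "process" and basename(e.image) == "reg.exe":
        return (" add " in e.cmdline.lower() and bool(VBS_HVCI_KEYS.search(e.cmdline))
                and re.search(r"/d\s+0(\s|$)", e.cmdline) is not None)
    if e.kind == "registry":
        return bool(VBS_HVCI_KEYS.search(e.key)) and e.data.strip() == "0"
    return False


def rule_service_imagepath_in_user_temp(e):
    """Service (driver) ImagePath pointing into a user's Temp directory."""
    return (e.kind == "registry" and bool(SERVICE_IMAGEPATH.search(e.key))
            and bool(USER_TEMP.search(e.data)))


RULES = {
    f.__name__[len("rule_"):]: f
    for f in (rule_lookalike_system_dir, rule_driver_file_argument, rule_hide_user_temp_dir,
              rule_tpm_tamper, rule_vbs_hvci_disable, rule_service_imagepath_in_user_temp)
}


def evaluate(events):
    """Return {rule_name: [indexes of matching events]} for every rule that fired."""
    hits = {}
    for i, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                hits.setdefault(name, []).append(i)
    return hits


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed from the report; benign-looking steps included as negatives
    Event("process", r"C:\Windows\windows32\Mapper.exe", "Mapper.exe TPM.sys"),
    Event("registry", r"C:\Windows\windows32\Mapper.exe",
          key=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dinxTKjgRXXvTNFzqJZIt\ImagePath",
          data=r"\??\C:\Users\Admin\AppData\Local\Temp\dinxTKjgRXXvTNFzqJZIt"),
    Event("process", r"C:\Windows\windows32\TPM.exe", "TPM.exe"),
    Event("process", r"C:\Windows\SysWOW64\attrib.exe", r"attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp"),
    Event("process", PS, "powershell -Command \"Write-Host 'Welcome to ' -NoNewline; "
                         "Write-Host 'MASKIFY / MIRAI SERVICES' -ForegroundColor Cyan\""),
    Event("process", r"C:\Windows\SysWOW64\net.exe", "net session"),
    Event("process", PS, 'powershell -Command "Clear-Tpm"'),
    Event("process", PS, 'powershell -Command "Disable-TpmAutoProvisioning"'),
    Event("process", r"C:\Windows\SysWOW64\reg.exe",
          r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 0 /f'),
    Event("process", r"C:\Windows\SysWOW64\reg.exe",
          r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f'),
    Event("process", r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 3"),
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: events {idx}")
```

The lookalike-directory rule excludes only the real system32 and SysWOW64, so it also catches variants of this directory name; the VBS/HVCI rule fires on either the reg.exe command line or the resulting registry write, so it still matches a variant that sets the value from PowerShell or a custom binary. To run this against real telemetry, map the "process" events onto Sysmon event ID 1 (Image, CommandLine) and the "registry" events onto event ID 13 (TargetObject, Details).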

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | keyauth.win | udp
US | 172.67.72.57:443 | keyauth.win | tcp
US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | store1.gofile.io | udp
FR | 45.112.123.227:443 | store1.gofile.io | tcp
US | 8.8.8.8:53 | store2.gofile.io | udp
FR | 45.112.123.239:443 | store2.gofile.io | tcp
US | 8.8.8.8:53 | 227.123.112.45.in-addr.arpa | udp
US | 8.8.8.8:53 | 239.123.112.45.in-addr.arpa | udp

Rows ending in .in-addr.arpa are reverse-DNS (PTR) lookups. The ones for 57.72.67.172, 227.123.112.45 and 239.123.112.45 mirror the three TCP destinations in the table (172.67.72.57, 45.112.123.227 and 45.112.123.239); the others are for addresses the sample never connected to and add nothing as indicators. The sample's own contacts are keyauth.win (the KeyAuth licence/authentication service, resolved here to a Cloudflare address) and store1/store2.gofile.io (a file-hosting service), the latter being the only download source in the run in which the "Downloads MZ/PE file" signature fires. Hunt on the two hostnames rather than the addresses: keyauth.win sits behind shared Cloudflare infrastructure and the gofile.io address depends on the storage node (store1 versus store2).

Files

memory/3880-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

memory/3880-1-0x0000000000810000-0x0000000000C0C000-memory.dmp

memory/3880-2-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/3880-3-0x0000000005A90000-0x0000000006034000-memory.dmp

memory/3880-4-0x00000000054E0000-0x0000000005572000-memory.dmp

memory/3880-5-0x00000000054C0000-0x00000000054CA000-memory.dmp

memory/3880-6-0x0000000006040000-0x00000000063FA000-memory.dmp

memory/3880-7-0x0000000007650000-0x0000000007864000-memory.dmp

memory/3880-8-0x0000000008870000-0x0000000008A2A000-memory.dmp

memory/3880-9-0x0000000009FE0000-0x000000000A046000-memory.dmp

memory/3880-10-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/3880-11-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

memory/3880-12-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/3880-13-0x00000000013A0000-0x00000000013B2000-memory.dmp

memory/3880-15-0x000000000B1C0000-0x000000000B1FC000-memory.dmp

memory/3880-18-0x000000000B200000-0x000000000B2FA000-memory.dmp

memory/3880-19-0x000000000B3C0000-0x000000000B3F4000-memory.dmp

memory/3880-20-0x000000000B870000-0x000000000B902000-memory.dmp

memory/3880-21-0x000000000B910000-0x000000000B91A000-memory.dmp

memory/3880-22-0x0000000074ED0000-0x0000000075680000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\serials.txt

MD5 7c26b38c596bf380c52afeaa5a5697f5
SHA1 8ccc5992b9b3aa2d3cb46bffca347cf3a75fd264
SHA256 607e92a1d0875fbe231bc5d9c8a5d3df466c18288466de35a1e8cea083b9481c
SHA512 87ebf005990d153d7f38ebc63ca9fddd40f3ac5f6a227896b55baef5df2789b97dfd01b380a0ba878544f0de765ff076d0e9a6b1ea1ac65eab4f04a261bdcad7

memory/3880-28-0x0000000074ED0000-0x0000000075680000-memory.dmp

C:\Windows\windows32\first.bat

MD5 fc80bcba34c7b5c52ad16112bdcf02f1
SHA1 e6e75e60058cba6bb0b17b6dbabc00c2001383e3
SHA256 257adc7a94446e06205da6cb489400ad3c5475a5c2a621ae6dce1c74fcde7308
SHA512 df2612901f3ec6b335a3ad9ed765cd752488b95c066f399ffa9b6febe4dd94ef88a0d846af933758c49ae06d1d578fe6a8fd54998d764f098c12ba4fe99244d8

C:\Windows\windows32\Mapper.exe

MD5 284396aa4d663e010b4ecee9ddf90269
SHA1 1746d269a0c3f2fb2b75750a732c8339f0cfbfe9
SHA256 2a9e2f0f019399b393354db70af0cfabda83f87251943db7d93e50e716c824fb
SHA512 bd9466f00e71b5787bddaf410b71b04af37a7ca60deff6550df344af8dcae5d3ad138e8371dabd3003e3f6e92b92ce457ffa1d83134bf3f68fb2bd090903f062

C:\Windows\windows32\TPM.exe

MD5 141f8f2f5ed209f266ea76ff007e5c48
SHA1 0e9ce868c3c374b9739fb8e76aad9929db232e2a
SHA256 a95488c430d9d8d9003dd789dfcb3464f9c6a35fba6867a4333295c7e5d079d2
SHA512 7bba64202d96c8a449f47e3030a75978b250fd0e0d1dd01f9d5a9d67526bdbbec3a36ba169808e3291f9c1e7bd89f352d3d33632ba959385f833bffe8eddc22e

C:\Users\Admin\AppData\Local\Temp\ytmp\tmp5592.bat

MD5 d6ccd466a92b78feb9b09ec3325aad98
SHA1 7b9bd1e5e92f89a21309c5939549b19f9e457960
SHA256 8deeea9397a9fe75c58f589dde72f677274985ae1fcf0f37c6e1787ddc1ada3e
SHA512 02874936cff5eba51aac38543874770f1d2e55b2e93f934c368523e51bbedab37331fb25d83b6ad1d80fa9a732e02b4d9da0b63c472070675a8ea4031e89967a

memory/1848-47-0x0000000002E00000-0x0000000002E36000-memory.dmp

memory/1848-48-0x0000000005950000-0x0000000005F78000-memory.dmp

memory/1848-50-0x0000000006020000-0x0000000006086000-memory.dmp

memory/1848-49-0x0000000005F80000-0x0000000005FA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_amd0pq1f.xn1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1848-60-0x0000000006330000-0x0000000006684000-memory.dmp

memory/1848-61-0x0000000006710000-0x000000000672E000-memory.dmp

memory/1848-62-0x0000000006750000-0x000000000679C000-memory.dmp

memory/1848-63-0x0000000007D90000-0x000000000840A000-memory.dmp

memory/1848-64-0x0000000006C30000-0x0000000006C4A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6195a91754effb4df74dbc72cdf4f7a6
SHA1 aba262f5726c6d77659fe0d3195e36a85046b427
SHA256 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
SHA512 ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

memory/4856-77-0x0000000005860000-0x0000000005BB4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9d913ae477dc018af41b7df122b2f7d7
SHA1 97fe2f10a20dc1584da328ab51aac3172ebf3cd3
SHA256 230d927dd2b7f7838577f53b5df07d650c24896b0e40a945e518ee3a0c6e0fe1
SHA512 a4bebfcc37abfefd335222810de3c37f94e33d855de920b75b632c61a888428e7bfd16c3be9c7b08abbf5fcfd62c7e1893d7b33680395fda1e3f7c6b9b710fe9

memory/4856-79-0x0000000006E50000-0x0000000006E82000-memory.dmp

memory/4856-80-0x000000006EC90000-0x000000006ECDC000-memory.dmp

memory/4856-90-0x0000000006E90000-0x0000000006EAE000-memory.dmp

memory/4856-91-0x0000000007170000-0x0000000007213000-memory.dmp

memory/4856-92-0x0000000007280000-0x000000000728A000-memory.dmp

memory/4856-93-0x0000000007470000-0x0000000007506000-memory.dmp

memory/4856-94-0x0000000005D00000-0x0000000005D11000-memory.dmp

memory/4856-95-0x0000000005D40000-0x0000000005D4E000-memory.dmp

memory/4856-96-0x00000000073D0000-0x00000000073E4000-memory.dmp

memory/4856-97-0x0000000007410000-0x0000000007420000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6cf4fd7d69d1c036fbf6205012928762
SHA1 b431013ef845ffaff22f572b0a2aac999efa0dbb
SHA256 1c7b686bb0c36b6a04ad5a2548831de9747914222a5f1d90abeccbd2afcd1c26
SHA512 257cf7ea8a73a6e5355d841f8e301c63797a6256423c9fa46973c2b032ae3055708adcc94d52bd38fcfacc33d50fa16f3377a58cb2b7451d10288170aa224e73

memory/1764-109-0x000000006EC90000-0x000000006ECDC000-memory.dmp