Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-10-2024 23:25

Static task: static1
Behavioral task: behavioral1
  Sample: QISFJPGM_ARBIF.scr
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: QISFJPGM_ARBIF.scr
  Resource: win10v2004-20241007-en
General
Target: QISFJPGM_ARBIF.scr
Size: 2.7MB
MD5: 297d2bd9dd5c1564226782d263fa3818
SHA1: 619df94b29f9515d793a8e649f7c190f310cb3d7
SHA256: 6a6c4d018027348d7269631f8b40eb5462fd3ad61efdb7337a32ba5dbc82f11c
SHA512: 36f2406e0f1deec208dc31a8b21755523eb786865ec9e7ddc03505dd4e54adbbd7d26e460ad292f41f0d74bfbb68777b616c201edf0581eecd1c73b783f9023a
SSDEEP: 49152:bXz+x0ii0ZyT4BpIlFEFG93v4cVvn0o280hOHFSDkCZx/Nf8r+qBk/q8RZQNk2q9:bXz+OAmys/4cV8o28QOlSDkCD/s+i2jd
Malware Config
Signatures
Banload
Banload variants download malicious files, then install and execute the files.
Banload family
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: svchost.exe, update_mur.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | update_mur.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | update_mur.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: QISFJPGM_ARBIF.scr
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | QISFJPGM_ARBIF.scr
Drops startup file (1 IoC)
Processes: QISFJPGM_ARBIF.scr
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\íå ðàññòðàèâàéñÿ.txt | QISFJPGM_ARBIF.scr
Executes dropped EXE (4 IoCs)
Processes: svchost.exe, update_mur.exe, svchost.exe, update_mur.exe
pid | process
4696 | svchost.exe
5060 | update_mur.exe
2148 | svchost.exe
1148 | update_mur.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files (1 TTP)
Steals credentials from unsecured files.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\AppData\\Local\\winrar.exe" | svchost.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (43 IoCs)
Processes: svchost.exe
description | ioc | process
File opened for modification | \??\c:\Windows\SysWOW64\fr-FR\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\it-IT\Licenses\Volume\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\ja-JP\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\de-license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\uk-UA\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\en-US\Licenses\_Default\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\es-ES\Licenses\OEM\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\es-ES\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\fr-FR\Licenses\OEM\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\ja-JP\Licenses\OEM\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\Licenses\neutral\OEM\Professional\de-license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\de-DE\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\ja-JP\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\fr-FR\Licenses\Volume\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\fr-FR\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\it-IT\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\uk-UA\Licenses\Volume\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\de-DE\Licenses\_Default\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\en-US\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\it-IT\Licenses\OEM\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\it-IT\Licenses\_Default\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\uk-UA\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\de-DE\Licenses\OEM\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\es-ES\Licenses\_Default\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\Licenses\neutral\OEM\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\uk-UA\Licenses\_Default\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\es-ES\Licenses\Volume\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\it-IT\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\ja-JP\Licenses\Volume\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\uk-UA\Licenses\OEM\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\de-DE\Licenses\Volume\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\en-US\Licenses\Volume\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\en-US\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\es-ES\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\fr-FR\Licenses\_Default\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\Licenses\neutral\Volume\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\de-DE\lpeula.rtf | svchost.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\ttt.jpg" | svchost.exe
Drops file in Program Files directory (64 IoCs)
Processes: svchost.exe, update_mur.exe
description | ioc | process
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\8.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\Welcome_Slide01.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\DialRotation.mp4 | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\1.jpg | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\protect_poster.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\29.jpg | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\forms_poster.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomSetupDisambig.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Bark.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg6.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\Java\jdk-1.8\javafx-src.zip | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\1.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg3.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\29.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\FlatFreehand3D.mp4 | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\animations | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\media_poster.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\34.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\canvas_dark.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_03.jpg | svchost.exe
File opened for modification | C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\LTR.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4 | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\organize_poster.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Wood.jpg | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf | svchost.exe
File opened for modification | C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\fr_1c8f429d30f12575\OOBE_HELP_Cortana_Learn_More.rtf | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\5.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\32.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_01.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\MissingAlbumArt.jpg | svchost.exe
File opened for modification | C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\es_b4637444f479d524\OOBE_HELP_Opt_in_Details.rtf | svchost.exe
File opened for modification | \??\c:\Program Files\ResolveWait.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Gravel.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\video_offline_demo_page2.jpg | svchost.exe
File opened for modification | C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\DC.pdf | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\12.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Sand.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FirstRunMailBlurred.layoutdir- | svchost.exe
File created | C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\ufr_reports\NO_PWDS_report_29-10-2024_23-25-25-A3C533590EF2311EE9B53A58957F0C8A-FDHO.bin | update_mur.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\0.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\31.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg4.jpg | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\action_poster.jpg | svchost.exe
File opened for modification | C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\Services.pdf | svchost.exe
File opened for modification | C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\Paper.pdf | svchost.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\10.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\34.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Pair.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg7.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\video_offline_demo_page1.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\no_camera_dialog_image01.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_04.jpg | svchost.exe
File opened for modification | C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\ufr_reports\NO_PWDS_report_29-10-2024_23-25-25-A3C533590EF2311EE9B53A58957F0C8A-FDHO.bin | update_mur.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\40.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_Error.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-3.jpg | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old- | svchost.exe
File created | C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\mmm.bat | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\3.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_05.jpg | svchost.exe
Drops file in Windows directory (64 IoCs)
Processes: svchost.exe
description | ioc | process
File opened for modification | \??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg | svchost.exe
File opened for modification | \??\c:\Windows\Web\4K\Wallpaper\Windows\img0_2160x3840.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_54fc031bd6317175\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\img13.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_eb9e22c1d4df2ac9\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..efault-professional_31bf3856ad364e35_10.0.19041.1288_none_b39472f9da00dbd0\de-license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-fax-common_31bf3856ad364e35_10.0.19041.1_none_c1f5bc6ceffe0e16\WelcomeScan.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-h..statement.resources_31bf3856ad364e35_10.0.19041.1_en-us_e6227f969ce058cc\vofflps.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1266_en-us_1416079c8abdf6d1\f\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_en-us_4df75bd69cec0d2d\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..se-oem-professional_31bf3856ad364e35_10.0.19041.264_none_ebf48bd219ef8b65\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..se-oem-professional_31bf3856ad364e35_10.0.19041.1288_none_def92cfd289b607e\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_8a8440f738abd1b9\DMR_120.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-h..learnmore.resources_31bf3856ad364e35_10.0.19041.1_en-us_7a0c6fba3df81d6e | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_6fa7e5bbaa15a17d\security_watermark.jpg | svchost.exe
File opened for modification | \??\c:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg | svchost.exe
File opened for modification | \??\c:\Windows\Web\4K\Wallpaper\Windows\img0_1366x768.jpg | svchost.exe
File opened for modification | \??\c:\Windows\Web\Wallpaper\Theme2\img7.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-h..atement_r.resources_31bf3856ad364e35_10.0.19041.1_es-es_0cef4537345a980a\privacy.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-h..learnmore.resources_31bf3856ad364e35_10.0.19041.1_fr- | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_de-de_09885a3ff45a5da9\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..efault-professional_31bf3856ad364e35_10.0.19041.1288_none_0fb30e7d925e4d06\r\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_de-de_01252161666b729e\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..se-oem-professional_31bf3856ad364e35_10.0.19041.1288_none_def92cfd289b607e\f\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img7.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-h..learnmore.resources_31bf3856ad364e35_10.0.19041.1_de- | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-s..l-wallpaper-windows_31bf3856ad364e35_10.0.19041.1_none_910333b84fcf455a\img0_768x1024.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\img2.jpg | svchost.exe
File opened for modification | \??\c:\Windows\Web\4K\Wallpaper\Windows\img0_1024x768.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-h..atement_r.resources_31bf3856ad364e35_10.0.19041.1_en-us_0d23e8533433a665\privacy.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_de-de_09885a3ff45a5da9\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_it-it_3f23f962ad6356f3\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_e149786fa07e68ce\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1266_en-us_68eabd5c6b1d4e11\r\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_e6d709a245b459a8\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..efault-professional_31bf3856ad364e35_10.0.19041.1288_none_b39472f9da00dbd0\r\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..se-oem-professional_31bf3856ad364e35_10.0.19041.1288_none_82da9179703def48\de-license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..se-oem-professional_31bf3856ad364e35_10.0.19041.1288_none_82da9179703def48\f\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-s..l-wallpaper-windows_31bf3856ad364e35_10.0.19041.1_none_910333b84fcf455a\img0_1600x2560.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1266_en-us_7636dd425605d882\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_en-us_b7621740403208d4\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_9ba578f9af85bdf4\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-h..statement.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_88a552798fd960d3\vofflps.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\DMR_48.jpg | svchost.exe
File opened for modification | \??\c:\Windows\Web\4K\Wallpaper\Windows\img0_3840x2160.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_it-it_e1ec0ac43f1514a8\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\DMR_120.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_f3a9dc0fe254a157\DMR_48.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1266_en-us_b7f76c18d260859b\f\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_7cc7a40d5a320c8d\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\Web\Wallpaper\Theme2\img8.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1266_en-us_1416079c8abdf6d1\r\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_3303de6fba37b5c7\security_watermark.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-h..indetails.resources_31bf3856ad364e35_10.0.19041.1_es- | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-h..statement.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5eddc7a9d074a71\vofflps.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_it-it_3f23f962ad6356f3\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..efault-professional_31bf3856ad364e35_10.0.19041.1288_none_0fb30e7d925e4d06\f\de-license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg | svchost.exe
File opened for modification | \??\c:\Windows\Web\4K\Wallpaper\Windows\img0_1600x2560.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..efault-professional_31bf3856ad364e35_10.0.19041.1288_none_0fb30e7d925e4d06\r\de-license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_en-us_bccdda8b17992b69\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..se-oem-professional_31bf3856ad364e35_10.0.19041.1288_none_82da9179703def48\r\de-license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\img3.jpg | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: update_mur.exe, cmd.exe, QISFJPGM_ARBIF.scr, svchost.exe, svchost.exe, update_mur.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | update_mur.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | QISFJPGM_ARBIF.scr
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | update_mur.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: update_mur.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | update_mur.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | update_mur.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | update_mur.exe
Modifies Control Panel (3 IoCs)
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\ | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\TileWallpaper = "0" | svchost.exe
Modifies registry class 31 IoCs
Processes:
svchost.exe, update_mur.exe
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\ = "LegacyTraceSession" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\InprocServer32 | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\InprocServer32\ThreadingModel = "both" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\InprocServer32\ThreadingModel = "both" | update_mur.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}" | update_mur.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\AppID = "{03837503-098b-11d8-9414-505054503030}" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\LocalServer32 | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\Version | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\TypeLib | update_mur.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\ProgID\ = "PLA.LegacyTraceSession.1" | update_mur.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\ProgID | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\TypeLib | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\VersionIndependentProgID\ = "PLA.LegacyTraceSession" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\ = "LegacyTraceSession" | update_mur.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\LocalServer32 | update_mur.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll" | update_mur.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\ProgID | update_mur.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\Version | update_mur.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\ProgID\ = "PLA.LegacyTraceSession.1" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\AppID = "{03837503-098b-11d8-9414-505054503030}" | update_mur.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\InprocServer32 | update_mur.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\VersionIndependentProgID\ = "PLA.LegacyTraceSession" | update_mur.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\Version\ = "1.0" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\VersionIndependentProgID | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe" | update_mur.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\Version\ = "1.0" | update_mur.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\VersionIndependentProgID | update_mur.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A66374-D0A6-6374-D0A6-6374D0A66374}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}" | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
update_mur.exe
PID | Process
1148 | update_mur.exe (6 entries)
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
update_mur.exe, svchost.exe
Description | PID | Process
Token: 33 | 1148 | update_mur.exe
Token: SeIncBasePriorityPrivilege | 1148 | update_mur.exe
Token: 33 | 1148 | update_mur.exe
Token: SeIncBasePriorityPrivilege | 1148 | update_mur.exe
Token: 33 | 2148 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2148 | svchost.exe
Token: 33 | 2148 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2148 | svchost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
QISFJPGM_ARBIF.scr, svchost.exe, update_mur.exe
Description | PID | Process | procid_target
PID 3984 wrote to memory of 4696 | 3984 | QISFJPGM_ARBIF.scr | 85 (3 entries)
PID 3984 wrote to memory of 5060 | 3984 | QISFJPGM_ARBIF.scr | 87 (3 entries)
PID 4696 wrote to memory of 2148 | 4696 | svchost.exe | 88 (5 entries)
PID 5060 wrote to memory of 1148 | 5060 | update_mur.exe | 89 (the remaining 53 of the 64 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\QISFJPGM_ARBIF.scr (PID 3984)
    Command line: "C:\Users\Admin\AppData\Local\Temp\QISFJPGM_ARBIF.scr" /S
    - Checks computer location settings
    - Drops startup file
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe (PID 4696)
        Command line: "C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe"
        (The directory name is cp1251 Cyrillic rendered through the cp1252 code page of the en-US sandbox; decoded it reads "Информационные Решения\Справочная информация!". On a Western-locale host the literal path is the mojibake form shown here, so match on both spellings.)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe (PID 2148)
            Command line: "C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe"
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Sets desktop wallpaper using registry
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Modifies Control Panel
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\cmd.exe (PID 4312)
                Command line: C:\Windows\system32\cmd.exe /c mmm.bat
                - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_mur.exe (PID 5060)
        Command line: "C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_mur.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_mur.exe (PID 1148)
            Command line: "C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_mur.exe"
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)
Downloads
-
Filesize: 17B
MD5: bf55292f19b02c6dd1934f2ea2c6ae9d
SHA1: 0dc0e99b63b557bd0eef88422a98bdd944bc0d86
SHA256: 0a233cde4c8f447e9de44205506e62fee592a625f9c4e1ee1394a5de9712902e
SHA512: e570ce99327527cd3d63256eac3763ba88e33ff4110bbcbeddce0860e88b45afb8180ef82a01669a6e5205a28353a9fce95a1cd9906da10670f9a7c9d947c500
-
Filesize: 3.6MB
MD5: ec02d8bc24e6f37321a5b013e4f70faf
SHA1: 3c5ef89563cb851d116bff6e123a2399c2ba200b
SHA256: 9b4fff7c8f19f382b96711491cedc96a08c22264fb63edd740f8c841e375f04b
SHA512: 998625680851251f106ec5e5ce227f8ef78c753933c13417b4762f7d7987cfe1097b5ea160b3b7d76da0e7e5dd232f5916e96dcbae1103cf0ba31101a57a140b
-
C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\ufr_reports\NO_PWDS_report_29-10-2024_23-25-25-A3C533590EF2311EE9B53A58957F0C8A-FDHO.bin
Filesize: 1KB
MD5: 804bd143f1f47ede1f53d16779406f0c
SHA1: 84de17a0e15e920b6f61fc71c5a82e4b41ebc121
SHA256: 933cc90f72fb2ab555ffcdec4c074190a3400038e3b84daf67922af16935a8e2
SHA512: 0a991bce08befb6ce8f969b500746f5055288dcc7c497c06d1f2be4f6e13da02ce8e12fb63183440c69e4e8ce5774740a79d6add28848c41c5599cf8195e9914
-
Filesize: 2.9MB
MD5: f67e28cded725e67d055ecb7e4bbc620
SHA1: 2295f98d3bc38b4a0d89dabf240d30d8a4bc07ba
SHA256: 627fdbd3d19ae2a7b3900d455d7619f6787762e76dc5f8028c9aac5ea4a7a3f7
SHA512: 60c0afb69036bcd56d6b1df52e808a1017841651d668e6d301c1ef9f0f0cf9856c981a4d41b1ad137b2b6679c8d274973b77a0fa287ffe996467659880c849d1
-
Filesize: 4B
MD5: c2f09542b6c7daf4288f3524c8cebb18
SHA1: 9430b21baf07f0d105b9ee5fdd9f868418454517
SHA256: 55d7808233c58f1606fff77eb382a02ed729bf5d8b2640fb313d0f7c91e970d4
SHA512: dcc19cfbc78b78708ce2586228424194f846d80b6d072045baaf93559d20f71e809a4eb57e7dac3b4ea109d90aeb585d0b5438dc1dd7d34054c03aa6350d6672
-
Filesize: 53KB
MD5: 18aa8c33f1709dfd63483d2f72c571c2
SHA1: 3026b5a43b805bdeadf88f191dbedd459037395e
SHA256: bb31365adc675a4b89f20af3e71a9f987e292b71f428ab1e01a0405e3fa8ec01
SHA512: 0ceab961862a70fe21b8d42d9ab922156117226424db5ed8c73c939fe0930aa46d745098d119f72c3e98434abea407c2381a2b3bb1147e7b776d2b9824ea5bd8
-
Filesize: 52KB
MD5: a05a2738ea9c40a47a1b143e07a2e1e2
SHA1: 0fd67aa8da9dc53b59c727bc4e871f56556c77b6
SHA256: cc37164df4b514a1b7c2b397cd865cf98fe5473c97ed5fb794ae8e5642b7f9cb
SHA512: f387cd663d8784d044002fa217e570c56771791cc1424d6afaf3a166c3e57832b87787e48f6ea5623f455611c759443dd21654c067722452caaed64eb1c5316e