Analysis Overview
SHA256
79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046
Threat Level: Known bad
The file 79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Phorphiex, Phorpiex
Windows security bypass
Phorphiex family
Phorphiex payload
Stops running service(s)
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Windows security modification
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Launches sc.exe
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Unsigned PE
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 03:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 03:07
Reported
2024-11-08 03:09
Platform
win7-20240903-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\sysppvrdnvs.exe | N/A |
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B319.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\334213521.exe | N/A |
| N/A | N/A | C:\Windows\sysppvrdnvs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\192966865.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\591630655.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1171221931.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2201215128.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1460213058.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B319.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B319.exe | N/A |
| N/A | N/A | C:\Windows\sysppvrdnvs.exe | N/A |
| N/A | N/A | C:\Windows\sysppvrdnvs.exe | N/A |
| N/A | N/A | C:\Windows\sysppvrdnvs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1171221931.exe | N/A |
| N/A | N/A | C:\Windows\sysppvrdnvs.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe" | C:\Users\Admin\AppData\Local\Temp\334213521.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysppvrdnvs.exe | C:\Users\Admin\AppData\Local\Temp\334213521.exe | N/A |
| File opened for modification | C:\Windows\sysppvrdnvs.exe | C:\Users\Admin\AppData\Local\Temp\334213521.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysppvrdnvs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1171221931.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\334213521.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\B319.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\ | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\ | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\192966865.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\192966865.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | "C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe" |
| C:\Users\Admin\AppData\Local\Temp\B319.exe | "C:\Users\Admin\AppData\Local\Temp\B319.exe" |
| C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | "C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe" --channel=2568.0.1336417517 --type=renderer |
| C:\Users\Admin\AppData\Local\Temp\334213521.exe | C:\Users\Admin\AppData\Local\Temp\334213521.exe |
| C:\Windows\sysppvrdnvs.exe | C:\Windows\sysppvrdnvs.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait |
| C:\Windows\SysWOW64\sc.exe | sc stop UsoSvc |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" |
| C:\Windows\SysWOW64\sc.exe | sc stop WaaSMedicSvc |
| C:\Windows\SysWOW64\sc.exe | sc stop wuauserv |
| C:\Windows\SysWOW64\sc.exe | sc stop DoSvc |
| C:\Windows\SysWOW64\sc.exe | sc stop BITS /wait |
| C:\Users\Admin\AppData\Local\Temp\192966865.exe | C:\Users\Admin\AppData\Local\Temp\192966865.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager" |
| C:\Windows\system32\reg.exe | reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f |
| C:\Windows\system32\schtasks.exe | schtasks /delete /f /tn "Windows Upgrade Manager" |
| C:\Users\Admin\AppData\Local\Temp\591630655.exe | C:\Users\Admin\AppData\Local\Temp\591630655.exe |
| C:\Users\Admin\AppData\Local\Temp\1171221931.exe | C:\Users\Admin\AppData\Local\Temp\1171221931.exe |
| C:\Users\Admin\AppData\Local\Temp\2201215128.exe | C:\Users\Admin\AppData\Local\Temp\2201215128.exe |
| C:\Users\Admin\AppData\Local\Temp\1460213058.exe | C:\Users\Admin\AppData\Local\Temp\1460213058.exe |
Network
Files
C:\Users\Admin\AppData\Local\Temp\B319.exe
| MD5 | 8d8e6c7952a9dc7c0c73911c4dbc5518 |
| SHA1 | 9098da03b33b2c822065b49d5220359c275d5e94 |
| SHA256 | feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278 |
| SHA512 | 91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645 |
\Users\Admin\AppData\Local\Temp\334213521.exe
| MD5 | 06560b5e92d704395bc6dae58bc7e794 |
| SHA1 | fbd3e4ae28620197d1f02bfc24adaf4ddacd2372 |
| SHA256 | 9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d |
| SHA512 | b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\1[1]
| MD5 | 1fcb78fb6cf9720e9d9494c42142d885 |
| SHA1 | fef9c2e728ab9d56ce9ed28934b3182b6f1d5379 |
| SHA256 | 84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02 |
| SHA512 | cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3 |
\Users\Admin\AppData\Local\Temp\192966865.exe
| MD5 | cb8420e681f68db1bad5ed24e7b22114 |
| SHA1 | 416fc65d538d3622f5ca71c667a11df88a927c31 |
| SHA256 | 5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea |
| SHA512 | baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf |
\Users\Admin\AppData\Local\Temp\591630655.exe
| MD5 | 0c37ee292fec32dba0420e6c94224e28 |
| SHA1 | 012cbdddaddab319a4b3ae2968b42950e929c46b |
| SHA256 | 981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1 |
| SHA512 | 2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b |
\Users\Admin\AppData\Local\Temp\1171221931.exe
| MD5 | 96509ab828867d81c1693b614b22f41d |
| SHA1 | c5f82005dbda43cedd86708cc5fc3635a781a67e |
| SHA256 | a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744 |
| SHA512 | ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca |
C:\Users\Admin\AppData\Local\Temp\2201215128.exe
| MD5 | 13b26b2c7048a92d6a843c1302618fad |
| SHA1 | 89c2dfc01ac12ef2704c7669844ec69f1700c1ca |
| SHA256 | 1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256 |
| SHA512 | d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455 |
\Users\Admin\AppData\Local\Temp\1460213058.exe
| MD5 | c1c2524e6fc9dc3f492248f09cf37d32 |
| SHA1 | fabcb2a675dcb31070d763a2fabc90259921a20d |
| SHA256 | d7c3ed2599c214b4dbcdbb34d2f378cc5a99833cc051143338bf848cc87fda97 |
| SHA512 | ead31dbcd27538dcd734f7568441dc733ae472dbcc475308b69e90f13cc5b1fda5e13afab4241b18006e81b8e52ff9894685a4e8d2cf9161d2b77716119de89f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 03:07
Reported
2024-11-08 03:09
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\sysppvrdnvs.exe | N/A |
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\sysppvrdnvs.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\194423644.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C0EE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30222549.exe | N/A |
| N/A | N/A | C:\Windows\sysppvrdnvs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\194423644.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2866827829.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe" | C:\Users\Admin\AppData\Local\Temp\30222549.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysppvrdnvs.exe | C:\Users\Admin\AppData\Local\Temp\30222549.exe | N/A |
| File opened for modification | C:\Windows\sysppvrdnvs.exe | C:\Users\Admin\AppData\Local\Temp\30222549.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2866827829.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\30222549.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\C0EE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysppvrdnvs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\ | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\ | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\194423644.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\194423644.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | "C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe" |
| C:\Users\Admin\AppData\Local\Temp\C0EE.exe | "C:\Users\Admin\AppData\Local\Temp\C0EE.exe" |
| C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | "C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe" --channel=3944.0.866117654 --type=renderer |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1900 -ip 1900 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 784 |
| C:\Users\Admin\AppData\Local\Temp\30222549.exe | C:\Users\Admin\AppData\Local\Temp\30222549.exe |
| C:\Windows\sysppvrdnvs.exe | C:\Windows\sysppvrdnvs.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" |
| C:\Windows\SysWOW64\sc.exe | sc stop UsoSvc |
| C:\Windows\SysWOW64\sc.exe | sc stop WaaSMedicSvc |
| C:\Windows\SysWOW64\sc.exe | sc stop wuauserv |
| C:\Windows\SysWOW64\sc.exe | sc stop DoSvc |
| C:\Windows\SysWOW64\sc.exe | sc stop BITS /wait |
| C:\Users\Admin\AppData\Local\Temp\194423644.exe | C:\Users\Admin\AppData\Local\Temp\194423644.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager" |
| C:\Windows\system32\reg.exe | reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f |
| C:\Windows\system32\schtasks.exe | schtasks /delete /f /tn "Windows Upgrade Manager" |
| C:\Users\Admin\AppData\Local\Temp\2866827829.exe | C:\Users\Admin\AppData\Local\Temp\2866827829.exe |
Network
Files
C:\Users\Admin\AppData\Local\Temp\C0EE.exe
| MD5 | 8d8e6c7952a9dc7c0c73911c4dbc5518 |
| SHA1 | 9098da03b33b2c822065b49d5220359c275d5e94 |
| SHA256 | feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278 |
| SHA512 | 91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645 |
C:\Users\Admin\AppData\Local\Temp\30222549.exe
| MD5 | 06560b5e92d704395bc6dae58bc7e794 |
| SHA1 | fbd3e4ae28620197d1f02bfc24adaf4ddacd2372 |
| SHA256 | 9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d |
| SHA512 | b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lvloevmk.eqm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WQOY74U4\1[1]
| MD5 | 1fcb78fb6cf9720e9d9494c42142d885 |
| SHA1 | fef9c2e728ab9d56ce9ed28934b3182b6f1d5379 |
| SHA256 | 84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02 |
| SHA512 | cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3 |
C:\Users\Admin\AppData\Local\Temp\194423644.exe
| MD5 | cb8420e681f68db1bad5ed24e7b22114 |
| SHA1 | 416fc65d538d3622f5ca71c667a11df88a927c31 |
| SHA256 | 5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea |
| SHA512 | baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf |
C:\Users\Admin\AppData\Local\Temp\2866827829.exe
| MD5 | 0c37ee292fec32dba0420e6c94224e28 |
| SHA1 | 012cbdddaddab319a4b3ae2968b42950e929c46b |
| SHA256 | 981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1 |
| SHA512 | 2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b |