Resubmissions
28-12-2022 20:37
221228-zea5taef5v 1013-07-2021 12:27
210713-cvc55ag4yn 1025-02-2021 06:56
210225-dwftz9jkjn 1004-11-2019 11:15
191104-athqk1tjxn 10Analysis
-
max time kernel
138s -
max time network
149s -
resource
win10v191014 -
submitted
04-11-2019 11:15
Task
task1
Sample
update2.exe
Resource
win7v191014
0 signatures
General
-
Target
update2.exe
-
Size
746KB
-
MD5
0bfb4a1efbb20a7291fcc022dec7d58b
-
SHA1
faec2a0afe296224f980ac059cf63f18eba800ce
-
SHA256
73ae67036a0d291c18208037010de359520cd613dda2f9eabfde3fec5558324f
-
SHA512
eae0e585ef29f56f27da897783ec582b228124437a6355cfd7b56be229558913dfd87d3005482c0fe54ba8f5e79fb1d50f869bd0e619b0ca7318ac055c62b425
Malware Config
Extracted
Family
qakbot
Campaign
1572863946
Credentials
Protocol: ftp- Host:
192.185.5.208 - Port:
21 - Username:
logger@dustinkeeling.com - Password:
NxdkxAp4dUsY
Protocol: ftp- Host:
162.241.218.118 - Port:
21 - Username:
logger@misterexterior.com - Password:
EcOV0DyGVgVN
Protocol: ftp- Host:
69.89.31.139 - Port:
21 - Username:
cpanel@vivekharris-architects.com - Password:
fcR7OvyLrMW6!
Protocol: ftp- Host:
169.207.67.14 - Port:
21 - Username:
cpanel@dovetailsolar.com - Password:
eQyicNLzzqPN
C2
112.171.126.153:443
67.200.146.98:2222
174.16.234.171:993
71.30.56.170:443
71.77.231.251:443
72.213.98.233:443
2.50.170.151:443
184.180.157.203:2222
96.35.170.82:2222
64.19.74.29:995
104.32.185.213:2222
104.3.91.20:995
173.22.120.11:2222
173.3.132.17:995
74.194.4.181:443
75.131.72.82:443
68.238.144.55:443
100.4.185.8:443
104.34.122.18:443
65.30.12.240:443
24.201.68.105:2087
32.208.1.239:443
168.245.228.71:443
47.153.115.154:995
24.201.68.105:2078
23.240.185.215:443
72.47.115.182:443
187.163.139.200:993
75.81.25.223:995
5.182.39.156:443
75.130.117.134:443
73.145.189.17:443
181.47.60.21:995
72.29.181.77:2083
81.147.42.195:2222
68.238.56.27:443
116.72.208.166:2222
78.94.55.26:50003
50.246.229.50:443
98.186.90.192:995
185.219.83.73:443
108.45.183.59:443
66.214.75.176:443
67.10.18.112:993
184.74.101.234:995
107.12.140.181:443
172.78.45.13:995
50.78.93.74:995
67.246.16.250:995
47.148.143.146:443
67.5.33.229:2078
47.23.101.26:993
12.5.37.3:995
24.30.71.200:443
72.29.181.77:2078
65.16.241.150:443
190.120.196.18:443
182.56.27.125:995
71.93.60.90:443
72.46.151.196:995
137.25.72.175:443
196.194.76.68:2222
76.116.128.81:443
105.246.75.20:995
197.89.140.129:995
62.0.67.88:995
190.217.1.149:443
188.52.115.139:443
47.180.66.10:443
107.12.131.249:443
75.142.59.167:443
181.94.163.26:443
98.186.155.8:443
61.98.155.61:443
47.202.98.230:443
2.50.41.185:443
217.162.149.212:443
75.110.90.155:443
166.62.180.194:2078
62.103.70.217:995
108.227.161.27:443
47.146.169.85:443
181.126.80.118:443
12.5.37.3:443
162.244.225.30:443
174.130.203.235:443
205.250.79.62:443
162.244.224.166:443
104.235.94.7:443
106.51.0.228:443
123.252.128.47:443
96.59.11.86:443
174.131.181.120:995
207.162.184.228:443
76.80.66.226:443
173.178.129.3:443
47.23.101.26:465
206.51.202.106:50002
201.152.111.120:995
75.131.72.82:995
174.48.72.160:443
75.70.218.193:443
12.176.32.146:443
68.174.15.223:443
199.126.92.231:995
173.178.129.3:990
72.16.212.107:995
200.104.249.67:443
207.179.194.91:443
75.110.250.89:443
108.160.123.244:443
50.247.230.33:443
47.214.144.253:443
99.228.242.183:995
72.142.106.198:465
73.226.220.56:443
45.37.57.119:2222
67.214.201.117:2222
173.247.186.90:443
98.148.177.77:443
111.125.70.30:2222
80.14.209.42:2222
2.177.101.143:443
67.160.63.127:443
70.185.229.3:443
184.191.62.78:443
47.155.19.205:443
88.111.255.235:2222
75.110.219.10:443
76.169.19.193:443
116.58.100.130:443
173.91.254.236:443
72.132.145.25:443
73.137.187.150:443
24.180.7.155:443
75.165.132.69:443
71.197.126.250:443
75.165.162.33:443
65.189.49.227:443
100.38.164.182:443
36.236.235.213:443
76.174.122.204:443
70.180.100.156:443
75.174.33.205:443
174.82.131.155:995
200.104.40.85:443
172.116.85.178:443
75.182.115.93:443
24.42.250.18:443
179.36.62.217:443
Signatures
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
update2.exeupdate2.exeijsethyt.exeijsethyt.exeexplorer.exeupdate2.exeijsethyt.exeijsethyt.exepid process 4916 update2.exe 4916 update2.exe 4976 update2.exe 4976 update2.exe 4976 update2.exe 4976 update2.exe 364 ijsethyt.exe 364 ijsethyt.exe 3060 ijsethyt.exe 3060 ijsethyt.exe 3060 ijsethyt.exe 3060 ijsethyt.exe 3052 explorer.exe 3052 explorer.exe 3052 explorer.exe 3052 explorer.exe 4520 update2.exe 4520 update2.exe 2052 ijsethyt.exe 2052 ijsethyt.exe 4152 ijsethyt.exe 4152 ijsethyt.exe 4152 ijsethyt.exe 4152 ijsethyt.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
ijsethyt.exepid process 364 ijsethyt.exe -
Processes:
reg.exesvchost.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" svchost.exe -
Turns off Windows Defender SpyNet reporting 6 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" reg.exe -
Processes:
svchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe -
Processes:
reg.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr = "0" reg.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 9 IoCs
Processes:
update2.exesvchost.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" update2.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" update2.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\15\52C64B7E svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ update2.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" update2.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" update2.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe -
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
ijsethyt.exeijsethyt.exeupdate2.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 ijsethyt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service ijsethyt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc update2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service update2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service ijsethyt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service update2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 update2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 ijsethyt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 update2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc update2.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
svchost.exesvchost.exesvchost.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance svchost.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch svchost.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch2 svchost.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\BITS Writer svchost.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch svchost.exe -
Suspicious use of WriteProcessMemory 46 IoCs
Processes:
update2.exeSppExtComObj.exeijsethyt.exeupdate2.exeijsethyt.exedescription pid process target process PID 4916 wrote to memory of 4976 4916 update2.exe update2.exe PID 4916 wrote to memory of 4976 4916 update2.exe update2.exe PID 4916 wrote to memory of 4976 4916 update2.exe update2.exe PID 5020 wrote to memory of 5048 5020 SppExtComObj.exe SLUI.exe PID 5020 wrote to memory of 5048 5020 SppExtComObj.exe SLUI.exe PID 4916 wrote to memory of 364 4916 update2.exe ijsethyt.exe PID 4916 wrote to memory of 364 4916 update2.exe ijsethyt.exe PID 4916 wrote to memory of 364 4916 update2.exe ijsethyt.exe PID 4916 wrote to memory of 1016 4916 update2.exe schtasks.exe PID 4916 wrote to memory of 1016 4916 update2.exe schtasks.exe PID 4916 wrote to memory of 1016 4916 update2.exe schtasks.exe PID 364 wrote to memory of 3060 364 ijsethyt.exe ijsethyt.exe PID 364 wrote to memory of 3060 364 ijsethyt.exe ijsethyt.exe PID 364 wrote to memory of 3060 364 ijsethyt.exe ijsethyt.exe PID 364 wrote to memory of 3052 364 ijsethyt.exe explorer.exe PID 364 wrote to memory of 3052 364 ijsethyt.exe explorer.exe PID 364 wrote to memory of 3052 364 ijsethyt.exe explorer.exe PID 364 wrote to memory of 3052 364 ijsethyt.exe explorer.exe PID 4520 wrote to memory of 3840 4520 update2.exe reg.exe PID 4520 wrote to memory of 3840 4520 update2.exe reg.exe PID 4520 wrote to memory of 4284 4520 update2.exe reg.exe PID 4520 wrote to memory of 4284 4520 update2.exe reg.exe PID 4520 wrote to memory of 4264 4520 update2.exe reg.exe PID 4520 wrote to memory of 4264 4520 update2.exe reg.exe PID 4520 wrote to memory of 4628 4520 update2.exe reg.exe PID 4520 wrote to memory of 4628 4520 update2.exe reg.exe PID 4520 wrote to memory of 4584 4520 update2.exe reg.exe PID 4520 wrote to memory of 4584 4520 update2.exe reg.exe PID 4520 wrote to memory of 4684 4520 update2.exe reg.exe PID 4520 wrote to memory of 4684 4520 update2.exe reg.exe PID 4520 wrote to memory of 4700 4520 update2.exe reg.exe PID 4520 wrote to memory of 4700 4520 update2.exe reg.exe PID 4520 wrote to memory of 4360 4520 update2.exe reg.exe PID 4520 wrote to memory of 4360 4520 update2.exe reg.exe PID 4520 wrote to memory of 3700 4520 update2.exe reg.exe PID 4520 wrote to memory of 3700 4520 update2.exe reg.exe PID 4520 wrote to memory of 2052 4520 update2.exe ijsethyt.exe PID 4520 wrote to memory of 2052 4520 update2.exe ijsethyt.exe PID 4520 wrote to memory of 2052 4520 update2.exe ijsethyt.exe PID 4520 wrote to memory of 4244 4520 update2.exe cmd.exe PID 4520 wrote to memory of 4244 4520 update2.exe cmd.exe PID 4520 wrote to memory of 4188 4520 update2.exe schtasks.exe PID 4520 wrote to memory of 4188 4520 update2.exe schtasks.exe PID 2052 wrote to memory of 4152 2052 ijsethyt.exe ijsethyt.exe PID 2052 wrote to memory of 4152 2052 ijsethyt.exe ijsethyt.exe PID 2052 wrote to memory of 4152 2052 ijsethyt.exe ijsethyt.exe -
Executes dropped EXE 4 IoCs
Processes:
ijsethyt.exeijsethyt.exeijsethyt.exeijsethyt.exepid process 364 ijsethyt.exe 3060 ijsethyt.exe 2052 ijsethyt.exe 4152 ijsethyt.exe -
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName svchost.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System svchost.exe -
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwisom = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Onjpsefhpr\\ijsethyt.exe\"" explorer.exe -
Runs ping.exe 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\update2.exe"C:\Users\Admin\AppData\Local\Temp\update2.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\update2.exeC:\Users\Admin\AppData\Local\Temp\update2.exe /C2⤵
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exeC:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exeC:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C3⤵
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s)
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Adds Run entry to start application
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn tdqnfqf /tr "\"C:\Users\Admin\AppData\Local\Temp\update2.exe\" /I tdqnfqf" /SC ONCE /Z /ST 12:17 /ET 12:292⤵
- Creates scheduled task(s)
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent2⤵
-
C:\Users\Admin\AppData\Local\Temp\update2.exeC:\Users\Admin\AppData\Local\Temp\update2.exe /I tdqnfqf1⤵
- Suspicious behavior: EnumeratesProcesses
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"2⤵
- Windows security modification
- Turns off Windows Defender SpyNet reporting
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"2⤵
- Windows security modification
- Turns off Windows Defender SpyNet reporting
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"2⤵
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"2⤵
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"2⤵
- Windows security modification
- Turns off Windows Defender SpyNet reporting
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"2⤵
- Windows security modification
- Turns off Windows Defender SpyNet reporting
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"2⤵
- Windows security modification
- Turns off Windows Defender SpyNet reporting
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"2⤵
- Windows security modification
- Turns off Windows Defender SpyNet reporting
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr" /d "0"2⤵
- Windows security bypass
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exeC:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exeC:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C3⤵
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s)
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\update2.exe"2⤵
-
C:\Windows\system32\PING.EXEping.exe -n 6 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /F /TN tdqnfqf2⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Modifies data under HKEY_USERS
- Drops file in Windows directory
- Modifies service
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
- Modifies service
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵
- Checks system information in the registry
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵
- Windows security modification
- Checks whether UAC is enabled
- Modifies service
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.dat
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
-
memory/364-5-0x0000000002800000-0x0000000002892000-memory.dmpFilesize
584KB
-
memory/3060-4-0x0000000002A80000-0x0000000002A81000-memory.dmpFilesize
4KB
-
memory/4152-9-0x0000000002800000-0x0000000002801000-memory.dmpFilesize
4KB
-
memory/4976-0-0x0000000002AF0000-0x0000000002AF1000-memory.dmpFilesize
4KB