da3ac98fe7c18ae61e732c9cee9d7ed8a5808d678d4f934b3bbb434b19b2e7e4

Resubmissions

01-07-2024 01:28

240701-bv7a7avhjm 9

01-07-2024 01:19

240701-bpkj8sveqm 9

Analysis

max time kernel
593s
max time network
604s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MW3_Chair.exe
Size

15.6MB
MD5

ce8f99f5b92137f00ef50f08d80c0dba
SHA1

daefb55e55e243f0734a9ccd4ecdaba9043ee505
SHA256

da3ac98fe7c18ae61e732c9cee9d7ed8a5808d678d4f934b3bbb434b19b2e7e4
SHA512

b83c9bd35dfae276d3d2940c153246c98aa2c53e4b1e77db2083e66ad4bcb63b179b1d6699e0f4cd808e201a79f2c1af36955bd1f22ef37cc830b91ef3df0e09
SSDEEP

393216:fyvPl1A8LtIzbhAuqTkOOqtc2BeX5N+Xy28bpa+2BIX7+k5LyCMYvK:crZtobqjkOOqq2BVXSbpaX6NRytX

Score

9^/10

evasion execution persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

MW3_Chair.exeMW3_Chair.exeMW3_Chair.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MW3_Chair.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MW3_Chair.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MW3_Chair.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 3 IoCs

Processes:

MW3_Chair.exeMW3_Chair.exeMW3_Chair.exe

description	ioc	process
File created	C:\Windows\System32\drivers\winhb.sys	MW3_Chair.exe
File opened for modification	C:\Windows\System32\drivers\winhb.sys	MW3_Chair.exe
File opened for modification	C:\Windows\System32\drivers\winhb.sys	MW3_Chair.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MW3_Chair.exeMW3_Chair.exeMW3_Chair.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MW3_Chair.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MW3_Chair.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MW3_Chair.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MW3_Chair.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MW3_Chair.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MW3_Chair.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MW3_Chair.exeMW3_Chair.exeMW3_Chair.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	MW3_Chair.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	MW3_Chair.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	MW3_Chair.exe

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/724-0-0x0000000140000000-0x0000000142290000-memory.dmp	themida
behavioral1/memory/724-1-0x0000000140000000-0x0000000142290000-memory.dmp	themida
behavioral1/memory/724-2-0x0000000140000000-0x0000000142290000-memory.dmp	themida
behavioral1/memory/724-3-0x0000000140000000-0x0000000142290000-memory.dmp	themida
behavioral1/memory/724-14-0x0000000140000000-0x0000000142290000-memory.dmp	themida
behavioral1/memory/724-15-0x0000000140000000-0x0000000142290000-memory.dmp	themida
behavioral1/memory/3728-17-0x0000000140000000-0x0000000142290000-memory.dmp	themida
behavioral1/memory/3728-16-0x0000000140000000-0x0000000142290000-memory.dmp	themida
behavioral1/memory/3728-18-0x0000000140000000-0x0000000142290000-memory.dmp	themida
behavioral1/memory/3728-28-0x0000000140000000-0x0000000142290000-memory.dmp	themida
behavioral1/memory/2476-30-0x0000000140000000-0x0000000142290000-memory.dmp	themida
behavioral1/memory/2476-31-0x0000000140000000-0x0000000142290000-memory.dmp	themida
behavioral1/memory/2476-32-0x0000000140000000-0x0000000142290000-memory.dmp	themida
behavioral1/memory/2476-38-0x0000000140000000-0x0000000142290000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

MW3_Chair.exeMW3_Chair.exeMW3_Chair.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MW3_Chair.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MW3_Chair.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MW3_Chair.exe

Drops file in System32 directory 6 IoCs

Processes:

MW3_Chair.exeMW3_Chair.exeMW3_Chair.exe

description	ioc	process
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	MW3_Chair.exe
File opened for modification	C:\Windows\System32\IME\SHARED\namef.ini	MW3_Chair.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	MW3_Chair.exe
File opened for modification	C:\Windows\System32\IME\SHARED\namef.ini	MW3_Chair.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	MW3_Chair.exe
File opened for modification	C:\Windows\System32\IME\SHARED\namef.ini	MW3_Chair.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

MW3_Chair.exeMW3_Chair.exeMW3_Chair.exe

pid process

724 MW3_Chair.exe
3728 MW3_Chair.exe
2476 MW3_Chair.exe

Drops file in Windows directory 3 IoCs

Processes:

MW3_Chair.exeMW3_Chair.exeMW3_Chair.exe

description	ioc	process
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	MW3_Chair.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	MW3_Chair.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	MW3_Chair.exe

Launches sc.exe 12 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4492 sc.exe
1576 sc.exe
3824 sc.exe
3572 sc.exe
4232 sc.exe
4068 sc.exe
4968 sc.exe
1560 sc.exe
5068 sc.exe
836 sc.exe
5024 sc.exe
3056 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4492	sc.exe
1576	sc.exe
3824	sc.exe
3572	sc.exe
4232	sc.exe
4068	sc.exe
4968	sc.exe
1560	sc.exe
5068	sc.exe
836	sc.exe
5024	sc.exe
3056	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MW3_Chair.exeMW3_Chair.exe

pid	process
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
724	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe
3728	MW3_Chair.exe

Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

664
664
664

pid	process
664
664
664

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

MW3_Chair.exeMW3_Chair.exeMW3_Chair.exe

description	pid	process
Token: SeBackupPrivilege	724	MW3_Chair.exe
Token: SeSecurityPrivilege	724	MW3_Chair.exe
Token: SeBackupPrivilege	724	MW3_Chair.exe
Token: SeSecurityPrivilege	724	MW3_Chair.exe
Token: SeBackupPrivilege	724	MW3_Chair.exe
Token: SeSecurityPrivilege	724	MW3_Chair.exe
Token: SeBackupPrivilege	724	MW3_Chair.exe
Token: SeSecurityPrivilege	724	MW3_Chair.exe
Token: SeBackupPrivilege	3728	MW3_Chair.exe
Token: SeSecurityPrivilege	3728	MW3_Chair.exe
Token: SeBackupPrivilege	3728	MW3_Chair.exe
Token: SeSecurityPrivilege	3728	MW3_Chair.exe
Token: SeBackupPrivilege	3728	MW3_Chair.exe
Token: SeSecurityPrivilege	3728	MW3_Chair.exe
Token: SeBackupPrivilege	3728	MW3_Chair.exe
Token: SeSecurityPrivilege	3728	MW3_Chair.exe
Token: SeBackupPrivilege	2476	MW3_Chair.exe
Token: SeSecurityPrivilege	2476	MW3_Chair.exe
Token: SeBackupPrivilege	2476	MW3_Chair.exe
Token: SeSecurityPrivilege	2476	MW3_Chair.exe
Token: SeBackupPrivilege	2476	MW3_Chair.exe
Token: SeSecurityPrivilege	2476	MW3_Chair.exe
Token: SeBackupPrivilege	2476	MW3_Chair.exe
Token: SeSecurityPrivilege	2476	MW3_Chair.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MW3_Chair.exeMW3_Chair.exe

pid process

3728 MW3_Chair.exe
2476 MW3_Chair.exe

pid	process
3728	MW3_Chair.exe
2476	MW3_Chair.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MW3_Chair.execmd.execmd.execmd.execmd.exeMW3_Chair.execmd.execmd.execmd.execmd.exeMW3_Chair.execmd.execmd.exe

description	pid	process	target process
PID 724 wrote to memory of 2276	724	MW3_Chair.exe	cmd.exe
PID 724 wrote to memory of 2276	724	MW3_Chair.exe	cmd.exe
PID 724 wrote to memory of 2736	724	MW3_Chair.exe	cmd.exe
PID 724 wrote to memory of 2736	724	MW3_Chair.exe	cmd.exe
PID 724 wrote to memory of 4364	724	MW3_Chair.exe	cmd.exe
PID 724 wrote to memory of 4364	724	MW3_Chair.exe	cmd.exe
PID 2276 wrote to memory of 5068	2276	cmd.exe	sc.exe
PID 2276 wrote to memory of 5068	2276	cmd.exe	sc.exe
PID 2736 wrote to memory of 836	2736	cmd.exe	sc.exe
PID 2736 wrote to memory of 836	2736	cmd.exe	sc.exe
PID 724 wrote to memory of 5060	724	MW3_Chair.exe	cmd.exe
PID 724 wrote to memory of 5060	724	MW3_Chair.exe	cmd.exe
PID 724 wrote to memory of 3660	724	MW3_Chair.exe	cmd.exe
PID 724 wrote to memory of 3660	724	MW3_Chair.exe	cmd.exe
PID 3660 wrote to memory of 5024	3660	cmd.exe	sc.exe
PID 3660 wrote to memory of 5024	3660	cmd.exe	sc.exe
PID 724 wrote to memory of 4892	724	MW3_Chair.exe	cmd.exe
PID 724 wrote to memory of 4892	724	MW3_Chair.exe	cmd.exe
PID 724 wrote to memory of 1996	724	MW3_Chair.exe	cmd.exe
PID 724 wrote to memory of 1996	724	MW3_Chair.exe	cmd.exe
PID 1996 wrote to memory of 3056	1996	cmd.exe	sc.exe
PID 1996 wrote to memory of 3056	1996	cmd.exe	sc.exe
PID 724 wrote to memory of 4908	724	MW3_Chair.exe	cmd.exe
PID 724 wrote to memory of 4908	724	MW3_Chair.exe	cmd.exe
PID 3728 wrote to memory of 1200	3728	MW3_Chair.exe	cmd.exe
PID 3728 wrote to memory of 1200	3728	MW3_Chair.exe	cmd.exe
PID 3728 wrote to memory of 3364	3728	MW3_Chair.exe	cmd.exe
PID 3728 wrote to memory of 3364	3728	MW3_Chair.exe	cmd.exe
PID 3728 wrote to memory of 4900	3728	MW3_Chair.exe	cmd.exe
PID 3728 wrote to memory of 4900	3728	MW3_Chair.exe	cmd.exe
PID 1200 wrote to memory of 4232	1200	cmd.exe	sc.exe
PID 1200 wrote to memory of 4232	1200	cmd.exe	sc.exe
PID 3364 wrote to memory of 4068	3364	cmd.exe	sc.exe
PID 3364 wrote to memory of 4068	3364	cmd.exe	sc.exe
PID 3728 wrote to memory of 4072	3728	MW3_Chair.exe	cmd.exe
PID 3728 wrote to memory of 4072	3728	MW3_Chair.exe	cmd.exe
PID 3728 wrote to memory of 2744	3728	MW3_Chair.exe	cmd.exe
PID 3728 wrote to memory of 2744	3728	MW3_Chair.exe	cmd.exe
PID 2744 wrote to memory of 4492	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 4492	2744	cmd.exe	sc.exe
PID 3728 wrote to memory of 2976	3728	MW3_Chair.exe	cmd.exe
PID 3728 wrote to memory of 2976	3728	MW3_Chair.exe	cmd.exe
PID 3728 wrote to memory of 1864	3728	MW3_Chair.exe	cmd.exe
PID 3728 wrote to memory of 1864	3728	MW3_Chair.exe	cmd.exe
PID 1864 wrote to memory of 4968	1864	cmd.exe	sc.exe
PID 1864 wrote to memory of 4968	1864	cmd.exe	sc.exe
PID 3728 wrote to memory of 4552	3728	MW3_Chair.exe	cmd.exe
PID 3728 wrote to memory of 4552	3728	MW3_Chair.exe	cmd.exe
PID 2476 wrote to memory of 3228	2476	MW3_Chair.exe	cmd.exe
PID 2476 wrote to memory of 3228	2476	MW3_Chair.exe	cmd.exe
PID 2476 wrote to memory of 1176	2476	MW3_Chair.exe	cmd.exe
PID 2476 wrote to memory of 1176	2476	MW3_Chair.exe	cmd.exe
PID 2476 wrote to memory of 2384	2476	MW3_Chair.exe	cmd.exe
PID 2476 wrote to memory of 2384	2476	MW3_Chair.exe	cmd.exe
PID 3228 wrote to memory of 1576	3228	cmd.exe	sc.exe
PID 3228 wrote to memory of 1576	3228	cmd.exe	sc.exe
PID 1176 wrote to memory of 1560	1176	cmd.exe	sc.exe
PID 1176 wrote to memory of 1560	1176	cmd.exe	sc.exe
PID 2476 wrote to memory of 4944	2476	MW3_Chair.exe	cmd.exe
PID 2476 wrote to memory of 4944	2476	MW3_Chair.exe	cmd.exe
PID 2476 wrote to memory of 4420	2476	MW3_Chair.exe	cmd.exe
PID 2476 wrote to memory of 4420	2476	MW3_Chair.exe	cmd.exe
PID 2476 wrote to memory of 1136	2476	MW3_Chair.exe	cmd.exe
PID 2476 wrote to memory of 1136	2476	MW3_Chair.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\MW3_Chair.exe
"C:\Users\Admin\AppData\Local\Temp\MW3_Chair.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys
2⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\system32\sc.exe
sc stop iqvw64e.sys
3⤵
- Launches sc.exe
PID:5068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys
2⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\system32\sc.exe
sc delete iqvw64e.sys
3⤵
- Launches sc.exe
PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
2⤵
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\system32\sc.exe
sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
3⤵
- Launches sc.exe
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc start windowsproc
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\system32\sc.exe
sc start windowsproc
3⤵
- Launches sc.exe
PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4136,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
1⤵
PID:5096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4756

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\MW3_Chair.exe
"C:\Users\Admin\AppData\Local\Temp\MW3_Chair.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys
2⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\system32\sc.exe
sc stop iqvw64e.sys
3⤵
- Launches sc.exe
PID:4232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys
2⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\system32\sc.exe
sc delete iqvw64e.sys
3⤵
- Launches sc.exe
PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
2⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\system32\sc.exe
sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
3⤵
- Launches sc.exe
PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc start windowsproc
2⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\system32\sc.exe
sc start windowsproc
3⤵
- Launches sc.exe
PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\MW3_Chair.exe
"C:\Users\Admin\AppData\Local\Temp\MW3_Chair.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys
2⤵
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\system32\sc.exe
sc stop iqvw64e.sys
3⤵
- Launches sc.exe
PID:1576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys
2⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\system32\sc.exe
sc delete iqvw64e.sys
3⤵
- Launches sc.exe
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
2⤵
PID:1136

C:\Windows\system32\sc.exe
sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
3⤵
- Launches sc.exe
PID:3824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc start windowsproc
2⤵
PID:4904

C:\Windows\system32\sc.exe
sc start windowsproc
3⤵
- Launches sc.exe
PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4040 /prefetch:8
1⤵
PID:184

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
ad7539b4b104e367e1c98cb63cf79d49

SHA1
02e181db0df0c6c06e09fa1f9332d335f4e33661

SHA256
6f8208f7a51de1b3736787dff5f3f4d40d454c3de60bf5ce0fe4b219b1b8e810

SHA512
782d12e61bc1e7cb9484e93a297822011cf868c151aac4ec403750027da2e1016e72e5d178a3ec8d8dd18b3de0e29a8b532c16576ca21dd1c889bd9a55a00328

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
78d91717bc3c4cad84c0c4c22d8492c8

SHA1
774e1ce34d245d546f62d340d58408024d2e216c

SHA256
b6e7d543684131b038717c688fddcd69109fa7a2264f3ddbcc77b48cce1cc0c8

SHA512
22508b913df2a17336580a668911fd83d9a0a9b071269934cc1be7408f4220a0bad8d2f39ddd48de85d4f478b7366a09a657af0fee2914ce63b3342a5ec38b11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
615f25b3620243490fc82cbb6d9acdf7

SHA1
d53d7d65d00ad691cb751429390cbb8cf572f243

SHA256
7c46c91ddcb433ae3a285668ad6cc7c346f8779923ebe1c31204a2b66532f55a

SHA512
73e1bb2b077472a3aafdc2367e687b68df11fc08a11362ea17a23d2e0f7fb59188aa31a474b1897488f10264d98071407c960e432e28e6aef593784c2d2d98e0

Download Submit
C:\Windows\System32\IME\SHARED\namef.ini
Filesize
13B

MD5
54839c81584f6efe68ac87fa422cb2a5

SHA1
a56297c174ea3a5161b029f6991d3e4ab1e19136

SHA256
05019a76302524104b38bea81561801802fb157d65eee032c59d69415e73dd7f

SHA512
8d647bab273408b8a3fd9590957412056846b5561a5a01d4bc8bc9ae4fff9e6618ef962aff783ecfd0d46d9a1b41e28f8371ed33892e851f88a767b0ad81667e

Download Submit
C:\Windows\System32\drivers\winhb.sys
Filesize
2.6MB

MD5
607fa999176aff89978996e3a9cb27e3

SHA1
f3b2422c7a4742069ecf4a9eaab742cbcb1f5f21

SHA256
ee1700af169adab64827080f604e9818cdd7d4672e7d66da137f00681e4e0c38

SHA512
841469b4364d4120252b52162c80060eb145857c87373fb41d4558d2ed9e78d0ecd54e5b80670aa548e120cb70db1710992d9c32b5db5a39ba9d0a3855403b93

Download Submit
memory/724-0-0x0000000140000000-0x0000000142290000-memory.dmp

Filesize
34.6MB

Download
memory/724-1-0x0000000140000000-0x0000000142290000-memory.dmp

Filesize
34.6MB

Download
memory/724-15-0x0000000140000000-0x0000000142290000-memory.dmp

Filesize
34.6MB

Download
memory/724-3-0x0000000140000000-0x0000000142290000-memory.dmp

Filesize
34.6MB

Download
memory/724-14-0x0000000140000000-0x0000000142290000-memory.dmp

Filesize
34.6MB

Download
memory/724-4-0x00007FFD5A570000-0x00007FFD5A572000-memory.dmp

Filesize
8KB

Download
memory/724-2-0x0000000140000000-0x0000000142290000-memory.dmp

Filesize
34.6MB

Download
memory/2476-30-0x0000000140000000-0x0000000142290000-memory.dmp

Filesize
34.6MB

Download
memory/2476-31-0x0000000140000000-0x0000000142290000-memory.dmp

Filesize
34.6MB

Download
memory/2476-32-0x0000000140000000-0x0000000142290000-memory.dmp

Filesize
34.6MB

Download
memory/2476-38-0x0000000140000000-0x0000000142290000-memory.dmp

Filesize
34.6MB

Download
memory/3728-17-0x0000000140000000-0x0000000142290000-memory.dmp

Filesize
34.6MB

Download
memory/3728-18-0x0000000140000000-0x0000000142290000-memory.dmp

Filesize
34.6MB

Download
memory/3728-16-0x0000000140000000-0x0000000142290000-memory.dmp

Filesize
34.6MB

Download
memory/3728-28-0x0000000140000000-0x0000000142290000-memory.dmp

Filesize
34.6MB

Download