4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e

General

Target

4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
Size

892KB
MD5

53ac2a5394f8713b3c66ba21103ff707
SHA1

5e38feca1c8fba6746ad331f4d6435206007b1d0
SHA256

4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e
SHA512

2ad8414a213082bba37b8fa191f2244d1a3b558a98cf19aaee241427410411b8f3c31daf29468458bec58de71c389f715b1fd8a2348d85b98355f85f83e3da4d

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

winversX64.exe

pid process

544 winversX64.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
544	winversX64.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/892-56-0x0000000000400000-0x00000000005C1000-memory.dmp	upx
behavioral1/memory/892-58-0x0000000000400000-0x00000000005C1000-memory.dmp	upx
behavioral1/memory/892-60-0x0000000000400000-0x00000000005C1000-memory.dmp	upx
behavioral1/memory/892-64-0x0000000000400000-0x00000000005C1000-memory.dmp	upx
behavioral1/memory/892-65-0x0000000000400000-0x00000000005C1000-memory.dmp	upx
behavioral1/memory/892-67-0x0000000000400000-0x00000000005C1000-memory.dmp	upx
\Users\Admin\AppData\Roaming\log\winversX64.exe	upx
C:\Users\Admin\AppData\Roaming\log\winversX64.exe	upx
C:\Users\Admin\AppData\Roaming\log\winversX64.exe	upx

Loads dropped DLL 1 IoCs

Processes:

4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe

pid process

892 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe

pid	process
892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winversX64.exe4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\winversX64 = "C:\\Users\\Admin\\AppData\\Roaming\\log\\winversX64.exe"	winversX64.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\winversX64 = "C:\\Users\\Admin\\AppData\\Roaming\\log\\AutoUpdate.exe"	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	winversX64.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 icanhazip.com

flow	ioc
4	icanhazip.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/892-65-0x0000000000400000-0x00000000005C1000-memory.dmp	autoit_exe
behavioral1/memory/892-67-0x0000000000400000-0x00000000005C1000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe

description	pid	process	target process
PID 560 set thread context of 892	560	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe

pid	process
560	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
560	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
560	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
560	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
560	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
560	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe

description pid process

Token: SeDebugPrivilege 560 4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

winversX64.exe

pid process

544 winversX64.exe

description	pid	process
Token: SeDebugPrivilege	560	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe

pid	process
544	winversX64.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.execmd.exewinversX64.execmd.exe

description	pid	process	target process
PID 560 wrote to memory of 892	560	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
PID 560 wrote to memory of 892	560	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
PID 560 wrote to memory of 892	560	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
PID 560 wrote to memory of 892	560	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
PID 560 wrote to memory of 892	560	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
PID 560 wrote to memory of 892	560	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
PID 560 wrote to memory of 892	560	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
PID 560 wrote to memory of 892	560	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
PID 892 wrote to memory of 1964	892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	cmd.exe
PID 892 wrote to memory of 1964	892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	cmd.exe
PID 892 wrote to memory of 1964	892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	cmd.exe
PID 892 wrote to memory of 1964	892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	cmd.exe
PID 1964 wrote to memory of 1764	1964	cmd.exe	netsh.exe
PID 1964 wrote to memory of 1764	1964	cmd.exe	netsh.exe
PID 1964 wrote to memory of 1764	1964	cmd.exe	netsh.exe
PID 1964 wrote to memory of 1764	1964	cmd.exe	netsh.exe
PID 892 wrote to memory of 1560	892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	cmd.exe
PID 892 wrote to memory of 1560	892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	cmd.exe
PID 892 wrote to memory of 1560	892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	cmd.exe
PID 892 wrote to memory of 1560	892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	cmd.exe
PID 892 wrote to memory of 544	892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	winversX64.exe
PID 892 wrote to memory of 544	892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	winversX64.exe
PID 892 wrote to memory of 544	892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	winversX64.exe
PID 892 wrote to memory of 544	892	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe	winversX64.exe
PID 544 wrote to memory of 764	544	winversX64.exe	cmd.exe
PID 544 wrote to memory of 764	544	winversX64.exe	cmd.exe
PID 544 wrote to memory of 764	544	winversX64.exe	cmd.exe
PID 544 wrote to memory of 764	544	winversX64.exe	cmd.exe
PID 764 wrote to memory of 1972	764	cmd.exe	HOSTNAME.EXE
PID 764 wrote to memory of 1972	764	cmd.exe	HOSTNAME.EXE
PID 764 wrote to memory of 1972	764	cmd.exe	HOSTNAME.EXE
PID 764 wrote to memory of 1972	764	cmd.exe	HOSTNAME.EXE

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1"	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe

C:\Users\Admin\AppData\Local\Temp\4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
"C:\Users\Admin\AppData\Local\Temp\4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560

C:\Users\Admin\AppData\Local\Temp\4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe
"C:\Users\Admin\AppData\Local\Temp\4c6cc49798a17cc509fab09a8f8618c869f6b1485d2fd673ba89842357b90c4e.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE
4⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\log\pass.exe all
3⤵
PID:1560

C:\Users\Admin\AppData\Roaming\log\winversX64.exe
C:\Users\Admin\AppData\Roaming\log\winversX64.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /k HOSTNAME
4⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\HOSTNAME.EXE
HOSTNAME
5⤵
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\log\Passwords.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\log\winversX64.exe
Filesize
426KB

MD5
360095705468a664c5f965092ae0295b

SHA1
2a485ef55c880f427e5177872e8cb57000385714

SHA256
22e15fc0a75ab319c34b73c67a665bb7ad600ccf5bceea45fa08305ce677a811

SHA512
40243726b6e382df5e7f75be5564724170d2bf23e91f0efe451d52371976c6b6040d3c23e204ec9401aa7ef295a71e4e1343e53885d9f4fd15932681a231723f

Download Submit
C:\Users\Admin\AppData\Roaming\log\winversX64.exe
Filesize
426KB

MD5
360095705468a664c5f965092ae0295b

SHA1
2a485ef55c880f427e5177872e8cb57000385714

SHA256
22e15fc0a75ab319c34b73c67a665bb7ad600ccf5bceea45fa08305ce677a811

SHA512
40243726b6e382df5e7f75be5564724170d2bf23e91f0efe451d52371976c6b6040d3c23e204ec9401aa7ef295a71e4e1343e53885d9f4fd15932681a231723f

Download Submit
\Users\Admin\AppData\Roaming\log\winversX64.exe
Filesize
426KB

MD5
360095705468a664c5f965092ae0295b

SHA1
2a485ef55c880f427e5177872e8cb57000385714

SHA256
22e15fc0a75ab319c34b73c67a665bb7ad600ccf5bceea45fa08305ce677a811

SHA512
40243726b6e382df5e7f75be5564724170d2bf23e91f0efe451d52371976c6b6040d3c23e204ec9401aa7ef295a71e4e1343e53885d9f4fd15932681a231723f

Download Submit
memory/544-73-0x0000000000000000-mapping.dmp

Download
memory/560-66-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/560-54-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download
memory/764-77-0x0000000000000000-mapping.dmp

Download
memory/892-61-0x000000000054BFB0-mapping.dmp

Download
memory/892-67-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/892-65-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/892-64-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/892-60-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/892-58-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/892-56-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/892-55-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/1560-71-0x0000000000000000-mapping.dmp

Download
memory/1764-69-0x0000000000000000-mapping.dmp

Download
memory/1964-68-0x0000000000000000-mapping.dmp

Download
memory/1972-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads