3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2

General

Target

3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
Size

502KB
MD5

3b2dacf1e426d7e1952b3aa69bf53169
SHA1

a36f9333a558a23f471bc621a2636d300bd58863
SHA256

3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2
SHA512

ae15e5d12754325cc1482ba16b18153d4abc3a6f137010b34c3a1e4dbf9847891e8cf7a377265697081ad986ebb387ff0a3d3f10c480ceb5cd2823ed16d2e065

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

HCfm323

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Users\\Admin\\AppData\\Local\\xdlqdnjj\\gjddnqpa.exe"	HCfm323
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\xdlqdnjj\\gjddnqpa.exe"	HCfm323

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

HCfm323

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	HCfm323

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

HCfm323

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	HCfm323

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

HCfm323

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" HCfm323

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HCfm323

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

HCfm323

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	HCfm323

Executes dropped EXE 1 IoCs

Processes:

HCfm323

pid process

1756 HCfm323

pid	process
1756	HCfm323

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1756-61-0x0000000015190000-0x00000000151D3000-memory.dmp	upx
behavioral1/memory/1756-64-0x0000000015190000-0x00000000151D3000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

HCfm323

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjddnqpa.exe	HCfm323
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjddnqpa.exe	HCfm323

Loads dropped DLL 1 IoCs

Processes:

3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe

pid process

960 3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

HCfm323

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	HCfm323

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HCfm323

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\GjdDnqpa = "C:\\Users\\Admin\\AppData\\Local\\xdlqdnjj\\gjddnqpa.exe"	HCfm323

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

HCfm323

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" HCfm323
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HCfm323

pid process

1756 HCfm323
1756 HCfm323
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

HCfm3233c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe

pid process

1756 HCfm323
960 3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HCfm323

pid	process
1756	HCfm323
1756	HCfm323

pid	process
1756	HCfm323
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

HCfm3233c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe

description	pid	process
Token: SeSecurityPrivilege	1756	HCfm323
Token: SeSecurityPrivilege	1756	HCfm323
Token: SeSecurityPrivilege	1756	HCfm323
Token: SeSecurityPrivilege	1756	HCfm323
Token: SeSecurityPrivilege	1756	HCfm323
Token: SeSecurityPrivilege	1756	HCfm323
Token: SeSecurityPrivilege	960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
Token: SeSecurityPrivilege	960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
Token: SeSecurityPrivilege	960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
Token: SeSecurityPrivilege	960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
Token: SeSecurityPrivilege	960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
Token: SeSecurityPrivilege	960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
Token: SeSecurityPrivilege	1756	HCfm323
Token: SeRestorePrivilege	1756	HCfm323
Token: SeBackupPrivilege	1756	HCfm323
Token: SeShutdownPrivilege	1756	HCfm323

Suspicious use of SetWindowsHookAW 64 IoCs

Processes:

3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe

pid	process
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe

description	pid	process	target process
PID 960 wrote to memory of 1756	960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe	HCfm323
PID 960 wrote to memory of 1756	960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe	HCfm323
PID 960 wrote to memory of 1756	960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe	HCfm323
PID 960 wrote to memory of 1756	960	3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe	HCfm323

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

HCfm323

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" HCfm323

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HCfm323

C:\Users\Admin\AppData\Local\Temp\3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe
"C:\Users\Admin\AppData\Local\Temp\3c85555cebd88d75fd1f1eb19248d760b329e90bba73a9df5a438c0180a3f0b2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookAW
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\HCfm323
"HCfm323"
2⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1756

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

8

T1112

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HCfm323
Filesize
250KB

MD5
6eb541712dc7b736de250c89a915410f

SHA1
a7d63500e18c5f8778254702d6ba553543b0f0ff

SHA256
021656184a9194bb020725b3b6115c5f4cd320e96375e08222db5c5317a9a187

SHA512
5d137be5405d2d0abd138ac0628d70a3dec4cec9a951f5fcd416d93a232b628841fc06ef34f2ad2884016b4300a148a5e311d062e012d3544ff6a6a36e5e2de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCfm323
Filesize
250KB

MD5
6eb541712dc7b736de250c89a915410f

SHA1
a7d63500e18c5f8778254702d6ba553543b0f0ff

SHA256
021656184a9194bb020725b3b6115c5f4cd320e96375e08222db5c5317a9a187

SHA512
5d137be5405d2d0abd138ac0628d70a3dec4cec9a951f5fcd416d93a232b628841fc06ef34f2ad2884016b4300a148a5e311d062e012d3544ff6a6a36e5e2de7

Download Submit
\Users\Admin\AppData\Local\Temp\HCfm323
Filesize
250KB

MD5
6eb541712dc7b736de250c89a915410f

SHA1
a7d63500e18c5f8778254702d6ba553543b0f0ff

SHA256
021656184a9194bb020725b3b6115c5f4cd320e96375e08222db5c5317a9a187

SHA512
5d137be5405d2d0abd138ac0628d70a3dec4cec9a951f5fcd416d93a232b628841fc06ef34f2ad2884016b4300a148a5e311d062e012d3544ff6a6a36e5e2de7

Download Submit
memory/960-54-0x0000000076571000-0x0000000076573000-memory.dmp

Filesize
8KB

Download
memory/960-60-0x00000000025A0000-0x00000000025C1000-memory.dmp

Filesize
132KB

Download
memory/1756-56-0x0000000000000000-mapping.dmp

Download
memory/1756-59-0x0000000001FC0000-0x0000000001FE1000-memory.dmp

Filesize
132KB

Download
memory/1756-61-0x0000000015190000-0x00000000151D3000-memory.dmp

Filesize
268KB

Download
memory/1756-64-0x0000000015190000-0x00000000151D3000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads