Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 19/09/2022, 07:40
Static task: static1
Behavioral task: behavioral1
Sample: 24cdd161a95079df18f13bec09920c294effb98661913f8bc220b2cd711a7c39.exe
Resource: win7-20220901-en
General
Target: 24cdd161a95079df18f13bec09920c294effb98661913f8bc220b2cd711a7c39.exe
Size: 112KB
MD5: ca1bf88ed397b1fab5e1c7515dc2d8f6
SHA1: fb5a06914ceac7c4713e75e94d266f142a910d47
SHA256: 24cdd161a95079df18f13bec09920c294effb98661913f8bc220b2cd711a7c39
SHA512: 512bde4384119892e4b5dc3b597b9a8b2d8a3526516983a1e2303e4ecbcec710f3db47005a6801acb50e989b2c26d22a0f40c841a6341bfbee4bb802b2ba2404
SSDEEP: 3072:ucDdxsmsC8VTCLs3UqrW6glWsPzfdD8cPD8sjBuO:uqXr0MLs3I6UP7dD8c78yB
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\moteaaxo\\uulqkahc.exe" | svchost.exe
Modifies firewall policy service (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | majomcjl.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | majomcjl.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | majomcjl.exe
Modifies security service (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | majomcjl.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | majomcjl.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | majomcjl.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" | majomcjl.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | svchost.exe
UAC bypass (2 IoCs; signature name taken from the process tree, where the heading was lost in extraction)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | majomcjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Windows security bypass (12 IoCs; signature name taken from the process tree, where the heading was lost in extraction)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | majomcjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | majomcjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | majomcjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | majomcjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | majomcjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | majomcjl.exe
Executes dropped EXE (2 IoCs)
pid | Process
1736 | majomcjl.exe
824 | majomcjl.exe
Drops startup file (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uulqkahc.exe | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uulqkahc.exe | svchost.exe
Loads dropped DLL (4 IoCs)
pid | Process
1228 | 24cdd161a95079df18f13bec09920c294effb98661913f8bc220b2cd711a7c39.exe
1228 | 24cdd161a95079df18f13bec09920c294effb98661913f8bc220b2cd711a7c39.exe
1540 | cmd.exe
1540 | cmd.exe
Windows security modification (6 IoCs; signature name taken from the process tree, where the heading was lost in extraction)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | majomcjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | majomcjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | majomcjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | majomcjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | majomcjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | majomcjl.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\UulQkahc = "C:\\Users\\Admin\\AppData\\Local\\moteaaxo\\uulqkahc.exe" | svchost.exe
Checks whether UAC is enabled (1 IoC; signature name taken from the process tree, where the heading was lost in extraction)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | majomcjl.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (46 IoCs; identical rows aggregated with a count)
pid | Process | count
580 | svchost.exe | 44
824 | majomcjl.exe | 2
Suspicious behavior: LoadsDriver (1 IoC)
pid | Process
464 | Process not Found
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeSecurityPrivilege | 1228 | 24cdd161a95079df18f13bec09920c294effb98661913f8bc220b2cd711a7c39.exe
Token: SeDebugPrivilege | 1228 | 24cdd161a95079df18f13bec09920c294effb98661913f8bc220b2cd711a7c39.exe
Token: SeSecurityPrivilege | 2024 | svchost.exe
Token: SeSecurityPrivilege | 580 | svchost.exe
Token: SeDebugPrivilege | 580 | svchost.exe
Token: SeDebugPrivilege | 580 | svchost.exe
Token: SeRestorePrivilege | 580 | svchost.exe
Token: SeBackupPrivilege | 580 | svchost.exe
Token: SeDebugPrivilege | 580 | svchost.exe
Token: SeSecurityPrivilege | 1736 | majomcjl.exe
Token: SeSecurityPrivilege | 824 | majomcjl.exe
Token: SeLoadDriverPrivilege | 824 | majomcjl.exe
Suspicious use of WriteProcessMemory (34 IoCs; identical rows aggregated with a count)
description | pid | Process | procid_target | count
PID 1228 wrote to memory of 2024 | 1228 | 24cdd161a95079df18f13bec09920c294effb98661913f8bc220b2cd711a7c39.exe | 27 | 11
PID 1228 wrote to memory of 580 | 1228 | 24cdd161a95079df18f13bec09920c294effb98661913f8bc220b2cd711a7c39.exe | 28 | 11
PID 1228 wrote to memory of 1736 | 1228 | 24cdd161a95079df18f13bec09920c294effb98661913f8bc220b2cd711a7c39.exe | 29 | 4
PID 1736 wrote to memory of 1540 | 1736 | majomcjl.exe | 30 | 4
PID 1540 wrote to memory of 824 | 1540 | cmd.exe | 32 | 4
System policy modification (1 TTP, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | majomcjl.exe
Processes (tree; the bracketed number is the nesting level)
[1] C:\Users\Admin\AppData\Local\Temp\24cdd161a95079df18f13bec09920c294effb98661913f8bc220b2cd711a7c39.exe (PID 1228)
    Command line: "C:\Users\Admin\AppData\Local\Temp\24cdd161a95079df18f13bec09920c294effb98661913f8bc220b2cd711a7c39.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\svchost.exe (PID 2024)
        Command line: C:\Windows\system32\svchost.exe
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\svchost.exe (PID 580)
        Command line: C:\Windows\system32\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies firewall policy service
        - Modifies security service
        - UAC bypass
        - Windows security bypass
        - Drops startup file
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\majomcjl.exe (PID 1736)
        Command line: "C:\Users\Admin\AppData\Local\Temp\majomcjl.exe" elevate
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe (PID 1540)
            Command line: "C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\majomcjl.exe"" admin
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\majomcjl.exe (PID 824)
                Command line: "C:\Users\Admin\AppData\Local\Temp\majomcjl.exe" admin
                - Modifies firewall policy service
                - Modifies security service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - System policy modification
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 112KB
MD5: ca1bf88ed397b1fab5e1c7515dc2d8f6
SHA1: fb5a06914ceac7c4713e75e94d266f142a910d47
SHA256: 24cdd161a95079df18f13bec09920c294effb98661913f8bc220b2cd711a7c39
SHA512: 512bde4384119892e4b5dc3b597b9a8b2d8a3526516983a1e2303e4ecbcec710f3db47005a6801acb50e989b2c26d22a0f40c841a6341bfbee4bb802b2ba2404