7e7a10eab1231e9811ddf83083492bdf4524555a74ed7271096689b17590d7fb

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2022, 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

082e176f5b96db10f64db9e04dc61673.exe
Size

283KB
MD5

082e176f5b96db10f64db9e04dc61673
SHA1

fe424153c1d834bd00a0907daef402b46fdbff17
SHA256

7e7a10eab1231e9811ddf83083492bdf4524555a74ed7271096689b17590d7fb
SHA512

07cc030483160bc25fb2440c0d0cccb47ad3daa9be9ab245f7ebeb131eb8bb4cad8cb008410c91b0437abc4aa571f308544a7da22166d3466ce81e96cdeca759
SSDEEP

6144:GAQMQGfMMIjb+6yfZAC5Y0iq7S1/nwaIZsBBJUprJtNkyX2:GMrk5u6yfZ1Y0iCSB9asBBJ+rnOyX2

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 8 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1976	smss.exe
4404	win.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2828	netsh.exe
3664	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ServerName\ImagePath = "C:\\Windows\\srvany.exe"	regedit.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a00000001daee-156.dat	upx
behavioral2/files/0x000a00000001daee-157.dat	upx
behavioral2/memory/4404-158-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/4404-160-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	smss.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\win.exe	smss.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\csrsss.exe	win.exe
File opened for modification	C:\Windows\csrsss.exe	win.exe
File created	C:\Windows\srvany.exe	082e176f5b96db10f64db9e04dc61673.exe
File created	C:\Windows\smss.exe	082e176f5b96db10f64db9e04dc61673.exe
File opened for modification	C:\Windows\smss.exe	082e176f5b96db10f64db9e04dc61673.exe
File created	C:\Windows\1.bat	smss.exe
File opened for modification	C:\Windows\1.bat	smss.exe
File created	C:\Windows\ServerName.reg	082e176f5b96db10f64db9e04dc61673.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	win.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	win.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4884	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1976	smss.exe
1976	smss.exe
1976	smss.exe
1976	smss.exe
1976	smss.exe
1976	smss.exe
1976	smss.exe
1976	smss.exe
1976	smss.exe
1976	smss.exe
1976	smss.exe
1976	smss.exe
1976	smss.exe
1976	smss.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe
4404	win.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
648	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4984	082e176f5b96db10f64db9e04dc61673.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4984	082e176f5b96db10f64db9e04dc61673.exe
4984	082e176f5b96db10f64db9e04dc61673.exe
1976	smss.exe
1976	smss.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 1976	4984	082e176f5b96db10f64db9e04dc61673.exe	84
PID 4984 wrote to memory of 1976	4984	082e176f5b96db10f64db9e04dc61673.exe	84
PID 4984 wrote to memory of 1976	4984	082e176f5b96db10f64db9e04dc61673.exe	84
PID 4984 wrote to memory of 4884	4984	082e176f5b96db10f64db9e04dc61673.exe	85
PID 4984 wrote to memory of 4884	4984	082e176f5b96db10f64db9e04dc61673.exe	85
PID 4984 wrote to memory of 4884	4984	082e176f5b96db10f64db9e04dc61673.exe	85
PID 1976 wrote to memory of 3076	1976	smss.exe	86
PID 1976 wrote to memory of 3076	1976	smss.exe	86
PID 1976 wrote to memory of 3076	1976	smss.exe	86
PID 3076 wrote to memory of 2828	3076	cmd.exe	88
PID 3076 wrote to memory of 2828	3076	cmd.exe	88
PID 3076 wrote to memory of 2828	3076	cmd.exe	88
PID 3076 wrote to memory of 3664	3076	cmd.exe	90
PID 3076 wrote to memory of 3664	3076	cmd.exe	90
PID 3076 wrote to memory of 3664	3076	cmd.exe	90
PID 3076 wrote to memory of 1980	3076	cmd.exe	91
PID 3076 wrote to memory of 1980	3076	cmd.exe	91
PID 3076 wrote to memory of 1980	3076	cmd.exe	91
PID 3076 wrote to memory of 3752	3076	cmd.exe	92
PID 3076 wrote to memory of 3752	3076	cmd.exe	92
PID 3076 wrote to memory of 3752	3076	cmd.exe	92
PID 3076 wrote to memory of 2464	3076	cmd.exe	93
PID 3076 wrote to memory of 2464	3076	cmd.exe	93
PID 3076 wrote to memory of 2464	3076	cmd.exe	93
PID 3076 wrote to memory of 4148	3076	cmd.exe	94
PID 3076 wrote to memory of 4148	3076	cmd.exe	94
PID 3076 wrote to memory of 4148	3076	cmd.exe	94
PID 3076 wrote to memory of 3724	3076	cmd.exe	95
PID 3076 wrote to memory of 3724	3076	cmd.exe	95
PID 3076 wrote to memory of 3724	3076	cmd.exe	95
PID 3076 wrote to memory of 1876	3076	cmd.exe	96
PID 3076 wrote to memory of 1876	3076	cmd.exe	96
PID 3076 wrote to memory of 1876	3076	cmd.exe	96
PID 3076 wrote to memory of 3372	3076	cmd.exe	97
PID 3076 wrote to memory of 3372	3076	cmd.exe	97
PID 3076 wrote to memory of 3372	3076	cmd.exe	97
PID 1976 wrote to memory of 4404	1976	smss.exe	98
PID 1976 wrote to memory of 4404	1976	smss.exe	98
PID 1976 wrote to memory of 4404	1976	smss.exe	98

C:\Users\Admin\AppData\Local\Temp\082e176f5b96db10f64db9e04dc61673.exe
"C:\Users\Admin\AppData\Local\Temp\082e176f5b96db10f64db9e04dc61673.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\smss.exe
  C:\Windows\smss.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\1.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3076
  - - C:\Windows\SysWOW64\netsh.exe
      NetSh Advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:2828
  - - C:\Windows\SysWOW64\netsh.exe
      Netsh Advfirewall show allprofiles
      4⤵
      Modifies Windows Firewall
      PID:3664
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /d 1 /t REG_DWORD /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:3752
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /d 1 /t REG_DWORD /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2464
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /d 1 /t REG_DWORD /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:4148
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /d 1 /t REG_DWORD /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:3724
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /d 4 /t REG_DWORD /f
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\rundll32.exe
      RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters
      4⤵
      PID:3372
- - C:\Program Files\Windows NT\win.exe
    "C:\Program Files\Windows NT\win.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4404
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe -s C:\Windows\ServerName.reg
  2⤵
  - Sets service image path in registry
  - Runs .reg file with regedit
  PID:4884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\win.exe

Filesize
16KB

MD5
677f180cb0f6e41f073e396169e84da8

SHA1
535267d639c667e53d6150d45f924dbf00837488

SHA256
dac486ec62ec587f93a98ce1cdcad1314f13bd725b88a7de713f40fdb8718b1a

SHA512
e7015882e28062149886943b02718a19acf467a7f71b2efd1228bd0a840283084df4bf642829c440baa25f39048d8f3e917cfbc3eb659c054e9d3fb8d4a1dc49

Download Submit
C:\Program Files\Windows NT\win.exe

Filesize
16KB

MD5
677f180cb0f6e41f073e396169e84da8

SHA1
535267d639c667e53d6150d45f924dbf00837488

SHA256
dac486ec62ec587f93a98ce1cdcad1314f13bd725b88a7de713f40fdb8718b1a

SHA512
e7015882e28062149886943b02718a19acf467a7f71b2efd1228bd0a840283084df4bf642829c440baa25f39048d8f3e917cfbc3eb659c054e9d3fb8d4a1dc49

Download Submit
C:\Windows\1.bat

Filesize
1KB

MD5
3751c6a7204281a3d7353eb599fdb9bf

SHA1
df18425a3edd39cf4c333883447a468039999f80

SHA256
0e03c23ca35a9a2dffca6d1828088eff6ab84ba9e04a978157aabe56505879a4

SHA512
e781fb4f6eae1e9d21a75d55225523c4d41d2d7a4bce30c6a6028837a33ca6492b6453b3de04d9b09e03c060fa4cefdd6f76b748d7bc8af322d2559c73cc7934

Download Submit
C:\Windows\ServerName.reg

Filesize
1KB

MD5
c962895bea884850a2f3a5cbd8de2ac2

SHA1
09ad2ec424611edfc0b0ce031bb822bf9419b041

SHA256
75172637e79106d93db47b625e38ea050f98ad7f0bed4c52a53449392a954555

SHA512
3fcf7e02aeadae4a89f4df405c05b3fe8e63476a0c8232e02d11b98c4ce1c91e6e665a238f01a62b7676d8461902ecb0e47dfa5b33b7f6b8227e2dfe3d5332a3

Download Submit
C:\Windows\smss.exe

Filesize
296KB

MD5
8cdfb3600310132dd9ad09cb6890d9ea

SHA1
40a5d218edf0f1e7a4a92cdf49edd9cfa553e339

SHA256
cc78318ead529739bf908265a8b843a0200e2dbfde3946be81d3a966720ebdde

SHA512
26e09d28f770e40b64a71372f3000a7fbb4a2bb121966cce264fd99f5ceb36b80a1df2f3168209a5416e9c44688b5467d6eae5f225e3ace1411cc1b367777d1b

Download Submit
C:\Windows\smss.exe

Filesize
296KB

MD5
8cdfb3600310132dd9ad09cb6890d9ea

SHA1
40a5d218edf0f1e7a4a92cdf49edd9cfa553e339

SHA256
cc78318ead529739bf908265a8b843a0200e2dbfde3946be81d3a966720ebdde

SHA512
26e09d28f770e40b64a71372f3000a7fbb4a2bb121966cce264fd99f5ceb36b80a1df2f3168209a5416e9c44688b5467d6eae5f225e3ace1411cc1b367777d1b

Download Submit
memory/1976-138-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1976-139-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1976-159-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1976-140-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/4404-158-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4404-160-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4984-132-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4984-143-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4984-134-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4984-133-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download