cc78318ead529739bf908265a8b843a0200e2dbfde3946be81d3a966720ebdde

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2022, 17:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

296KB
MD5

8cdfb3600310132dd9ad09cb6890d9ea
SHA1

40a5d218edf0f1e7a4a92cdf49edd9cfa553e339
SHA256

cc78318ead529739bf908265a8b843a0200e2dbfde3946be81d3a966720ebdde
SHA512

26e09d28f770e40b64a71372f3000a7fbb4a2bb121966cce264fd99f5ceb36b80a1df2f3168209a5416e9c44688b5467d6eae5f225e3ace1411cc1b367777d1b
SSDEEP

6144:o36YlcAiTo6FwYDjaF6SVofQSuTVt88RPmyRVi2ZD:o3xi8Enj8TVt8Qmyzi2ZD

Score

10^/10

evasion trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 8 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1980	win.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2604	netsh.exe
4580	netsh.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000300000001e64d-147.dat	upx
behavioral2/files/0x000300000001e64d-148.dat	upx
behavioral2/memory/1980-149-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\win.exe	tmp.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\1.bat	tmp.exe
File opened for modification	C:\Windows\1.bat	tmp.exe
File created	C:\Windows\csrsss.exe	win.exe
File opened for modification	C:\Windows\csrsss.exe	win.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	win.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	win.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3496	tmp.exe
3496	tmp.exe
3496	tmp.exe
3496	tmp.exe
3496	tmp.exe
3496	tmp.exe
3496	tmp.exe
3496	tmp.exe
3496	tmp.exe
3496	tmp.exe
3496	tmp.exe
3496	tmp.exe
3496	tmp.exe
3496	tmp.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe
1980	win.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
648	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3496	tmp.exe
3496	tmp.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 1032	3496	tmp.exe	81
PID 3496 wrote to memory of 1032	3496	tmp.exe	81
PID 3496 wrote to memory of 1032	3496	tmp.exe	81
PID 1032 wrote to memory of 2604	1032	cmd.exe	83
PID 1032 wrote to memory of 2604	1032	cmd.exe	83
PID 1032 wrote to memory of 2604	1032	cmd.exe	83
PID 1032 wrote to memory of 4580	1032	cmd.exe	84
PID 1032 wrote to memory of 4580	1032	cmd.exe	84
PID 1032 wrote to memory of 4580	1032	cmd.exe	84
PID 1032 wrote to memory of 4928	1032	cmd.exe	85
PID 1032 wrote to memory of 4928	1032	cmd.exe	85
PID 1032 wrote to memory of 4928	1032	cmd.exe	85
PID 1032 wrote to memory of 4856	1032	cmd.exe	86
PID 1032 wrote to memory of 4856	1032	cmd.exe	86
PID 1032 wrote to memory of 4856	1032	cmd.exe	86
PID 1032 wrote to memory of 4904	1032	cmd.exe	87
PID 1032 wrote to memory of 4904	1032	cmd.exe	87
PID 1032 wrote to memory of 4904	1032	cmd.exe	87
PID 1032 wrote to memory of 4836	1032	cmd.exe	88
PID 1032 wrote to memory of 4836	1032	cmd.exe	88
PID 1032 wrote to memory of 4836	1032	cmd.exe	88
PID 1032 wrote to memory of 4696	1032	cmd.exe	91
PID 1032 wrote to memory of 4696	1032	cmd.exe	91
PID 1032 wrote to memory of 4696	1032	cmd.exe	91
PID 1032 wrote to memory of 2688	1032	cmd.exe	92
PID 1032 wrote to memory of 2688	1032	cmd.exe	92
PID 1032 wrote to memory of 2688	1032	cmd.exe	92
PID 1032 wrote to memory of 2472	1032	cmd.exe	93
PID 1032 wrote to memory of 2472	1032	cmd.exe	93
PID 1032 wrote to memory of 2472	1032	cmd.exe	93
PID 3496 wrote to memory of 1980	3496	tmp.exe	94
PID 3496 wrote to memory of 1980	3496	tmp.exe	94
PID 3496 wrote to memory of 1980	3496	tmp.exe	94

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\netsh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:2604
- - C:\Windows\SysWOW64\netsh.exe
    Netsh Advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    PID:4580
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /d 1 /t REG_DWORD /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4856
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /d 1 /t REG_DWORD /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4904
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /d 1 /t REG_DWORD /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4836
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /d 1 /t REG_DWORD /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4696
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /d 4 /t REG_DWORD /f
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\rundll32.exe
    RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters
    3⤵
    PID:2472
- C:\Program Files\Windows NT\win.exe
  "C:\Program Files\Windows NT\win.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\win.exe

Filesize
16KB

MD5
677f180cb0f6e41f073e396169e84da8

SHA1
535267d639c667e53d6150d45f924dbf00837488

SHA256
dac486ec62ec587f93a98ce1cdcad1314f13bd725b88a7de713f40fdb8718b1a

SHA512
e7015882e28062149886943b02718a19acf467a7f71b2efd1228bd0a840283084df4bf642829c440baa25f39048d8f3e917cfbc3eb659c054e9d3fb8d4a1dc49

Download Submit
C:\Program Files\Windows NT\win.exe

Filesize
16KB

MD5
677f180cb0f6e41f073e396169e84da8

SHA1
535267d639c667e53d6150d45f924dbf00837488

SHA256
dac486ec62ec587f93a98ce1cdcad1314f13bd725b88a7de713f40fdb8718b1a

SHA512
e7015882e28062149886943b02718a19acf467a7f71b2efd1228bd0a840283084df4bf642829c440baa25f39048d8f3e917cfbc3eb659c054e9d3fb8d4a1dc49

Download Submit
C:\Windows\1.bat

Filesize
1KB

MD5
3751c6a7204281a3d7353eb599fdb9bf

SHA1
df18425a3edd39cf4c333883447a468039999f80

SHA256
0e03c23ca35a9a2dffca6d1828088eff6ab84ba9e04a978157aabe56505879a4

SHA512
e781fb4f6eae1e9d21a75d55225523c4d41d2d7a4bce30c6a6028837a33ca6492b6453b3de04d9b09e03c060fa4cefdd6f76b748d7bc8af322d2559c73cc7934

Download Submit
memory/1980-149-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3496-132-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/3496-134-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/3496-133-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/3496-150-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download