23b36e8c767ba99b39d1bfb4561ba1d15e9cd7091650d31ce50f9d5ee0124f3d

Analysis

max time kernel
159s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23b36e8c767ba99b39d1bfb4561ba1d15e9cd7091650d31ce50f9d5ee0124f3d.exe
Size

796KB
MD5

64b56af0196afe85b4c242ec3c4350c0
SHA1

bf6dd3b3be7d862569b941bc2ada573d8bad92da
SHA256

23b36e8c767ba99b39d1bfb4561ba1d15e9cd7091650d31ce50f9d5ee0124f3d
SHA512

47abc8c6745df75f532c771a816fb9a7514400b5ccbc61b8b628068f3e8238506e91fe2482ab5d4bf912addd492c895eb959d9243dfae808a04508f40bb8b816
SSDEEP

24576:fvFQaGTzzyG0eEjJPC2/rPpDRXkLBtKcy2a2N6V:lChajhpYv3a2oV

Score

10^/10

evasion trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"	uivednejprd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1"	uivednejprd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"	uivednejprd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1"	uivednejprd.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	exlzs73z8iamfggcus4uw.exe

Executes dropped EXE 5 IoCs

pid	Process
1048	exlzs73z8iamfggcus4uw.exe
3728	uivednejprd.exe
6016	umwullmunfiw.exe
7048	uivednejprd.exe
2380	exlzs73z8luofgg.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
6980	netsh.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"	uivednejprd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1"	uivednejprd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"	uivednejprd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1"	uivednejprd.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File created	C:\Windows\qaejoszxsfqoj\tst	23b36e8c767ba99b39d1bfb4561ba1d15e9cd7091650d31ce50f9d5ee0124f3d.exe
File opened for modification	C:\Windows\qaejoszxsfqoj\	23b36e8c767ba99b39d1bfb4561ba1d15e9cd7091650d31ce50f9d5ee0124f3d.exe
File created	C:\Windows\uivednejprd.exe	exlzs73z8iamfggcus4uw.exe
File opened for modification	C:\Windows\qaejoszxsfqoj\lck	uivednejprd.exe
File created	C:\Windows\qaejoszxsfqoj\cfg	uivednejprd.exe
File opened for modification	C:\Windows\qaejoszxsfqoj\rng	uivednejprd.exe
File opened for modification	C:\Windows\qaejoszxsfqoj\	umwullmunfiw.exe
File opened for modification	C:\Windows\qaejoszxsfqoj\	uivednejprd.exe
File opened for modification	C:\Windows\qaejoszxsfqoj\tst	exlzs73z8iamfggcus4uw.exe
File opened for modification	C:\Windows\uivednejprd.exe	exlzs73z8iamfggcus4uw.exe
File opened for modification	C:\Windows\qaejoszxsfqoj\tst	uivednejprd.exe
File opened for modification	C:\Windows\qaejoszxsfqoj\	uivednejprd.exe
File created	C:\Windows\qaejoszxsfqoj\rng	uivednejprd.exe
File created	C:\Windows\qaejoszxsfqoj\lck	uivednejprd.exe
File opened for modification	C:\Windows\qaejoszxsfqoj\tst	uivednejprd.exe
File created	C:\Windows\qaejoszxsfqoj\lck	exlzs73z8iamfggcus4uw.exe
File created	C:\Windows\qaejoszxsfqoj\etc	exlzs73z8iamfggcus4uw.exe
File opened for modification	C:\Windows\umwullmunfiw.exe	uivednejprd.exe
File created	C:\Windows\qaejoszxsfqoj\run	uivednejprd.exe
File opened for modification	C:\Windows\qaejoszxsfqoj\tst	umwullmunfiw.exe
File opened for modification	C:\Windows\qaejoszxsfqoj\	exlzs73z8iamfggcus4uw.exe
File created	C:\Windows\umwullmunfiw.exe	uivednejprd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
3728	uivednejprd.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe
6016	umwullmunfiw.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1048	2276	23b36e8c767ba99b39d1bfb4561ba1d15e9cd7091650d31ce50f9d5ee0124f3d.exe	81
PID 2276 wrote to memory of 1048	2276	23b36e8c767ba99b39d1bfb4561ba1d15e9cd7091650d31ce50f9d5ee0124f3d.exe	81
PID 2276 wrote to memory of 1048	2276	23b36e8c767ba99b39d1bfb4561ba1d15e9cd7091650d31ce50f9d5ee0124f3d.exe	81
PID 3728 wrote to memory of 6016	3728	uivednejprd.exe	83
PID 3728 wrote to memory of 6016	3728	uivednejprd.exe	83
PID 3728 wrote to memory of 6016	3728	uivednejprd.exe	83
PID 3728 wrote to memory of 6980	3728	uivednejprd.exe	84
PID 3728 wrote to memory of 6980	3728	uivednejprd.exe	84
PID 3728 wrote to memory of 6980	3728	uivednejprd.exe	84
PID 1048 wrote to memory of 7048	1048	exlzs73z8iamfggcus4uw.exe	86
PID 1048 wrote to memory of 7048	1048	exlzs73z8iamfggcus4uw.exe	86
PID 1048 wrote to memory of 7048	1048	exlzs73z8iamfggcus4uw.exe	86
PID 3728 wrote to memory of 2380	3728	uivednejprd.exe	87
PID 3728 wrote to memory of 2380	3728	uivednejprd.exe	87
PID 3728 wrote to memory of 2380	3728	uivednejprd.exe	87

C:\Users\Admin\AppData\Local\Temp\23b36e8c767ba99b39d1bfb4561ba1d15e9cd7091650d31ce50f9d5ee0124f3d.exe
"C:\Users\Admin\AppData\Local\Temp\23b36e8c767ba99b39d1bfb4561ba1d15e9cd7091650d31ce50f9d5ee0124f3d.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\exlzs73z8iamfggcus4uw.exe
  "C:\Users\Admin\AppData\Local\Temp\exlzs73z8iamfggcus4uw.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\uivednejprd.exe
    "C:\Windows\uivednejprd.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:7048

C:\Windows\uivednejprd.exe
C:\Windows\uivednejprd.exe
1⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\umwullmunfiw.exe
  WATCHDOGPROC "c:\windows\uivednejprd.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:6016
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  PID:6980
- C:\Windows\TEMP\exlzs73z8luofgg.exe
  C:\Windows\TEMP\exlzs73z8luofgg.exe -r 24964 tcp
  2⤵
  - Executes dropped EXE
  PID:2380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\exlzs73z8iamfggcus4uw.exe

Filesize
796KB

MD5
d16c0cfabc71266f819cf465c4e9f89a

SHA1
990e82e9a0be40842a0bfb4bad88d20867c8f65f

SHA256
e481f04a7aacc075c1ec9744f54cacb61737d57a30344763af1ec5056e93c88a

SHA512
7695f658cd0ceed4a7c69f5d37c84e03ea7992219f1a028b2ceda250a6c5f913dab520348de6b661ad85d3c7067e8e4bf112348eeec9eb6aa7c562cf142a9ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\exlzs73z8iamfggcus4uw.exe

Filesize
796KB

MD5
d16c0cfabc71266f819cf465c4e9f89a

SHA1
990e82e9a0be40842a0bfb4bad88d20867c8f65f

SHA256
e481f04a7aacc075c1ec9744f54cacb61737d57a30344763af1ec5056e93c88a

SHA512
7695f658cd0ceed4a7c69f5d37c84e03ea7992219f1a028b2ceda250a6c5f913dab520348de6b661ad85d3c7067e8e4bf112348eeec9eb6aa7c562cf142a9ed4

Download Submit
C:\Windows\TEMP\exlzs73z8luofgg.exe

Filesize
34KB

MD5
476f447617f65eebf35c52d4fd3b3188

SHA1
179ee6e698803a45be916f107638f01d553d6e65

SHA256
a8c7fd29a25658f115213c3516dd8f77d44d42c40f9348996443e593d878dcf0

SHA512
37c51cb92a2adaa3fdb70ae41c95f5499e25cc772020d6c701ef9ce157320017ae207896dcc0e27b9841d0b7890a8b37440bff6dfa0468dc01f72275d4c820f9

Download Submit
C:\Windows\Temp\exlzs73z8luofgg.exe

Filesize
34KB

MD5
476f447617f65eebf35c52d4fd3b3188

SHA1
179ee6e698803a45be916f107638f01d553d6e65

SHA256
a8c7fd29a25658f115213c3516dd8f77d44d42c40f9348996443e593d878dcf0

SHA512
37c51cb92a2adaa3fdb70ae41c95f5499e25cc772020d6c701ef9ce157320017ae207896dcc0e27b9841d0b7890a8b37440bff6dfa0468dc01f72275d4c820f9

Download Submit
C:\Windows\qaejoszxsfqoj\etc

Filesize
10B

MD5
f88afa0fa241403dfd98c4a821363068

SHA1
51222887163b34f02dc35eaffbb127940b44ec91

SHA256
3ec913f1de6e549c24261b68f8623fcd609afcc301985d231414cbaa09e2b55e

SHA512
e836a09cab1a5d9663da898b1a23f322dfae5244ec88282b7135b2c7fda47682cf490b0bac3a1fc7555b931bfc1f12a5892ee7dedc2c9238b45e9b86ff56814b

Download Submit
C:\Windows\qaejoszxsfqoj\rng

Filesize
4B

MD5
3bf81e2bf6dc61706efb9a6dadc5793a

SHA1
bf1bbfb3b5aaddbc5065b8440ea616d84fad8ff2

SHA256
961ae28829f0b1cfbd073eff070ac5ea8994618c0e84fab4764367464a14b854

SHA512
354f74cb52f314226a6021c5745799d05a0c8ba21246c9717b8ce211193603c4704b72332f80576d15b14d76c8f772cd5b6fa7a10acb60fab67411573f732b1c

Download Submit
C:\Windows\qaejoszxsfqoj\tst

Filesize
10B

MD5
d9e0d258df86c6859951b803fa0e539c

SHA1
d04df79fdffa92605bdc478f4247fa2b55fceb7f

SHA256
e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e

SHA512
8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Download Submit
C:\Windows\qaejoszxsfqoj\tst

Filesize
10B

MD5
d9e0d258df86c6859951b803fa0e539c

SHA1
d04df79fdffa92605bdc478f4247fa2b55fceb7f

SHA256
e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e

SHA512
8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Download Submit
C:\Windows\qaejoszxsfqoj\tst

Filesize
10B

MD5
d9e0d258df86c6859951b803fa0e539c

SHA1
d04df79fdffa92605bdc478f4247fa2b55fceb7f

SHA256
e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e

SHA512
8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Download Submit
C:\Windows\qaejoszxsfqoj\tst

Filesize
10B

MD5
d9e0d258df86c6859951b803fa0e539c

SHA1
d04df79fdffa92605bdc478f4247fa2b55fceb7f

SHA256
e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e

SHA512
8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Download Submit
C:\Windows\uivednejprd.exe

Filesize
796KB

MD5
d16c0cfabc71266f819cf465c4e9f89a

SHA1
990e82e9a0be40842a0bfb4bad88d20867c8f65f

SHA256
e481f04a7aacc075c1ec9744f54cacb61737d57a30344763af1ec5056e93c88a

SHA512
7695f658cd0ceed4a7c69f5d37c84e03ea7992219f1a028b2ceda250a6c5f913dab520348de6b661ad85d3c7067e8e4bf112348eeec9eb6aa7c562cf142a9ed4

Download Submit
C:\Windows\uivednejprd.exe

Filesize
796KB

MD5
d16c0cfabc71266f819cf465c4e9f89a

SHA1
990e82e9a0be40842a0bfb4bad88d20867c8f65f

SHA256
e481f04a7aacc075c1ec9744f54cacb61737d57a30344763af1ec5056e93c88a

SHA512
7695f658cd0ceed4a7c69f5d37c84e03ea7992219f1a028b2ceda250a6c5f913dab520348de6b661ad85d3c7067e8e4bf112348eeec9eb6aa7c562cf142a9ed4

Download Submit
C:\Windows\uivednejprd.exe

Filesize
796KB

MD5
d16c0cfabc71266f819cf465c4e9f89a

SHA1
990e82e9a0be40842a0bfb4bad88d20867c8f65f

SHA256
e481f04a7aacc075c1ec9744f54cacb61737d57a30344763af1ec5056e93c88a

SHA512
7695f658cd0ceed4a7c69f5d37c84e03ea7992219f1a028b2ceda250a6c5f913dab520348de6b661ad85d3c7067e8e4bf112348eeec9eb6aa7c562cf142a9ed4

Download Submit
C:\Windows\umwullmunfiw.exe

Filesize
796KB

MD5
d16c0cfabc71266f819cf465c4e9f89a

SHA1
990e82e9a0be40842a0bfb4bad88d20867c8f65f

SHA256
e481f04a7aacc075c1ec9744f54cacb61737d57a30344763af1ec5056e93c88a

SHA512
7695f658cd0ceed4a7c69f5d37c84e03ea7992219f1a028b2ceda250a6c5f913dab520348de6b661ad85d3c7067e8e4bf112348eeec9eb6aa7c562cf142a9ed4

Download Submit
C:\Windows\umwullmunfiw.exe

Filesize
796KB

MD5
d16c0cfabc71266f819cf465c4e9f89a

SHA1
990e82e9a0be40842a0bfb4bad88d20867c8f65f

SHA256
e481f04a7aacc075c1ec9744f54cacb61737d57a30344763af1ec5056e93c88a

SHA512
7695f658cd0ceed4a7c69f5d37c84e03ea7992219f1a028b2ceda250a6c5f913dab520348de6b661ad85d3c7067e8e4bf112348eeec9eb6aa7c562cf142a9ed4

Download Submit