c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306

Analysis

max time kernel
12s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-10-2022 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
Size

28KB
MD5

2609d2fe1548df223db36557c0da7be9
SHA1

04ed4ab181abf1fe593d861a3a80e81890b55182
SHA256

c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306
SHA512

9f71824a85c4cdc7fefde91f797bf7017ec648726e82a009c52334ab2aa5c6b6209fbfb2d677439d3674383e9755aedfedbb566acdb6f793d18105ec00b9b715
SSDEEP

192:XpVH9RnW5JKaEVDVE4WMdb9EVRhoynQLdgH9C2tNVRmd8MFA93M3pkR:XEo9WMdb9khumdC2tNVwd5ASc

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exec95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

k4.exek4.exek4.exek4.exe

pid process

336 k4.exe
1452 k4.exe
336 k4.exe
1452 k4.exe

pid	process
336	k4.exe
1452	k4.exe
336	k4.exe
1452	k4.exe

Loads dropped DLL 4 IoCs

Processes:

c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exec95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe

pid	process
1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exec95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

k4.exek4.exe

description pid process

Token: SeLoadDriverPrivilege 1452 k4.exe
Token: SeLoadDriverPrivilege 1452 k4.exe

description	pid	process
Token: SeLoadDriverPrivilege	1452	k4.exe
Token: SeLoadDriverPrivilege	1452	k4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exec95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe

pid	process
1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exec95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe

description	pid	process	target process
PID 1696 wrote to memory of 336	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	k4.exe
PID 1696 wrote to memory of 336	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	k4.exe
PID 1696 wrote to memory of 336	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	k4.exe
PID 1696 wrote to memory of 336	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	k4.exe
PID 1696 wrote to memory of 1452	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	k4.exe
PID 1696 wrote to memory of 1452	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	k4.exe
PID 1696 wrote to memory of 1452	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	k4.exe
PID 1696 wrote to memory of 1452	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	k4.exe
PID 1696 wrote to memory of 1620	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	cmd.exe
PID 1696 wrote to memory of 1620	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	cmd.exe
PID 1696 wrote to memory of 1620	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	cmd.exe
PID 1696 wrote to memory of 1620	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	cmd.exe
PID 1696 wrote to memory of 336	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	k4.exe
PID 1696 wrote to memory of 336	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	k4.exe
PID 1696 wrote to memory of 336	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	k4.exe
PID 1696 wrote to memory of 336	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	k4.exe
PID 1696 wrote to memory of 1452	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	k4.exe
PID 1696 wrote to memory of 1452	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	k4.exe
PID 1696 wrote to memory of 1452	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	k4.exe
PID 1696 wrote to memory of 1452	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	k4.exe
PID 1696 wrote to memory of 1620	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	cmd.exe
PID 1696 wrote to memory of 1620	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	cmd.exe
PID 1696 wrote to memory of 1620	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	cmd.exe
PID 1696 wrote to memory of 1620	1696	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe	cmd.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exec95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe

C:\Users\Admin\AppData\Local\Temp\c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
"C:\Users\Admin\AppData\Local\Temp\c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1696

C:\Users\Public\Documents\k4.exe
C:/Users/Public/Documents/k4.exe
2⤵
- Executes dropped EXE
PID:336

C:\Users\Public\Documents\k4.exe
C:/Users/Public/Documents/k4.exe /D
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /t /im k4.exe
2⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe
"C:\Users\Admin\AppData\Local\Temp\c95bfa90e6d944194b787fc2bea69f1c5bf8e6acb2968442b1e132373d981306.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1696

C:\Users\Public\Documents\k4.exe
C:/Users/Public/Documents/k4.exe
2⤵
- Executes dropped EXE
PID:336

C:\Users\Public\Documents\k4.exe
C:/Users/Public/Documents/k4.exe /D
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /t /im k4.exe
2⤵
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\k4.exe
Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
C:\Users\Public\Documents\k4.exe
Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
C:\Users\Public\Documents\k4.exe
Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
C:\Users\Public\Documents\k4.exe
Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
C:\Users\Public\Documents\k4.exe
Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
C:\Users\Public\Documents\k4.exe
Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
\Users\Public\Documents\RDSv1.dll
Filesize
35KB

MD5
9a152fabf313fd30018b40a63d86f449

SHA1
6a62ea32e43064ea0151f44f7237401aba836b39

SHA256
70211052fcbc051d0a308aef6186ec15a54a14d01cb60beadebf5d6a2864eac8

SHA512
720a73bdf3bd23c45154bcc8da55fc086b79510a122cda7eb71cfab92b54592f124f101b4ab1b0759a90429d620eec938a83b3c7e800a7878d61688cdd7158c2

Download Submit
\Users\Public\Documents\RDSv1.dll
Filesize
35KB

MD5
9a152fabf313fd30018b40a63d86f449

SHA1
6a62ea32e43064ea0151f44f7237401aba836b39

SHA256
70211052fcbc051d0a308aef6186ec15a54a14d01cb60beadebf5d6a2864eac8

SHA512
720a73bdf3bd23c45154bcc8da55fc086b79510a122cda7eb71cfab92b54592f124f101b4ab1b0759a90429d620eec938a83b3c7e800a7878d61688cdd7158c2

Download Submit
\Users\Public\Documents\k4.exe
Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
\Users\Public\Documents\k4.exe
Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
memory/336-59-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/336-57-0x0000000000000000-mapping.dmp

Download
memory/336-59-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/336-57-0x0000000000000000-mapping.dmp

Download
memory/1452-61-0x0000000000000000-mapping.dmp

Download
memory/1452-61-0x0000000000000000-mapping.dmp

Download
memory/1620-64-0x0000000000000000-mapping.dmp

Download
memory/1620-64-0x0000000000000000-mapping.dmp

Download
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download