037b0b36c95863c4bda5fd253aeaad14ce2c474c9e85960c0566d1e745ba6a63

General

Target

037b0b36c95863c4bda5fd253aeaad14ce2c474c9e85960c0566d1e745ba6a63.exe
Size

62KB
MD5

6edd77d022c2f8f29152e072c069180d
SHA1

556a96ed5324d4c2047070c202a9ec529a00493b
SHA256

037b0b36c95863c4bda5fd253aeaad14ce2c474c9e85960c0566d1e745ba6a63
SHA512

e1be86d46ef7e4fa3ca45bb9f28683faf629c0430ea06450c940eb6d19d8f11a74e0f07af875aa03bd4ffba4fd40f607333a2c4ffaeea46b3d8e269bda04c573
SSDEEP

1536:55EuP0eL+lmnDmD8lyv6oQoZ2x5lerx0LbOMfhnMIw:HEuMeL+l0ah6om5U10ff0

Score

10^/10

evasion trojan upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	netinfo.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	netinfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	netinfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	netinfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	netinfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	netinfo.exe

Executes dropped EXE 1 IoCs

pid	Process
636	netinfo.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	037b0b36c95863c4bda5fd253aeaad14ce2c474c9e85960c0566d1e745ba6a63.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	netinfo.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3180-132-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/files/0x0003000000022dfb-133.dat	upx
behavioral2/files/0x0003000000022dfb-134.dat	upx

Windows security modification 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	netinfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	netinfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	netinfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	netinfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	netinfo.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\orans.sys	netinfo.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\netinfo.exe	037b0b36c95863c4bda5fd253aeaad14ce2c474c9e85960c0566d1e745ba6a63.exe
File created	C:\Windows\netinfo.exe	037b0b36c95863c4bda5fd253aeaad14ce2c474c9e85960c0566d1e745ba6a63.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	netinfo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	netinfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	netinfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	netinfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	netinfo.exe

C:\Users\Admin\AppData\Local\Temp\037b0b36c95863c4bda5fd253aeaad14ce2c474c9e85960c0566d1e745ba6a63.exe
"C:\Users\Admin\AppData\Local\Temp\037b0b36c95863c4bda5fd253aeaad14ce2c474c9e85960c0566d1e745ba6a63.exe"
1⤵
- Looks for VMWare Tools registry key
- Drops file in Windows directory
PID:3180

C:\Windows\netinfo.exe
"C:\Windows\netinfo.exe"
1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Windows security modification
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\netinfo.exe

Filesize
62KB

MD5
6edd77d022c2f8f29152e072c069180d

SHA1
556a96ed5324d4c2047070c202a9ec529a00493b

SHA256
037b0b36c95863c4bda5fd253aeaad14ce2c474c9e85960c0566d1e745ba6a63

SHA512
e1be86d46ef7e4fa3ca45bb9f28683faf629c0430ea06450c940eb6d19d8f11a74e0f07af875aa03bd4ffba4fd40f607333a2c4ffaeea46b3d8e269bda04c573

Download Submit
C:\Windows\netinfo.exe

Filesize
62KB

MD5
6edd77d022c2f8f29152e072c069180d

SHA1
556a96ed5324d4c2047070c202a9ec529a00493b

SHA256
037b0b36c95863c4bda5fd253aeaad14ce2c474c9e85960c0566d1e745ba6a63

SHA512
e1be86d46ef7e4fa3ca45bb9f28683faf629c0430ea06450c940eb6d19d8f11a74e0f07af875aa03bd4ffba4fd40f607333a2c4ffaeea46b3d8e269bda04c573

Download Submit
memory/636-136-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3180-132-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3180-135-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads