8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79

General

Target

8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe
Size

15KB
MD5

e1307845110562239b94640d08755fbf
SHA1

c6452c0d8a7138f37e1d97bd827c9f0da4a09582
SHA256

8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79
SHA512

b298a164acc14cd2a98861ae25005541c166955fdf02fa0ba1ddfcbac4592dd2e4be3df000d3ce23df99b50029c227295814ec26c65fcc47bbc640d99a7c52ee
SSDEEP

384:YXMRDbYNp5T83uXkao2mq+VANj3O8q3Ltln8ka+0PlRcli:l1bYNT83uXka+VANj+3xlnLP0PMl

Score

10^/10

evasion trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2504	k4.exe
5076	k4.exe
2504	k4.exe
5076	k4.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4800-132-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4800-132-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
4800	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe
4800	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4800	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe
4800	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4800	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe
4800	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 2504	4800	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe	85
PID 4800 wrote to memory of 2504	4800	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe	85
PID 4800 wrote to memory of 5076	4800	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe	86
PID 4800 wrote to memory of 5076	4800	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe	86
PID 4800 wrote to memory of 2504	4800	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe	173
PID 4800 wrote to memory of 2504	4800	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe	173
PID 4800 wrote to memory of 5076	4800	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe	174
PID 4800 wrote to memory of 5076	4800	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe	174

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe

C:\Users\Admin\AppData\Local\Temp\8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe
"C:\Users\Admin\AppData\Local\Temp\8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4800
- C:\Users\Public\Documents\k4.exe
  C:/Users/Public/Documents/k4.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Users\Public\Documents\k4.exe
  C:/Users/Public/Documents/k4.exe /D
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /t /im k4.exe
  2⤵
  PID:4228

C:\Users\Admin\AppData\Local\Temp\8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe
"C:\Users\Admin\AppData\Local\Temp\8dba90b3c3a6aa0910626ec52d76104895da7591f8b9e04a67392a179f67eb79.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4800
- C:\Users\Public\Documents\k4.exe
  C:/Users/Public/Documents/k4.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Users\Public\Documents\k4.exe
  C:/Users/Public/Documents/k4.exe /D
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /t /im k4.exe
  2⤵
  PID:4228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\RDSv1.dll

Filesize
1.1MB

MD5
d476c88087a2ca24d7e4d4b03dd83992

SHA1
e71ea8ca8a34fbc711593b156445717f77b0fb17

SHA256
130d3f07cad864d90ca717b22da75f19fd4c712cabdbf1b511c591f1097af0b8

SHA512
0ed1a276a4c0f2b9e6017d439e28c608d50cf8971c85954bf9b730815c478e2fec1c0368acc7f6f1f924d297c6242087b74093a23026ad836734ce311cafafca

Download Submit
C:\Users\Public\Documents\RDSv1.dll

Filesize
1.1MB

MD5
d476c88087a2ca24d7e4d4b03dd83992

SHA1
e71ea8ca8a34fbc711593b156445717f77b0fb17

SHA256
130d3f07cad864d90ca717b22da75f19fd4c712cabdbf1b511c591f1097af0b8

SHA512
0ed1a276a4c0f2b9e6017d439e28c608d50cf8971c85954bf9b730815c478e2fec1c0368acc7f6f1f924d297c6242087b74093a23026ad836734ce311cafafca

Download Submit
C:\Users\Public\Documents\k4.exe

Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
C:\Users\Public\Documents\k4.exe

Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
C:\Users\Public\Documents\k4.exe

Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
C:\Users\Public\Documents\k4.exe

Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
C:\Users\Public\Documents\k4.exe

Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
C:\Users\Public\Documents\k4.exe

Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
memory/4800-132-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4800-138-0x00000000762F0000-0x0000000076490000-memory.dmp

Filesize
1.6MB

Download
memory/4800-1482-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/4800-1488-0x0000000003160000-0x0000000003260000-memory.dmp

Filesize
1024KB

Download
memory/4800-132-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4800-1481-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/4800-134-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/4800-135-0x0000000077500000-0x00000000776A3000-memory.dmp

Filesize
1.6MB

Download
memory/4800-136-0x0000000075C20000-0x0000000075E35000-memory.dmp

Filesize
2.1MB

Download
memory/4800-1488-0x0000000003160000-0x0000000003260000-memory.dmp

Filesize
1024KB

Download
memory/4800-139-0x0000000075A00000-0x0000000075A7A000-memory.dmp

Filesize
488KB

Download
memory/4800-1481-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/4800-1482-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/4800-139-0x0000000075A00000-0x0000000075A7A000-memory.dmp

Filesize
488KB

Download
memory/4800-138-0x00000000762F0000-0x0000000076490000-memory.dmp

Filesize
1.6MB

Download
memory/4800-136-0x0000000075C20000-0x0000000075E35000-memory.dmp

Filesize
2.1MB

Download
memory/4800-134-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/4800-135-0x0000000077500000-0x00000000776A3000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads