3729e11b37b1d9bbbed4a48b0280b5e37feee694485bb5ad7e37b13c5054806c

Analysis

max time kernel
151s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3729e11b37b1d9bbbed4a48b0280b5e37feee694485bb5ad7e37b13c5054806c.exe
Size

1.2MB
MD5

5ae8e73402852124ab3a71c58d359d50
SHA1

94dff99beb0d0fc55ac33e913c714402bcd1b252
SHA256

3729e11b37b1d9bbbed4a48b0280b5e37feee694485bb5ad7e37b13c5054806c
SHA512

e244f91061932dfd2d1c9adfde57d5417681a7a4ad3b661432b8601f571dbe390c1d8f73ca856ae49b60031df0f29bb8caf2ac94060600b2d1d9eae63b8d8971
SSDEEP

24576:Yf7JHrKwBGwsJWARhuc7UgCYykGIwQ0xPtOlMZm9OneqYdpobTYgqXLXYA:OprKwBGqA/ujpfQKPtsMYoeZAYfbZ

Score

10^/10

evasion trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"	fvegtybxd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1"	fvegtybxd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"	fvegtybxd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1"	fvegtybxd.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	ujdjlbj3z7rqwjc9fomcznuu.exe

Executes dropped EXE 5 IoCs

pid	Process
1560	ujdjlbj3z7rqwjc9fomcznuu.exe
5672	fvegtybxd.exe
6624	xvfcuogjjz.exe
7684	fvegtybxd.exe
204	ujdjlbj3z7ukwjc9.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
7612	netsh.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"	fvegtybxd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1"	fvegtybxd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"	fvegtybxd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1"	fvegtybxd.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\fnhzelp\tst	fvegtybxd.exe
File created	C:\Windows\fnhzelp\cfg	fvegtybxd.exe
File opened for modification	C:\Windows\fnhzelp\	fvegtybxd.exe
File opened for modification	C:\Windows\fnhzelp\	3729e11b37b1d9bbbed4a48b0280b5e37feee694485bb5ad7e37b13c5054806c.exe
File opened for modification	C:\Windows\fnhzelp\	ujdjlbj3z7rqwjc9fomcznuu.exe
File created	C:\Windows\fvegtybxd.exe	ujdjlbj3z7rqwjc9fomcznuu.exe
File opened for modification	C:\Windows\fnhzelp\lck	fvegtybxd.exe
File opened for modification	C:\Windows\xvfcuogjjz.exe	fvegtybxd.exe
File opened for modification	C:\Windows\fnhzelp\tst	xvfcuogjjz.exe
File created	C:\Windows\fnhzelp\lck	fvegtybxd.exe
File created	C:\Windows\fnhzelp\tst	3729e11b37b1d9bbbed4a48b0280b5e37feee694485bb5ad7e37b13c5054806c.exe
File created	C:\Windows\fnhzelp\run	fvegtybxd.exe
File opened for modification	C:\Windows\fnhzelp\	xvfcuogjjz.exe
File opened for modification	C:\Windows\fvegtybxd.exe	ujdjlbj3z7rqwjc9fomcznuu.exe
File opened for modification	C:\Windows\fnhzelp\	fvegtybxd.exe
File created	C:\Windows\xvfcuogjjz.exe	fvegtybxd.exe
File created	C:\Windows\fnhzelp\rng	fvegtybxd.exe
File opened for modification	C:\Windows\fnhzelp\rng	fvegtybxd.exe
File opened for modification	C:\Windows\fnhzelp\tst	ujdjlbj3z7rqwjc9fomcznuu.exe
File created	C:\Windows\fnhzelp\lck	ujdjlbj3z7rqwjc9fomcznuu.exe
File created	C:\Windows\fnhzelp\etc	ujdjlbj3z7rqwjc9fomcznuu.exe
File opened for modification	C:\Windows\fnhzelp\tst	fvegtybxd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
5672	fvegtybxd.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe
6624	xvfcuogjjz.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1560	2396	3729e11b37b1d9bbbed4a48b0280b5e37feee694485bb5ad7e37b13c5054806c.exe	84
PID 2396 wrote to memory of 1560	2396	3729e11b37b1d9bbbed4a48b0280b5e37feee694485bb5ad7e37b13c5054806c.exe	84
PID 2396 wrote to memory of 1560	2396	3729e11b37b1d9bbbed4a48b0280b5e37feee694485bb5ad7e37b13c5054806c.exe	84
PID 5672 wrote to memory of 6624	5672	fvegtybxd.exe	86
PID 5672 wrote to memory of 6624	5672	fvegtybxd.exe	86
PID 5672 wrote to memory of 6624	5672	fvegtybxd.exe	86
PID 5672 wrote to memory of 7612	5672	fvegtybxd.exe	87
PID 5672 wrote to memory of 7612	5672	fvegtybxd.exe	87
PID 5672 wrote to memory of 7612	5672	fvegtybxd.exe	87
PID 1560 wrote to memory of 7684	1560	ujdjlbj3z7rqwjc9fomcznuu.exe	89
PID 1560 wrote to memory of 7684	1560	ujdjlbj3z7rqwjc9fomcznuu.exe	89
PID 1560 wrote to memory of 7684	1560	ujdjlbj3z7rqwjc9fomcznuu.exe	89
PID 5672 wrote to memory of 204	5672	fvegtybxd.exe	90
PID 5672 wrote to memory of 204	5672	fvegtybxd.exe	90
PID 5672 wrote to memory of 204	5672	fvegtybxd.exe	90

C:\Users\Admin\AppData\Local\Temp\3729e11b37b1d9bbbed4a48b0280b5e37feee694485bb5ad7e37b13c5054806c.exe
"C:\Users\Admin\AppData\Local\Temp\3729e11b37b1d9bbbed4a48b0280b5e37feee694485bb5ad7e37b13c5054806c.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\ujdjlbj3z7rqwjc9fomcznuu.exe
  "C:\Users\Admin\AppData\Local\Temp\ujdjlbj3z7rqwjc9fomcznuu.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\fvegtybxd.exe
    "C:\Windows\fvegtybxd.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:7684

C:\Windows\fvegtybxd.exe
C:\Windows\fvegtybxd.exe
1⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5672
- C:\Windows\xvfcuogjjz.exe
  WATCHDOGPROC "c:\windows\fvegtybxd.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:6624
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  PID:7612
- C:\Windows\TEMP\ujdjlbj3z7ukwjc9.exe
  C:\Windows\TEMP\ujdjlbj3z7ukwjc9.exe -r 20231 tcp
  2⤵
  - Executes dropped EXE
  PID:204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ujdjlbj3z7rqwjc9fomcznuu.exe

Filesize
1.2MB

MD5
5ae8e73402852124ab3a71c58d359d50

SHA1
94dff99beb0d0fc55ac33e913c714402bcd1b252

SHA256
3729e11b37b1d9bbbed4a48b0280b5e37feee694485bb5ad7e37b13c5054806c

SHA512
e244f91061932dfd2d1c9adfde57d5417681a7a4ad3b661432b8601f571dbe390c1d8f73ca856ae49b60031df0f29bb8caf2ac94060600b2d1d9eae63b8d8971

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujdjlbj3z7rqwjc9fomcznuu.exe

Filesize
1.2MB

MD5
5ae8e73402852124ab3a71c58d359d50

SHA1
94dff99beb0d0fc55ac33e913c714402bcd1b252

SHA256
3729e11b37b1d9bbbed4a48b0280b5e37feee694485bb5ad7e37b13c5054806c

SHA512
e244f91061932dfd2d1c9adfde57d5417681a7a4ad3b661432b8601f571dbe390c1d8f73ca856ae49b60031df0f29bb8caf2ac94060600b2d1d9eae63b8d8971

Download Submit
C:\Windows\TEMP\ujdjlbj3z7ukwjc9.exe

Filesize
34KB

MD5
476f447617f65eebf35c52d4fd3b3188

SHA1
179ee6e698803a45be916f107638f01d553d6e65

SHA256
a8c7fd29a25658f115213c3516dd8f77d44d42c40f9348996443e593d878dcf0

SHA512
37c51cb92a2adaa3fdb70ae41c95f5499e25cc772020d6c701ef9ce157320017ae207896dcc0e27b9841d0b7890a8b37440bff6dfa0468dc01f72275d4c820f9

Download Submit
C:\Windows\Temp\ujdjlbj3z7ukwjc9.exe

Filesize
34KB

MD5
476f447617f65eebf35c52d4fd3b3188

SHA1
179ee6e698803a45be916f107638f01d553d6e65

SHA256
a8c7fd29a25658f115213c3516dd8f77d44d42c40f9348996443e593d878dcf0

SHA512
37c51cb92a2adaa3fdb70ae41c95f5499e25cc772020d6c701ef9ce157320017ae207896dcc0e27b9841d0b7890a8b37440bff6dfa0468dc01f72275d4c820f9

Download Submit
C:\Windows\fnhzelp\etc

Filesize
10B

MD5
f88afa0fa241403dfd98c4a821363068

SHA1
51222887163b34f02dc35eaffbb127940b44ec91

SHA256
3ec913f1de6e549c24261b68f8623fcd609afcc301985d231414cbaa09e2b55e

SHA512
e836a09cab1a5d9663da898b1a23f322dfae5244ec88282b7135b2c7fda47682cf490b0bac3a1fc7555b931bfc1f12a5892ee7dedc2c9238b45e9b86ff56814b

Download Submit
C:\Windows\fnhzelp\rng

Filesize
4B

MD5
40497c86020084c2bbf5445cd18d597a

SHA1
bd3e974b3c0619c84b98c0be0aabf91f4101bc64

SHA256
95289b2dda0e64fd15afd08d382f6af6a1cf08d74d1dc4e3b607d8ca89f23760

SHA512
b2d5bbd49a298259676b4ea9f0fa318f1286aac256ff69250d17a9ed96519ad564be1edd5d4f805e5f60d1fad1249c64f1491e9c2b1d19387220d646cf286779

Download Submit
C:\Windows\fnhzelp\tst

Filesize
10B

MD5
d9e0d258df86c6859951b803fa0e539c

SHA1
d04df79fdffa92605bdc478f4247fa2b55fceb7f

SHA256
e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e

SHA512
8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Download Submit
C:\Windows\fnhzelp\tst

Filesize
10B

MD5
d9e0d258df86c6859951b803fa0e539c

SHA1
d04df79fdffa92605bdc478f4247fa2b55fceb7f

SHA256
e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e

SHA512
8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Download Submit
C:\Windows\fnhzelp\tst

Filesize
10B

MD5
d9e0d258df86c6859951b803fa0e539c

SHA1
d04df79fdffa92605bdc478f4247fa2b55fceb7f

SHA256
e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e

SHA512
8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Download Submit
C:\Windows\fnhzelp\tst

Filesize
10B

MD5
d9e0d258df86c6859951b803fa0e539c

SHA1
d04df79fdffa92605bdc478f4247fa2b55fceb7f

SHA256
e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e

SHA512
8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Download Submit
C:\Windows\fvegtybxd.exe

Filesize
1.2MB

MD5
5ae8e73402852124ab3a71c58d359d50

SHA1
94dff99beb0d0fc55ac33e913c714402bcd1b252

SHA256
3729e11b37b1d9bbbed4a48b0280b5e37feee694485bb5ad7e37b13c5054806c

SHA512
e244f91061932dfd2d1c9adfde57d5417681a7a4ad3b661432b8601f571dbe390c1d8f73ca856ae49b60031df0f29bb8caf2ac94060600b2d1d9eae63b8d8971

Download Submit
C:\Windows\fvegtybxd.exe

Filesize
1.2MB

MD5
5ae8e73402852124ab3a71c58d359d50

SHA1
94dff99beb0d0fc55ac33e913c714402bcd1b252

SHA256
3729e11b37b1d9bbbed4a48b0280b5e37feee694485bb5ad7e37b13c5054806c

SHA512
e244f91061932dfd2d1c9adfde57d5417681a7a4ad3b661432b8601f571dbe390c1d8f73ca856ae49b60031df0f29bb8caf2ac94060600b2d1d9eae63b8d8971

Download Submit
C:\Windows\fvegtybxd.exe

Filesize
1.2MB

MD5
5ae8e73402852124ab3a71c58d359d50

SHA1
94dff99beb0d0fc55ac33e913c714402bcd1b252

SHA256
3729e11b37b1d9bbbed4a48b0280b5e37feee694485bb5ad7e37b13c5054806c

SHA512
e244f91061932dfd2d1c9adfde57d5417681a7a4ad3b661432b8601f571dbe390c1d8f73ca856ae49b60031df0f29bb8caf2ac94060600b2d1d9eae63b8d8971

Download Submit
C:\Windows\xvfcuogjjz.exe

Filesize
1.2MB

MD5
5ae8e73402852124ab3a71c58d359d50

SHA1
94dff99beb0d0fc55ac33e913c714402bcd1b252

SHA256
3729e11b37b1d9bbbed4a48b0280b5e37feee694485bb5ad7e37b13c5054806c

SHA512
e244f91061932dfd2d1c9adfde57d5417681a7a4ad3b661432b8601f571dbe390c1d8f73ca856ae49b60031df0f29bb8caf2ac94060600b2d1d9eae63b8d8971

Download Submit
C:\Windows\xvfcuogjjz.exe

Filesize
1.2MB

MD5
5ae8e73402852124ab3a71c58d359d50

SHA1
94dff99beb0d0fc55ac33e913c714402bcd1b252

SHA256
3729e11b37b1d9bbbed4a48b0280b5e37feee694485bb5ad7e37b13c5054806c

SHA512
e244f91061932dfd2d1c9adfde57d5417681a7a4ad3b661432b8601f571dbe390c1d8f73ca856ae49b60031df0f29bb8caf2ac94060600b2d1d9eae63b8d8971

Download Submit