2a817b41fcb5a4794bf4ba9b9c5be586614d349470e46797435ef15be8a2195c

Analysis

max time kernel
193s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a817b41fcb5a4794bf4ba9b9c5be586614d349470e46797435ef15be8a2195c.exe
Size

829KB
MD5

0d0581a460a3cf637fe8c23c7d37d186
SHA1

6e179f50aebff9e263f25778f3dbeac84c7bcc58
SHA256

2a817b41fcb5a4794bf4ba9b9c5be586614d349470e46797435ef15be8a2195c
SHA512

3f58f1464b6f77af100292d364e52f744e47c1b4d6a747300f07ad474ffc2a6ca2a5bd1268e04d13efe9aea2014e939a690adefa41442ed8e3d5236ab402902b
SSDEEP

24576:o4bzLIHR5Oug2Z3MpcupcuIc/iEcJ/7sF:hL5oOLcuB/QRsF

Score

10^/10

evasion trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"	nbszgdos.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1"	nbszgdos.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"	nbszgdos.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1"	nbszgdos.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	v4xlci3z8st3j0bydsxfldz.exe

Executes dropped EXE 5 IoCs

pid	Process
2580	v4xlci3z8st3j0bydsxfldz.exe
2112	nbszgdos.exe
4736	zilggyevwd.exe
1604	nbszgdos.exe
6100	v4xlci3z97boj0byd.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
3448	netsh.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"	nbszgdos.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1"	nbszgdos.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"	nbszgdos.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1"	nbszgdos.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\zilggyevwd.exe	nbszgdos.exe
File created	C:\Windows\beichewhfxalelg\rng	nbszgdos.exe
File opened for modification	C:\Windows\beichewhfxalelg\rng	nbszgdos.exe
File created	C:\Windows\beichewhfxalelg\cfg	nbszgdos.exe
File created	C:\Windows\beichewhfxalelg\tst	2a817b41fcb5a4794bf4ba9b9c5be586614d349470e46797435ef15be8a2195c.exe
File created	C:\Windows\zilggyevwd.exe	nbszgdos.exe
File opened for modification	C:\Windows\beichewhfxalelg\tst	nbszgdos.exe
File opened for modification	C:\Windows\beichewhfxalelg\	nbszgdos.exe
File opened for modification	C:\Windows\beichewhfxalelg\	2a817b41fcb5a4794bf4ba9b9c5be586614d349470e46797435ef15be8a2195c.exe
File opened for modification	C:\Windows\beichewhfxalelg\tst	v4xlci3z8st3j0bydsxfldz.exe
File opened for modification	C:\Windows\nbszgdos.exe	v4xlci3z8st3j0bydsxfldz.exe
File created	C:\Windows\nbszgdos.exe	v4xlci3z8st3j0bydsxfldz.exe
File opened for modification	C:\Windows\beichewhfxalelg\lck	nbszgdos.exe
File created	C:\Windows\beichewhfxalelg\run	nbszgdos.exe
File opened for modification	C:\Windows\beichewhfxalelg\tst	zilggyevwd.exe
File opened for modification	C:\Windows\beichewhfxalelg\	zilggyevwd.exe
File opened for modification	C:\Windows\beichewhfxalelg\	v4xlci3z8st3j0bydsxfldz.exe
File created	C:\Windows\beichewhfxalelg\lck	v4xlci3z8st3j0bydsxfldz.exe
File created	C:\Windows\beichewhfxalelg\etc	v4xlci3z8st3j0bydsxfldz.exe
File opened for modification	C:\Windows\beichewhfxalelg\tst	nbszgdos.exe
File opened for modification	C:\Windows\beichewhfxalelg\	nbszgdos.exe
File created	C:\Windows\beichewhfxalelg\lck	nbszgdos.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
2112	nbszgdos.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe
4736	zilggyevwd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 2580	1380	2a817b41fcb5a4794bf4ba9b9c5be586614d349470e46797435ef15be8a2195c.exe	80
PID 1380 wrote to memory of 2580	1380	2a817b41fcb5a4794bf4ba9b9c5be586614d349470e46797435ef15be8a2195c.exe	80
PID 1380 wrote to memory of 2580	1380	2a817b41fcb5a4794bf4ba9b9c5be586614d349470e46797435ef15be8a2195c.exe	80
PID 2112 wrote to memory of 4736	2112	nbszgdos.exe	82
PID 2112 wrote to memory of 4736	2112	nbszgdos.exe	82
PID 2112 wrote to memory of 4736	2112	nbszgdos.exe	82
PID 2112 wrote to memory of 3448	2112	nbszgdos.exe	83
PID 2112 wrote to memory of 3448	2112	nbszgdos.exe	83
PID 2112 wrote to memory of 3448	2112	nbszgdos.exe	83
PID 2580 wrote to memory of 1604	2580	v4xlci3z8st3j0bydsxfldz.exe	85
PID 2580 wrote to memory of 1604	2580	v4xlci3z8st3j0bydsxfldz.exe	85
PID 2580 wrote to memory of 1604	2580	v4xlci3z8st3j0bydsxfldz.exe	85
PID 2112 wrote to memory of 6100	2112	nbszgdos.exe	86
PID 2112 wrote to memory of 6100	2112	nbszgdos.exe	86
PID 2112 wrote to memory of 6100	2112	nbszgdos.exe	86

C:\Users\Admin\AppData\Local\Temp\2a817b41fcb5a4794bf4ba9b9c5be586614d349470e46797435ef15be8a2195c.exe
"C:\Users\Admin\AppData\Local\Temp\2a817b41fcb5a4794bf4ba9b9c5be586614d349470e46797435ef15be8a2195c.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\v4xlci3z8st3j0bydsxfldz.exe
  "C:\Users\Admin\AppData\Local\Temp\v4xlci3z8st3j0bydsxfldz.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\nbszgdos.exe
    "C:\Windows\nbszgdos.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1604

C:\Windows\nbszgdos.exe
C:\Windows\nbszgdos.exe
1⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\zilggyevwd.exe
  WATCHDOGPROC "c:\windows\nbszgdos.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4736
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  PID:3448
- C:\Windows\TEMP\v4xlci3z97boj0byd.exe
  C:\Windows\TEMP\v4xlci3z97boj0byd.exe -r 22533 tcp
  2⤵
  - Executes dropped EXE
  PID:6100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\v4xlci3z8st3j0bydsxfldz.exe

Filesize
829KB

MD5
0d0581a460a3cf637fe8c23c7d37d186

SHA1
6e179f50aebff9e263f25778f3dbeac84c7bcc58

SHA256
2a817b41fcb5a4794bf4ba9b9c5be586614d349470e46797435ef15be8a2195c

SHA512
3f58f1464b6f77af100292d364e52f744e47c1b4d6a747300f07ad474ffc2a6ca2a5bd1268e04d13efe9aea2014e939a690adefa41442ed8e3d5236ab402902b

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4xlci3z8st3j0bydsxfldz.exe

Filesize
829KB

MD5
0d0581a460a3cf637fe8c23c7d37d186

SHA1
6e179f50aebff9e263f25778f3dbeac84c7bcc58

SHA256
2a817b41fcb5a4794bf4ba9b9c5be586614d349470e46797435ef15be8a2195c

SHA512
3f58f1464b6f77af100292d364e52f744e47c1b4d6a747300f07ad474ffc2a6ca2a5bd1268e04d13efe9aea2014e939a690adefa41442ed8e3d5236ab402902b

Download Submit
C:\Windows\TEMP\v4xlci3z97boj0byd.exe

Filesize
34KB

MD5
476f447617f65eebf35c52d4fd3b3188

SHA1
179ee6e698803a45be916f107638f01d553d6e65

SHA256
a8c7fd29a25658f115213c3516dd8f77d44d42c40f9348996443e593d878dcf0

SHA512
37c51cb92a2adaa3fdb70ae41c95f5499e25cc772020d6c701ef9ce157320017ae207896dcc0e27b9841d0b7890a8b37440bff6dfa0468dc01f72275d4c820f9

Download Submit
C:\Windows\Temp\v4xlci3z97boj0byd.exe

Filesize
34KB

MD5
476f447617f65eebf35c52d4fd3b3188

SHA1
179ee6e698803a45be916f107638f01d553d6e65

SHA256
a8c7fd29a25658f115213c3516dd8f77d44d42c40f9348996443e593d878dcf0

SHA512
37c51cb92a2adaa3fdb70ae41c95f5499e25cc772020d6c701ef9ce157320017ae207896dcc0e27b9841d0b7890a8b37440bff6dfa0468dc01f72275d4c820f9

Download Submit
C:\Windows\beichewhfxalelg\etc

Filesize
10B

MD5
f88afa0fa241403dfd98c4a821363068

SHA1
51222887163b34f02dc35eaffbb127940b44ec91

SHA256
3ec913f1de6e549c24261b68f8623fcd609afcc301985d231414cbaa09e2b55e

SHA512
e836a09cab1a5d9663da898b1a23f322dfae5244ec88282b7135b2c7fda47682cf490b0bac3a1fc7555b931bfc1f12a5892ee7dedc2c9238b45e9b86ff56814b

Download Submit
C:\Windows\beichewhfxalelg\rng

Filesize
4B

MD5
3bf81e2bf6dc61706efb9a6dadc5793a

SHA1
bf1bbfb3b5aaddbc5065b8440ea616d84fad8ff2

SHA256
961ae28829f0b1cfbd073eff070ac5ea8994618c0e84fab4764367464a14b854

SHA512
354f74cb52f314226a6021c5745799d05a0c8ba21246c9717b8ce211193603c4704b72332f80576d15b14d76c8f772cd5b6fa7a10acb60fab67411573f732b1c

Download Submit
C:\Windows\beichewhfxalelg\tst

Filesize
10B

MD5
d9e0d258df86c6859951b803fa0e539c

SHA1
d04df79fdffa92605bdc478f4247fa2b55fceb7f

SHA256
e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e

SHA512
8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Download Submit
C:\Windows\beichewhfxalelg\tst

Filesize
10B

MD5
d9e0d258df86c6859951b803fa0e539c

SHA1
d04df79fdffa92605bdc478f4247fa2b55fceb7f

SHA256
e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e

SHA512
8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Download Submit
C:\Windows\beichewhfxalelg\tst

Filesize
10B

MD5
d9e0d258df86c6859951b803fa0e539c

SHA1
d04df79fdffa92605bdc478f4247fa2b55fceb7f

SHA256
e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e

SHA512
8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Download Submit
C:\Windows\beichewhfxalelg\tst

Filesize
10B

MD5
d9e0d258df86c6859951b803fa0e539c

SHA1
d04df79fdffa92605bdc478f4247fa2b55fceb7f

SHA256
e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e

SHA512
8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Download Submit
C:\Windows\nbszgdos.exe

Filesize
829KB

MD5
0d0581a460a3cf637fe8c23c7d37d186

SHA1
6e179f50aebff9e263f25778f3dbeac84c7bcc58

SHA256
2a817b41fcb5a4794bf4ba9b9c5be586614d349470e46797435ef15be8a2195c

SHA512
3f58f1464b6f77af100292d364e52f744e47c1b4d6a747300f07ad474ffc2a6ca2a5bd1268e04d13efe9aea2014e939a690adefa41442ed8e3d5236ab402902b

Download Submit
C:\Windows\nbszgdos.exe

Filesize
829KB

MD5
0d0581a460a3cf637fe8c23c7d37d186

SHA1
6e179f50aebff9e263f25778f3dbeac84c7bcc58

SHA256
2a817b41fcb5a4794bf4ba9b9c5be586614d349470e46797435ef15be8a2195c

SHA512
3f58f1464b6f77af100292d364e52f744e47c1b4d6a747300f07ad474ffc2a6ca2a5bd1268e04d13efe9aea2014e939a690adefa41442ed8e3d5236ab402902b

Download Submit
C:\Windows\nbszgdos.exe

Filesize
829KB

MD5
0d0581a460a3cf637fe8c23c7d37d186

SHA1
6e179f50aebff9e263f25778f3dbeac84c7bcc58

SHA256
2a817b41fcb5a4794bf4ba9b9c5be586614d349470e46797435ef15be8a2195c

SHA512
3f58f1464b6f77af100292d364e52f744e47c1b4d6a747300f07ad474ffc2a6ca2a5bd1268e04d13efe9aea2014e939a690adefa41442ed8e3d5236ab402902b

Download Submit
C:\Windows\zilggyevwd.exe

Filesize
829KB

MD5
0d0581a460a3cf637fe8c23c7d37d186

SHA1
6e179f50aebff9e263f25778f3dbeac84c7bcc58

SHA256
2a817b41fcb5a4794bf4ba9b9c5be586614d349470e46797435ef15be8a2195c

SHA512
3f58f1464b6f77af100292d364e52f744e47c1b4d6a747300f07ad474ffc2a6ca2a5bd1268e04d13efe9aea2014e939a690adefa41442ed8e3d5236ab402902b

Download Submit
C:\Windows\zilggyevwd.exe

Filesize
829KB

MD5
0d0581a460a3cf637fe8c23c7d37d186

SHA1
6e179f50aebff9e263f25778f3dbeac84c7bcc58

SHA256
2a817b41fcb5a4794bf4ba9b9c5be586614d349470e46797435ef15be8a2195c

SHA512
3f58f1464b6f77af100292d364e52f744e47c1b4d6a747300f07ad474ffc2a6ca2a5bd1268e04d13efe9aea2014e939a690adefa41442ed8e3d5236ab402902b

Download Submit
memory/1604-146-0x0000000000000000-mapping.dmp

Download
memory/2580-132-0x0000000000000000-mapping.dmp

Download
memory/3448-145-0x0000000000000000-mapping.dmp

Download
memory/4736-140-0x0000000000000000-mapping.dmp

Download
memory/6100-149-0x0000000000000000-mapping.dmp

Download