d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5

General

Target

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
Size

128KB
MD5

98ca98af6e716cb5a6bfff5cebc1e9b4
SHA1

45b5b309ee779a139fb5ec86f1785a0c1962903a
SHA256

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5
SHA512

0e78721183993822a68669a2e29fd015f98e41a6cc38154c1b774cdba28d586c4003dc8db27e2dbab6793868415d3d00c06002fe0d16bef2ea23f01684ed37b7
SSDEEP

3072:vhlM6ftRbpsd/D6/tTkM2QjBiebMRIFHVE6+o/WdWKXkYiRwbiC:NLMYP/gWKXk

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe

Executes dropped EXE 2 IoCs

Processes:

tMdlgiTa0.exetMdlgiTa0.exe

pid process

1052 tMdlgiTa0.exe
1312 tMdlgiTa0.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

476 netsh.exe
1964 netsh.exe

pid	process
1052	tMdlgiTa0.exe
1312	tMdlgiTa0.exe

pid	process
476	netsh.exe
1964	netsh.exe

Loads dropped DLL 2 IoCs

Processes:

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe

pid	process
1984	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
1984	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\tMdlgiTa0 = "C:\\ProgramData\\3cfdec86b2da3c13a849930b80390b04\\tMdlgiTa0.exe"	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 bot.whatismyipaddress.com

flow	ioc
5	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exetMdlgiTa0.exe

description	pid	process	target process
PID 1420 set thread context of 1984	1420	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1052 set thread context of 1312	1052	tMdlgiTa0.exe	tMdlgiTa0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exetMdlgiTa0.exe

pid process

1984 d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
1312 tMdlgiTa0.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exed43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exetMdlgiTa0.exetMdlgiTa0.exe

description	pid	process
Token: SeDebugPrivilege	1420	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
Token: SeDebugPrivilege	1984	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
Token: SeDebugPrivilege	1984	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
Token: SeDebugPrivilege	1984	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
Token: SeDebugPrivilege	1052	tMdlgiTa0.exe
Token: SeDebugPrivilege	1312	tMdlgiTa0.exe
Token: SeDebugPrivilege	1312	tMdlgiTa0.exe
Token: SeDebugPrivilege	1312	tMdlgiTa0.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exed43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exetMdlgiTa0.exetMdlgiTa0.exe

description	pid	process	target process
PID 1420 wrote to memory of 1984	1420	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1420 wrote to memory of 1984	1420	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1420 wrote to memory of 1984	1420	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1420 wrote to memory of 1984	1420	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1420 wrote to memory of 1984	1420	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1420 wrote to memory of 1984	1420	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1420 wrote to memory of 1984	1420	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1420 wrote to memory of 1984	1420	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1420 wrote to memory of 1984	1420	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1984 wrote to memory of 476	1984	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	netsh.exe
PID 1984 wrote to memory of 476	1984	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	netsh.exe
PID 1984 wrote to memory of 476	1984	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	netsh.exe
PID 1984 wrote to memory of 476	1984	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	netsh.exe
PID 1984 wrote to memory of 1052	1984	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	tMdlgiTa0.exe
PID 1984 wrote to memory of 1052	1984	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	tMdlgiTa0.exe
PID 1984 wrote to memory of 1052	1984	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	tMdlgiTa0.exe
PID 1984 wrote to memory of 1052	1984	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	tMdlgiTa0.exe
PID 1052 wrote to memory of 1312	1052	tMdlgiTa0.exe	tMdlgiTa0.exe
PID 1052 wrote to memory of 1312	1052	tMdlgiTa0.exe	tMdlgiTa0.exe
PID 1052 wrote to memory of 1312	1052	tMdlgiTa0.exe	tMdlgiTa0.exe
PID 1052 wrote to memory of 1312	1052	tMdlgiTa0.exe	tMdlgiTa0.exe
PID 1052 wrote to memory of 1312	1052	tMdlgiTa0.exe	tMdlgiTa0.exe
PID 1052 wrote to memory of 1312	1052	tMdlgiTa0.exe	tMdlgiTa0.exe
PID 1052 wrote to memory of 1312	1052	tMdlgiTa0.exe	tMdlgiTa0.exe
PID 1052 wrote to memory of 1312	1052	tMdlgiTa0.exe	tMdlgiTa0.exe
PID 1052 wrote to memory of 1312	1052	tMdlgiTa0.exe	tMdlgiTa0.exe
PID 1312 wrote to memory of 1964	1312	tMdlgiTa0.exe	netsh.exe
PID 1312 wrote to memory of 1964	1312	tMdlgiTa0.exe	netsh.exe
PID 1312 wrote to memory of 1964	1312	tMdlgiTa0.exe	netsh.exe
PID 1312 wrote to memory of 1964	1312	tMdlgiTa0.exe	netsh.exe
PID 1312 wrote to memory of 1880	1312	tMdlgiTa0.exe	WScript.exe
PID 1312 wrote to memory of 1880	1312	tMdlgiTa0.exe	WScript.exe
PID 1312 wrote to memory of 1880	1312	tMdlgiTa0.exe	WScript.exe
PID 1312 wrote to memory of 1880	1312	tMdlgiTa0.exe	WScript.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe

C:\Users\Admin\AppData\Local\Temp\d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
"C:\Users\Admin\AppData\Local\Temp\d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
"C:\Users\Admin\AppData\Local\Temp\d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe"
2⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1984

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
3⤵
- Modifies Windows Firewall
PID:476

C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\tMdlgiTa0.exe
"C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\tMdlgiTa0.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052

C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\tMdlgiTa0.exe
"C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\tMdlgiTa0.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
5⤵
- Modifies Windows Firewall
PID:1964

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\RKUTjEo.vbs"
5⤵
PID:1880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\.{1e69ee4b-0de4-3437-8433-efecf940be05}\1e69ee4b0de434378433efecf940be05

Filesize
43B

MD5
13f633e687377315a794c44697c197ea

SHA1
6de424807f1b73c24200050fd01670010ec534ce

SHA256
1e6b5f58e8505dc4d8447f6b1488bdaa0a7545a58be8eacfae02368d44beffac

SHA512
66520c5260e65565e8d99218f88477fd4b6c60ec8e8ad4c14258cec307304e4ba57c1217055c70d9bad2084bd1a3b1f2c144b0abf6fd2c8ed9307b877453cdf8

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\tMdlgiTa0.exe

Filesize
128KB

MD5
98ca98af6e716cb5a6bfff5cebc1e9b4

SHA1
45b5b309ee779a139fb5ec86f1785a0c1962903a

SHA256
d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5

SHA512
0e78721183993822a68669a2e29fd015f98e41a6cc38154c1b774cdba28d586c4003dc8db27e2dbab6793868415d3d00c06002fe0d16bef2ea23f01684ed37b7

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\tMdlgiTa0.exe

Filesize
128KB

MD5
98ca98af6e716cb5a6bfff5cebc1e9b4

SHA1
45b5b309ee779a139fb5ec86f1785a0c1962903a

SHA256
d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5

SHA512
0e78721183993822a68669a2e29fd015f98e41a6cc38154c1b774cdba28d586c4003dc8db27e2dbab6793868415d3d00c06002fe0d16bef2ea23f01684ed37b7

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\tMdlgiTa0.exe

Filesize
128KB

MD5
98ca98af6e716cb5a6bfff5cebc1e9b4

SHA1
45b5b309ee779a139fb5ec86f1785a0c1962903a

SHA256
d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5

SHA512
0e78721183993822a68669a2e29fd015f98e41a6cc38154c1b774cdba28d586c4003dc8db27e2dbab6793868415d3d00c06002fe0d16bef2ea23f01684ed37b7

Download Submit
C:\ProgramData\RKUTjEo.vbs

Filesize
684B

MD5
632cbf91fe5558f76df0c55163122541

SHA1
3af76520cff3d928a66a6f997a6ac0ba18bb9eef

SHA256
6adbd648e243599151cb272ebb7ed142d11b12b91b84f4b3b1a5203c65d27ddd

SHA512
0641ac2d1f863394821a698b71b0f220cac8ac71c116839fcf79cff99117108ce9452203ec5ac07c2933b30ec8c466e2b72fbf35f5d61c55e920b8e895995cd8

Download Submit
\ProgramData\3cfdec86b2da3c13a849930b80390b04\tMdlgiTa0.exe

Filesize
128KB

MD5
98ca98af6e716cb5a6bfff5cebc1e9b4

SHA1
45b5b309ee779a139fb5ec86f1785a0c1962903a

SHA256
d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5

SHA512
0e78721183993822a68669a2e29fd015f98e41a6cc38154c1b774cdba28d586c4003dc8db27e2dbab6793868415d3d00c06002fe0d16bef2ea23f01684ed37b7

Download Submit
\ProgramData\3cfdec86b2da3c13a849930b80390b04\tMdlgiTa0.exe

Filesize
128KB

MD5
98ca98af6e716cb5a6bfff5cebc1e9b4

SHA1
45b5b309ee779a139fb5ec86f1785a0c1962903a

SHA256
d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5

SHA512
0e78721183993822a68669a2e29fd015f98e41a6cc38154c1b774cdba28d586c4003dc8db27e2dbab6793868415d3d00c06002fe0d16bef2ea23f01684ed37b7

Download Submit
memory/476-69-0x0000000000000000-mapping.dmp

Download
memory/1052-90-0x0000000074F60000-0x000000007550B000-memory.dmp

Filesize
5.7MB

Download
memory/1052-75-0x0000000000000000-mapping.dmp

Download
memory/1312-100-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/1312-86-0x000000000041750A-mapping.dmp

Download
memory/1312-101-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/1420-66-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/1420-54-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1420-63-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-97-0x0000000000000000-mapping.dmp

Download
memory/1964-95-0x0000000000000000-mapping.dmp

Download
memory/1984-72-0x0000000074F60000-0x000000007550B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-79-0x0000000074F60000-0x000000007550B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1984-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1984-70-0x0000000074F60000-0x000000007550B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1984-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1984-67-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1984-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1984-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1984-61-0x000000000041750A-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads