d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5

General

Target

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
Size

128KB
MD5

98ca98af6e716cb5a6bfff5cebc1e9b4
SHA1

45b5b309ee779a139fb5ec86f1785a0c1962903a
SHA256

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5
SHA512

0e78721183993822a68669a2e29fd015f98e41a6cc38154c1b774cdba28d586c4003dc8db27e2dbab6793868415d3d00c06002fe0d16bef2ea23f01684ed37b7
SSDEEP

3072:vhlM6ftRbpsd/D6/tTkM2QjBiebMRIFHVE6+o/WdWKXkYiRwbiC:NLMYP/gWKXk

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe

Executes dropped EXE 2 IoCs

Processes:

IninOkenBtio3.exeIninOkenBtio3.exe

pid process

4372 IninOkenBtio3.exe
4364 IninOkenBtio3.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

5100 netsh.exe
1928 netsh.exe

pid	process
4372	IninOkenBtio3.exe
4364	IninOkenBtio3.exe

pid	process
5100	netsh.exe
1928	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exeIninOkenBtio3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	IninOkenBtio3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IninOkenBtio3 = "C:\\ProgramData\\3cfdec86b2da3c13a849930b80390b04\\IninOkenBtio3.exe"	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

51 bot.whatismyipaddress.com

flow	ioc
51	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exeIninOkenBtio3.exe

description	pid	process	target process
PID 1368 set thread context of 4652	1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 4372 set thread context of 4364	4372	IninOkenBtio3.exe	IninOkenBtio3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

IninOkenBtio3.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings IninOkenBtio3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	IninOkenBtio3.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exed43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exeIninOkenBtio3.exe

pid	process
1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
4652	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
4364	IninOkenBtio3.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exed43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exeIninOkenBtio3.exeIninOkenBtio3.exe

description	pid	process
Token: SeDebugPrivilege	1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
Token: SeDebugPrivilege	4652	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
Token: SeDebugPrivilege	4652	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
Token: SeDebugPrivilege	4652	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
Token: SeDebugPrivilege	4372	IninOkenBtio3.exe
Token: SeDebugPrivilege	4364	IninOkenBtio3.exe
Token: SeDebugPrivilege	4364	IninOkenBtio3.exe
Token: SeDebugPrivilege	4364	IninOkenBtio3.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exed43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exeIninOkenBtio3.exeIninOkenBtio3.exe

description	pid	process	target process
PID 1368 wrote to memory of 4336	1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1368 wrote to memory of 4336	1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1368 wrote to memory of 4336	1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1368 wrote to memory of 3708	1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1368 wrote to memory of 3708	1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1368 wrote to memory of 3708	1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1368 wrote to memory of 4652	1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1368 wrote to memory of 4652	1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1368 wrote to memory of 4652	1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1368 wrote to memory of 4652	1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1368 wrote to memory of 4652	1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1368 wrote to memory of 4652	1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1368 wrote to memory of 4652	1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 1368 wrote to memory of 4652	1368	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
PID 4652 wrote to memory of 5100	4652	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	netsh.exe
PID 4652 wrote to memory of 5100	4652	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	netsh.exe
PID 4652 wrote to memory of 5100	4652	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	netsh.exe
PID 4652 wrote to memory of 4372	4652	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	IninOkenBtio3.exe
PID 4652 wrote to memory of 4372	4652	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	IninOkenBtio3.exe
PID 4652 wrote to memory of 4372	4652	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe	IninOkenBtio3.exe
PID 4372 wrote to memory of 4364	4372	IninOkenBtio3.exe	IninOkenBtio3.exe
PID 4372 wrote to memory of 4364	4372	IninOkenBtio3.exe	IninOkenBtio3.exe
PID 4372 wrote to memory of 4364	4372	IninOkenBtio3.exe	IninOkenBtio3.exe
PID 4372 wrote to memory of 4364	4372	IninOkenBtio3.exe	IninOkenBtio3.exe
PID 4372 wrote to memory of 4364	4372	IninOkenBtio3.exe	IninOkenBtio3.exe
PID 4372 wrote to memory of 4364	4372	IninOkenBtio3.exe	IninOkenBtio3.exe
PID 4372 wrote to memory of 4364	4372	IninOkenBtio3.exe	IninOkenBtio3.exe
PID 4372 wrote to memory of 4364	4372	IninOkenBtio3.exe	IninOkenBtio3.exe
PID 4364 wrote to memory of 1928	4364	IninOkenBtio3.exe	netsh.exe
PID 4364 wrote to memory of 1928	4364	IninOkenBtio3.exe	netsh.exe
PID 4364 wrote to memory of 1928	4364	IninOkenBtio3.exe	netsh.exe
PID 4364 wrote to memory of 3996	4364	IninOkenBtio3.exe	WScript.exe
PID 4364 wrote to memory of 3996	4364	IninOkenBtio3.exe	WScript.exe
PID 4364 wrote to memory of 3996	4364	IninOkenBtio3.exe	WScript.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe

C:\Users\Admin\AppData\Local\Temp\d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
"C:\Users\Admin\AppData\Local\Temp\d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
"C:\Users\Admin\AppData\Local\Temp\d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe"
2⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
"C:\Users\Admin\AppData\Local\Temp\d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe"
2⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe
"C:\Users\Admin\AppData\Local\Temp\d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5.exe"
2⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4652

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
3⤵
- Modifies Windows Firewall
PID:5100

C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\IninOkenBtio3.exe
"C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\IninOkenBtio3.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372

C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\IninOkenBtio3.exe
"C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\IninOkenBtio3.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
5⤵
- Modifies Windows Firewall
PID:1928

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\LlPHJBO.vbs"
5⤵
PID:3996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\.{1e69ee4b-0de4-3437-8433-efecf940be05}\1e69ee4b0de434378433efecf940be05

Filesize
43B

MD5
c405f2a5a15148b4d1aa8689cff81d9c

SHA1
c15865a913a5b6ce4c9aca99d1909444d7fe233f

SHA256
b5685dbd5f4d0627583aa10d491b3b154a3e671c73018774a361ae59638b9c03

SHA512
46729aa91352ca698aed5caef50cfc7a3916f50f3f130f1520f86a8813b14abb6e0411bdc69286650e44aa3fce423a4a8a84b453fd59d785f32b067ba2b48377

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\IninOkenBtio3.exe

Filesize
128KB

MD5
98ca98af6e716cb5a6bfff5cebc1e9b4

SHA1
45b5b309ee779a139fb5ec86f1785a0c1962903a

SHA256
d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5

SHA512
0e78721183993822a68669a2e29fd015f98e41a6cc38154c1b774cdba28d586c4003dc8db27e2dbab6793868415d3d00c06002fe0d16bef2ea23f01684ed37b7

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\IninOkenBtio3.exe

Filesize
128KB

MD5
98ca98af6e716cb5a6bfff5cebc1e9b4

SHA1
45b5b309ee779a139fb5ec86f1785a0c1962903a

SHA256
d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5

SHA512
0e78721183993822a68669a2e29fd015f98e41a6cc38154c1b774cdba28d586c4003dc8db27e2dbab6793868415d3d00c06002fe0d16bef2ea23f01684ed37b7

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\IninOkenBtio3.exe

Filesize
128KB

MD5
98ca98af6e716cb5a6bfff5cebc1e9b4

SHA1
45b5b309ee779a139fb5ec86f1785a0c1962903a

SHA256
d43f4310b033e867cf15dbe958cf5c515b1985b9101eef5fb0af7698f3d959c5

SHA512
0e78721183993822a68669a2e29fd015f98e41a6cc38154c1b774cdba28d586c4003dc8db27e2dbab6793868415d3d00c06002fe0d16bef2ea23f01684ed37b7

Download Submit
C:\ProgramData\LlPHJBO.vbs

Filesize
688B

MD5
d6d4f1e6c65e81661c0fb20dcf104336

SHA1
f67f424535773a3166ca7524b3d6dada94de01eb

SHA256
49a3f44e5252ffa66a2e341cf8a74c47f8bc8d147c22a635d6173dc2afcf99a0

SHA512
25d5d459b6849415899c9fbf902cd54d83f04a7e9e28762226b18a7d24fe1311c45bd0e57dbf41d146b532f0319312fbc49cce5e580de1d10389fbfed3551a8c

Download Submit
memory/1368-136-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/1368-132-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/1368-133-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/1928-150-0x0000000000000000-mapping.dmp

Download
memory/3996-153-0x0000000000000000-mapping.dmp

Download
memory/4364-152-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/4364-149-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/4364-144-0x0000000000000000-mapping.dmp

Download
memory/4372-143-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/4372-147-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/4372-140-0x0000000000000000-mapping.dmp

Download
memory/4652-135-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4652-134-0x0000000000000000-mapping.dmp

Download
memory/4652-151-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/4652-139-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/4652-137-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/5100-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads