f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81

General

Target

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
Size

700KB
MD5

4d54b1b6b2eca2398045edc72ad2584c
SHA1

930452dfa938fba49346086d137c653ad0919f04
SHA256

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81
SHA512

719c4d09b16ca13eb2e167db1f968db9b7c6f85e165834215557adc2c3924eb073d2a2c427243bf148927a00c6db131ca486022a00388c6c5b6ee18c763f8b9d
SSDEEP

12288:dM9YxCEHsfcdN9l7IpcD9fR1f36tv4g8PcOUBimJl7CyZv6Xi:aEBsUT9JP8w7ECyZvk

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe

Executes dropped EXE 2 IoCs

Processes:

win-crt-.exewin-crt-.exe

pid process

1288 win-crt-.exe
1572 win-crt-.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

932 netsh.exe
1076 netsh.exe

pid	process
1288	win-crt-.exe
1572	win-crt-.exe

pid	process
932	netsh.exe
1076	netsh.exe

Loads dropped DLL 2 IoCs

Processes:

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe

pid	process
1188	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
1188	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\win-crt- = "C:\\ProgramData\\3cfdec86b2da3c13a849930b80390b04\\win-crt-.exe"	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 bot.whatismyipaddress.com

flow	ioc
5	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exewin-crt-.exe

description	pid	process	target process
PID 1008 set thread context of 1188	1008	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 1288 set thread context of 1572	1288	win-crt-.exe	win-crt-.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exewin-crt-.exe

pid process

1188 f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
1572 win-crt-.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exef7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exewin-crt-.exewin-crt-.exe

description	pid	process
Token: SeDebugPrivilege	1008	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
Token: SeDebugPrivilege	1188	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
Token: SeDebugPrivilege	1188	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
Token: SeDebugPrivilege	1188	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
Token: SeDebugPrivilege	1288	win-crt-.exe
Token: SeDebugPrivilege	1572	win-crt-.exe
Token: SeDebugPrivilege	1572	win-crt-.exe
Token: SeDebugPrivilege	1572	win-crt-.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exef7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exewin-crt-.exewin-crt-.exe

description	pid	process	target process
PID 1008 wrote to memory of 1188	1008	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 1008 wrote to memory of 1188	1008	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 1008 wrote to memory of 1188	1008	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 1008 wrote to memory of 1188	1008	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 1008 wrote to memory of 1188	1008	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 1008 wrote to memory of 1188	1008	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 1008 wrote to memory of 1188	1008	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 1008 wrote to memory of 1188	1008	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 1008 wrote to memory of 1188	1008	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 1188 wrote to memory of 1076	1188	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	netsh.exe
PID 1188 wrote to memory of 1076	1188	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	netsh.exe
PID 1188 wrote to memory of 1076	1188	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	netsh.exe
PID 1188 wrote to memory of 1076	1188	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	netsh.exe
PID 1188 wrote to memory of 1288	1188	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	win-crt-.exe
PID 1188 wrote to memory of 1288	1188	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	win-crt-.exe
PID 1188 wrote to memory of 1288	1188	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	win-crt-.exe
PID 1188 wrote to memory of 1288	1188	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	win-crt-.exe
PID 1288 wrote to memory of 1572	1288	win-crt-.exe	win-crt-.exe
PID 1288 wrote to memory of 1572	1288	win-crt-.exe	win-crt-.exe
PID 1288 wrote to memory of 1572	1288	win-crt-.exe	win-crt-.exe
PID 1288 wrote to memory of 1572	1288	win-crt-.exe	win-crt-.exe
PID 1288 wrote to memory of 1572	1288	win-crt-.exe	win-crt-.exe
PID 1288 wrote to memory of 1572	1288	win-crt-.exe	win-crt-.exe
PID 1288 wrote to memory of 1572	1288	win-crt-.exe	win-crt-.exe
PID 1288 wrote to memory of 1572	1288	win-crt-.exe	win-crt-.exe
PID 1288 wrote to memory of 1572	1288	win-crt-.exe	win-crt-.exe
PID 1572 wrote to memory of 932	1572	win-crt-.exe	netsh.exe
PID 1572 wrote to memory of 932	1572	win-crt-.exe	netsh.exe
PID 1572 wrote to memory of 932	1572	win-crt-.exe	netsh.exe
PID 1572 wrote to memory of 932	1572	win-crt-.exe	netsh.exe
PID 1572 wrote to memory of 868	1572	win-crt-.exe	WScript.exe
PID 1572 wrote to memory of 868	1572	win-crt-.exe	WScript.exe
PID 1572 wrote to memory of 868	1572	win-crt-.exe	WScript.exe
PID 1572 wrote to memory of 868	1572	win-crt-.exe	WScript.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe

C:\Users\Admin\AppData\Local\Temp\f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
"C:\Users\Admin\AppData\Local\Temp\f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
"C:\Users\Admin\AppData\Local\Temp\f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe"
2⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1188

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
3⤵
- Modifies Windows Firewall
PID:1076

C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\win-crt-.exe
"C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\win-crt-.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288

C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\win-crt-.exe
"C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\win-crt-.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
5⤵
- Modifies Windows Firewall
PID:932

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\pxmBOUv.vbs"
5⤵
PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\.{1e69ee4b-0de4-3437-8433-efecf940be05}\1e69ee4b0de434378433efecf940be05

Filesize
43B

MD5
3ac06c74d26cfdc7681cb83101430c10

SHA1
a370f9ad9c599b3b12ba579097a8cc1268ee8779

SHA256
7ae9348ff0696ea0aef18326580ac1098f8ea7885c621c40ac00aafcf8fb5e2c

SHA512
639059cd4ce4cf744fa83be2f60ef59ba1f4909ba80dd4796d47bc437b3391b4b316627cd79a1ad1129f760c60f41dd5228990dde12dea4e135ecc207f4e3a96

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\win-crt-.exe

Filesize
700KB

MD5
4d54b1b6b2eca2398045edc72ad2584c

SHA1
930452dfa938fba49346086d137c653ad0919f04

SHA256
f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81

SHA512
719c4d09b16ca13eb2e167db1f968db9b7c6f85e165834215557adc2c3924eb073d2a2c427243bf148927a00c6db131ca486022a00388c6c5b6ee18c763f8b9d

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\win-crt-.exe

Filesize
700KB

MD5
4d54b1b6b2eca2398045edc72ad2584c

SHA1
930452dfa938fba49346086d137c653ad0919f04

SHA256
f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81

SHA512
719c4d09b16ca13eb2e167db1f968db9b7c6f85e165834215557adc2c3924eb073d2a2c427243bf148927a00c6db131ca486022a00388c6c5b6ee18c763f8b9d

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\win-crt-.exe

Filesize
700KB

MD5
4d54b1b6b2eca2398045edc72ad2584c

SHA1
930452dfa938fba49346086d137c653ad0919f04

SHA256
f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81

SHA512
719c4d09b16ca13eb2e167db1f968db9b7c6f85e165834215557adc2c3924eb073d2a2c427243bf148927a00c6db131ca486022a00388c6c5b6ee18c763f8b9d

Download Submit
C:\ProgramData\pxmBOUv.vbs

Filesize
683B

MD5
fa0b09b34743539733a18ad43486d830

SHA1
a3bda6a4479e25877b672c0f241006d23aa37f38

SHA256
8e2a821525a8821ec410f111f7ca9bb14b04dbf91cb0fe2c7da0381397df814b

SHA512
c5a87831aef5d0924c886cbb8ac15cb2cba1c4c0459bb947744e08e9462e8a2deb2a70196ae168af84e5358725f758a72aa5a523a95ab112298a6b2f0336f6c2

Download Submit
\ProgramData\3cfdec86b2da3c13a849930b80390b04\win-crt-.exe

Filesize
700KB

MD5
4d54b1b6b2eca2398045edc72ad2584c

SHA1
930452dfa938fba49346086d137c653ad0919f04

SHA256
f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81

SHA512
719c4d09b16ca13eb2e167db1f968db9b7c6f85e165834215557adc2c3924eb073d2a2c427243bf148927a00c6db131ca486022a00388c6c5b6ee18c763f8b9d

Download Submit
\ProgramData\3cfdec86b2da3c13a849930b80390b04\win-crt-.exe

Filesize
700KB

MD5
4d54b1b6b2eca2398045edc72ad2584c

SHA1
930452dfa938fba49346086d137c653ad0919f04

SHA256
f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81

SHA512
719c4d09b16ca13eb2e167db1f968db9b7c6f85e165834215557adc2c3924eb073d2a2c427243bf148927a00c6db131ca486022a00388c6c5b6ee18c763f8b9d

Download Submit
memory/868-96-0x0000000000000000-mapping.dmp

Download
memory/932-93-0x0000000000000000-mapping.dmp

Download
memory/1008-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1008-67-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1076-69-0x0000000000000000-mapping.dmp

Download
memory/1188-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1188-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1188-61-0x000000000041750A-mapping.dmp

Download
memory/1188-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1188-68-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1188-77-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1188-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1188-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1188-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1188-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1288-87-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1288-73-0x0000000000000000-mapping.dmp

Download
memory/1572-84-0x000000000041750A-mapping.dmp

Download
memory/1572-94-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/1572-99-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads