f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81

General

Target

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
Size

700KB
MD5

4d54b1b6b2eca2398045edc72ad2584c
SHA1

930452dfa938fba49346086d137c653ad0919f04
SHA256

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81
SHA512

719c4d09b16ca13eb2e167db1f968db9b7c6f85e165834215557adc2c3924eb073d2a2c427243bf148927a00c6db131ca486022a00388c6c5b6ee18c763f8b9d
SSDEEP

12288:dM9YxCEHsfcdN9l7IpcD9fR1f36tv4g8PcOUBimJl7CyZv6Xi:aEBsUT9JP8w7ECyZvk

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe

Executes dropped EXE 2 IoCs

Processes:

dgeStorIutk.exedgeStorIutk.exe

pid process

1132 dgeStorIutk.exe
216 dgeStorIutk.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1668 netsh.exe
4952 netsh.exe

pid	process
1132	dgeStorIutk.exe
216	dgeStorIutk.exe

pid	process
1668	netsh.exe
4952	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exedgeStorIutk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dgeStorIutk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dgeStorIutk = "C:\\ProgramData\\3cfdec86b2da3c13a849930b80390b04\\dgeStorIutk.exe"	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 bot.whatismyipaddress.com

flow	ioc
28	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exedgeStorIutk.exe

description	pid	process	target process
PID 4788 set thread context of 552	4788	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 1132 set thread context of 216	1132	dgeStorIutk.exe	dgeStorIutk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

dgeStorIutk.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings dgeStorIutk.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exedgeStorIutk.exe

pid process

552 f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
216 dgeStorIutk.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	dgeStorIutk.exe

pid	process
552	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
216	dgeStorIutk.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exef7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exedgeStorIutk.exedgeStorIutk.exe

description	pid	process
Token: SeDebugPrivilege	4788	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
Token: SeDebugPrivilege	552	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
Token: SeDebugPrivilege	552	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
Token: SeDebugPrivilege	552	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
Token: SeDebugPrivilege	1132	dgeStorIutk.exe
Token: SeDebugPrivilege	216	dgeStorIutk.exe
Token: SeDebugPrivilege	216	dgeStorIutk.exe
Token: SeDebugPrivilege	216	dgeStorIutk.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exef7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exedgeStorIutk.exedgeStorIutk.exe

description	pid	process	target process
PID 4788 wrote to memory of 552	4788	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 4788 wrote to memory of 552	4788	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 4788 wrote to memory of 552	4788	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 4788 wrote to memory of 552	4788	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 4788 wrote to memory of 552	4788	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 4788 wrote to memory of 552	4788	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 4788 wrote to memory of 552	4788	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 4788 wrote to memory of 552	4788	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
PID 552 wrote to memory of 1668	552	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	netsh.exe
PID 552 wrote to memory of 1668	552	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	netsh.exe
PID 552 wrote to memory of 1668	552	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	netsh.exe
PID 552 wrote to memory of 1132	552	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	dgeStorIutk.exe
PID 552 wrote to memory of 1132	552	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	dgeStorIutk.exe
PID 552 wrote to memory of 1132	552	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe	dgeStorIutk.exe
PID 1132 wrote to memory of 216	1132	dgeStorIutk.exe	dgeStorIutk.exe
PID 1132 wrote to memory of 216	1132	dgeStorIutk.exe	dgeStorIutk.exe
PID 1132 wrote to memory of 216	1132	dgeStorIutk.exe	dgeStorIutk.exe
PID 1132 wrote to memory of 216	1132	dgeStorIutk.exe	dgeStorIutk.exe
PID 1132 wrote to memory of 216	1132	dgeStorIutk.exe	dgeStorIutk.exe
PID 1132 wrote to memory of 216	1132	dgeStorIutk.exe	dgeStorIutk.exe
PID 1132 wrote to memory of 216	1132	dgeStorIutk.exe	dgeStorIutk.exe
PID 1132 wrote to memory of 216	1132	dgeStorIutk.exe	dgeStorIutk.exe
PID 216 wrote to memory of 4952	216	dgeStorIutk.exe	netsh.exe
PID 216 wrote to memory of 4952	216	dgeStorIutk.exe	netsh.exe
PID 216 wrote to memory of 4952	216	dgeStorIutk.exe	netsh.exe
PID 216 wrote to memory of 3784	216	dgeStorIutk.exe	WScript.exe
PID 216 wrote to memory of 3784	216	dgeStorIutk.exe	WScript.exe
PID 216 wrote to memory of 3784	216	dgeStorIutk.exe	WScript.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe

C:\Users\Admin\AppData\Local\Temp\f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
"C:\Users\Admin\AppData\Local\Temp\f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788

C:\Users\Admin\AppData\Local\Temp\f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe
"C:\Users\Admin\AppData\Local\Temp\f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81.exe"
2⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:552

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
3⤵
- Modifies Windows Firewall
PID:1668

C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\dgeStorIutk.exe
"C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\dgeStorIutk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132

C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\dgeStorIutk.exe
"C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\dgeStorIutk.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
5⤵
- Modifies Windows Firewall
PID:4952

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\CQUenmy.vbs"
5⤵
PID:3784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\.{1e69ee4b-0de4-3437-8433-efecf940be05}\1e69ee4b0de434378433efecf940be05

Filesize
43B

MD5
d7b98eaae0693864276226a61f7a70e6

SHA1
3e015ac4b41ab9203d0cf9c0ae1b557008db24b8

SHA256
7f154bccef919641bd8f82d23890441c6020bcfcc1b8361b2e7cc3e952dc7aad

SHA512
3ba6947338c27fac918a2455d1d60d787a137ac3a01043c8dcca39677dd2da4c7ca8156e9823f852ae3178ff2006ff3a80b0a00853f9d1b22a19b5b69e40843d

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\dgeStorIutk.exe

Filesize
700KB

MD5
4d54b1b6b2eca2398045edc72ad2584c

SHA1
930452dfa938fba49346086d137c653ad0919f04

SHA256
f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81

SHA512
719c4d09b16ca13eb2e167db1f968db9b7c6f85e165834215557adc2c3924eb073d2a2c427243bf148927a00c6db131ca486022a00388c6c5b6ee18c763f8b9d

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\dgeStorIutk.exe

Filesize
700KB

MD5
4d54b1b6b2eca2398045edc72ad2584c

SHA1
930452dfa938fba49346086d137c653ad0919f04

SHA256
f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81

SHA512
719c4d09b16ca13eb2e167db1f968db9b7c6f85e165834215557adc2c3924eb073d2a2c427243bf148927a00c6db131ca486022a00388c6c5b6ee18c763f8b9d

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\dgeStorIutk.exe

Filesize
700KB

MD5
4d54b1b6b2eca2398045edc72ad2584c

SHA1
930452dfa938fba49346086d137c653ad0919f04

SHA256
f7e8dd116279e1dc26a87d485293de70c1bb87ced53b06d254c9f1bc7bab1f81

SHA512
719c4d09b16ca13eb2e167db1f968db9b7c6f85e165834215557adc2c3924eb073d2a2c427243bf148927a00c6db131ca486022a00388c6c5b6ee18c763f8b9d

Download Submit
C:\ProgramData\CQUenmy.vbs

Filesize
685B

MD5
ab6753d3589d321dc98abad5dd2df62a

SHA1
926834db60daecc4f1c0b6b43d070da454bc68a9

SHA256
169bc1dbcf4bbbf1bf902a5728b82112402a993c82153cca504c0479f00b66bd

SHA512
1ec0edb9082b39646c1edfc53b3b9e19b6cd290522558d7d6d7ad57e0cf2dccc9352b7053c0e098d616a9ad88aa389f52d2e317f056d0467bb51472ebc43d3b2

Download Submit
memory/216-153-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/216-149-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/216-144-0x0000000000000000-mapping.dmp

Download
memory/552-137-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/552-142-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/552-136-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/552-134-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/552-133-0x0000000000000000-mapping.dmp

Download
memory/1132-139-0x0000000000000000-mapping.dmp

Download
memory/1132-143-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/1132-147-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/1668-138-0x0000000000000000-mapping.dmp

Download
memory/3784-151-0x0000000000000000-mapping.dmp

Download
memory/4788-132-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/4788-135-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/4952-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads