57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782

General

Target

57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
Size

128KB
MD5

d20e0e26842b882571f015846dce7654
SHA1

020b852d40700cbf6c151f8169c7cef8fb9fe263
SHA256

57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782
SHA512

7261c54db52f093be69850c821dedfedf3c2b607b9eefe4bf686c6a966389fa7621463c9ccd4a108cadc31f6d641ca04ad4a565f0648abe11e1779718250e616
SSDEEP

3072:j91MOvFFVxIs2EanGPBXGCPFCW/S7Eoatr1ao0+A6EeOQ2swbij:3xBCUbao08Eev

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe

Executes dropped EXE 2 IoCs

Processes:

c1C_2Ept.exec1C_2Ept.exe

pid process

1296 c1C_2Ept.exe
1748 c1C_2Ept.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1288 netsh.exe
1928 netsh.exe

pid	process
1296	c1C_2Ept.exe
1748	c1C_2Ept.exe

pid	process
1288	netsh.exe
1928	netsh.exe

Loads dropped DLL 2 IoCs

Processes:

57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe

pid	process
1720	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
1720	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\c1C_2Ept = "C:\\ProgramData\\3cfdec86b2da3c13a849930b80390b04\\c1C_2Ept.exe"	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 bot.whatismyipaddress.com

flow	ioc
5	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exec1C_2Ept.exe

description	pid	process	target process
PID 844 set thread context of 1720	844	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
PID 1296 set thread context of 1748	1296	c1C_2Ept.exe	c1C_2Ept.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exec1C_2Ept.exe

pid process

1720 57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
1748 c1C_2Ept.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exec1C_2Ept.exec1C_2Ept.exe

description	pid	process
Token: SeDebugPrivilege	844	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
Token: SeDebugPrivilege	1720	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
Token: SeDebugPrivilege	1720	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
Token: SeDebugPrivilege	1720	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
Token: SeDebugPrivilege	1296	c1C_2Ept.exe
Token: SeDebugPrivilege	1748	c1C_2Ept.exe
Token: SeDebugPrivilege	1748	c1C_2Ept.exe
Token: SeDebugPrivilege	1748	c1C_2Ept.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exec1C_2Ept.exec1C_2Ept.exe

description	pid	process	target process
PID 844 wrote to memory of 1720	844	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
PID 844 wrote to memory of 1720	844	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
PID 844 wrote to memory of 1720	844	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
PID 844 wrote to memory of 1720	844	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
PID 844 wrote to memory of 1720	844	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
PID 844 wrote to memory of 1720	844	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
PID 844 wrote to memory of 1720	844	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
PID 844 wrote to memory of 1720	844	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
PID 844 wrote to memory of 1720	844	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
PID 1720 wrote to memory of 1288	1720	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	netsh.exe
PID 1720 wrote to memory of 1288	1720	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	netsh.exe
PID 1720 wrote to memory of 1288	1720	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	netsh.exe
PID 1720 wrote to memory of 1288	1720	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	netsh.exe
PID 1720 wrote to memory of 1296	1720	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	c1C_2Ept.exe
PID 1720 wrote to memory of 1296	1720	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	c1C_2Ept.exe
PID 1720 wrote to memory of 1296	1720	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	c1C_2Ept.exe
PID 1720 wrote to memory of 1296	1720	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe	c1C_2Ept.exe
PID 1296 wrote to memory of 1748	1296	c1C_2Ept.exe	c1C_2Ept.exe
PID 1296 wrote to memory of 1748	1296	c1C_2Ept.exe	c1C_2Ept.exe
PID 1296 wrote to memory of 1748	1296	c1C_2Ept.exe	c1C_2Ept.exe
PID 1296 wrote to memory of 1748	1296	c1C_2Ept.exe	c1C_2Ept.exe
PID 1296 wrote to memory of 1748	1296	c1C_2Ept.exe	c1C_2Ept.exe
PID 1296 wrote to memory of 1748	1296	c1C_2Ept.exe	c1C_2Ept.exe
PID 1296 wrote to memory of 1748	1296	c1C_2Ept.exe	c1C_2Ept.exe
PID 1296 wrote to memory of 1748	1296	c1C_2Ept.exe	c1C_2Ept.exe
PID 1296 wrote to memory of 1748	1296	c1C_2Ept.exe	c1C_2Ept.exe
PID 1748 wrote to memory of 1928	1748	c1C_2Ept.exe	netsh.exe
PID 1748 wrote to memory of 1928	1748	c1C_2Ept.exe	netsh.exe
PID 1748 wrote to memory of 1928	1748	c1C_2Ept.exe	netsh.exe
PID 1748 wrote to memory of 1928	1748	c1C_2Ept.exe	netsh.exe
PID 1748 wrote to memory of 332	1748	c1C_2Ept.exe	WScript.exe
PID 1748 wrote to memory of 332	1748	c1C_2Ept.exe	WScript.exe
PID 1748 wrote to memory of 332	1748	c1C_2Ept.exe	WScript.exe
PID 1748 wrote to memory of 332	1748	c1C_2Ept.exe	WScript.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe

C:\Users\Admin\AppData\Local\Temp\57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
"C:\Users\Admin\AppData\Local\Temp\57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Local\Temp\57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe
"C:\Users\Admin\AppData\Local\Temp\57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782.exe"
2⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1720

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
3⤵
- Modifies Windows Firewall
PID:1288

C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\c1C_2Ept.exe
"C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\c1C_2Ept.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296

C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\c1C_2Ept.exe
"C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\c1C_2Ept.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
5⤵
- Modifies Windows Firewall
PID:1928

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\sAmCYqY.vbs"
5⤵
PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\.{1e69ee4b-0de4-3437-8433-efecf940be05}\1e69ee4b0de434378433efecf940be05

Filesize
43B

MD5
5f71d88e3eaac4c54a116fdd9ba8d2fe

SHA1
579732a460571ee67f02129d1f5611167a00c342

SHA256
96c713b1ad781b46f83ede03150f4d629eee22d7d83808a912b7fea401783170

SHA512
0a01895e382e357e51d1f691ea2ea1a254f087bcb4c937a344579ef40097bffae311e24165e4de4198e84dcefe0b8a1d7be3fdd77604665e0e3f5463a33ea078

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\c1C_2Ept.exe

Filesize
128KB

MD5
d20e0e26842b882571f015846dce7654

SHA1
020b852d40700cbf6c151f8169c7cef8fb9fe263

SHA256
57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782

SHA512
7261c54db52f093be69850c821dedfedf3c2b607b9eefe4bf686c6a966389fa7621463c9ccd4a108cadc31f6d641ca04ad4a565f0648abe11e1779718250e616

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\c1C_2Ept.exe

Filesize
128KB

MD5
d20e0e26842b882571f015846dce7654

SHA1
020b852d40700cbf6c151f8169c7cef8fb9fe263

SHA256
57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782

SHA512
7261c54db52f093be69850c821dedfedf3c2b607b9eefe4bf686c6a966389fa7621463c9ccd4a108cadc31f6d641ca04ad4a565f0648abe11e1779718250e616

Download Submit
C:\ProgramData\3cfdec86b2da3c13a849930b80390b04\c1C_2Ept.exe

Filesize
128KB

MD5
d20e0e26842b882571f015846dce7654

SHA1
020b852d40700cbf6c151f8169c7cef8fb9fe263

SHA256
57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782

SHA512
7261c54db52f093be69850c821dedfedf3c2b607b9eefe4bf686c6a966389fa7621463c9ccd4a108cadc31f6d641ca04ad4a565f0648abe11e1779718250e616

Download Submit
C:\ProgramData\sAmCYqY.vbs

Filesize
683B

MD5
dc6b96552041ba5a05a63673efb67f68

SHA1
41f3d12fa08777b2e75ca9cc212cce70e2ea3d16

SHA256
b11e5ae2b3f406412b2cfd18f9fb949019e4b2a4e5314f0c13f20f7a9d7c3ce6

SHA512
80720da6544b5bc85317153c355937524061a8055681ab002f49edab178bccfcb88a557b09afca45d5c6f8298638ee8b62dcac24ea9366436b3b76b4a81aedbc

Download Submit
\ProgramData\3cfdec86b2da3c13a849930b80390b04\c1C_2Ept.exe

Filesize
128KB

MD5
d20e0e26842b882571f015846dce7654

SHA1
020b852d40700cbf6c151f8169c7cef8fb9fe263

SHA256
57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782

SHA512
7261c54db52f093be69850c821dedfedf3c2b607b9eefe4bf686c6a966389fa7621463c9ccd4a108cadc31f6d641ca04ad4a565f0648abe11e1779718250e616

Download Submit
\ProgramData\3cfdec86b2da3c13a849930b80390b04\c1C_2Ept.exe

Filesize
128KB

MD5
d20e0e26842b882571f015846dce7654

SHA1
020b852d40700cbf6c151f8169c7cef8fb9fe263

SHA256
57a8c9097c7028deefbb5b1b628d8001dea0a9134d684f4dc0d63f7de678e782

SHA512
7261c54db52f093be69850c821dedfedf3c2b607b9eefe4bf686c6a966389fa7621463c9ccd4a108cadc31f6d641ca04ad4a565f0648abe11e1779718250e616

Download Submit
memory/332-96-0x0000000000000000-mapping.dmp

Download
memory/844-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/844-67-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1288-69-0x0000000000000000-mapping.dmp

Download
memory/1296-73-0x0000000000000000-mapping.dmp

Download
memory/1296-87-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-61-0x000000000041750A-mapping.dmp

Download
memory/1720-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1720-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1720-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1720-77-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1720-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1720-68-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1720-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1748-95-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/1748-84-0x000000000041750A-mapping.dmp

Download
memory/1748-99-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-93-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads