63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5

General

Target

63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe
Size

4.4MB
MD5

2ab405c0e1a9dd350cbc1493f292e1e3
SHA1

dbda5a6cd08197da7611797f80a19965e8b58b2d
SHA256

63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5
SHA512

e8305eb7e0614e14330d86371a637f984f92537f7fadef8a2a0d42749a03c7da7ec3e4c2b65330df2601bec23e9de9c71f38c99db3a1d068d98a7b8b143096e9
SSDEEP

98304:wmzbauQbhI5m0yR1qZiB5CFFxsyHL3hpPf7MZjkklsCJ:BatbhI5m0yiFyGLr37Gjk4J

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\System32\\avg.exe"	63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe

Drops file in System32 directory 2 IoCs

Processes:

63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe

description	ioc	process
File created	C:\WINDOWS\SysWOW64\DNT.SYS	63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe
File created	C:\Windows\SysWOW64\avg.exe	63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1176 1752 WerFault.exe 63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

468 reg.exe

pid	pid_target	process	target process
1176	1752	WerFault.exe	63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe

pid	process
468	reg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe

pid	process
1752	63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe
1752	63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.execmd.exe

description	pid	process	target process
PID 1752 wrote to memory of 1544	1752	63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe	cmd.exe
PID 1752 wrote to memory of 1544	1752	63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe	cmd.exe
PID 1752 wrote to memory of 1544	1752	63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe	cmd.exe
PID 1752 wrote to memory of 1544	1752	63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe	cmd.exe
PID 1544 wrote to memory of 468	1544	cmd.exe	reg.exe
PID 1544 wrote to memory of 468	1544	cmd.exe	reg.exe
PID 1544 wrote to memory of 468	1544	cmd.exe	reg.exe
PID 1544 wrote to memory of 468	1544	cmd.exe	reg.exe
PID 1752 wrote to memory of 1176	1752	63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe	WerFault.exe
PID 1752 wrote to memory of 1176	1752	63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe	WerFault.exe
PID 1752 wrote to memory of 1176	1752	63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe	WerFault.exe
PID 1752 wrote to memory of 1176	1752	63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe
"C:\Users\Admin\AppData\Local\Temp\63fb4a422c9fbcd312706a7f1dfe3ba2bc538a9a2d7757cdc95f8780289ce2f5.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- Modifies registry key
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 576
2⤵
- Program crash
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/468-85-0x0000000000000000-mapping.dmp

Download
memory/1176-86-0x0000000000000000-mapping.dmp

Download
memory/1544-84-0x0000000000000000-mapping.dmp

Download
memory/1752-70-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download
memory/1752-55-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1752-62-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1752-61-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1752-60-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1752-59-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1752-76-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download
memory/1752-64-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download
memory/1752-65-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download
memory/1752-66-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download
memory/1752-67-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download
memory/1752-68-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download
memory/1752-69-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download
memory/1752-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1752-88-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1752-56-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1752-63-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download
memory/1752-75-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download
memory/1752-74-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download
memory/1752-73-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download
memory/1752-77-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download
memory/1752-78-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download
memory/1752-79-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download
memory/1752-80-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download
memory/1752-81-0x0000000000400000-0x00000000024AB000-memory.dmp

Filesize
32.7MB

Download
memory/1752-82-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1752-83-0x0000000000400000-0x00000000024AB000-memory.dmp

Filesize
32.7MB

Download
memory/1752-57-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1752-58-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1752-72-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download
memory/1752-87-0x0000000000400000-0x00000000024AB000-memory.dmp

Filesize
32.7MB

Download
memory/1752-71-0x00000000004FA000-0x00000000004FCA00-memory.dmp

Filesize
10KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads