294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780

General

Target

294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
Size

120KB
MD5

78be10af1c9afa25c91950f3dd178ab4
SHA1

56f565846b5eb77e7edc1473f0b8113b958a5c8f
SHA256

294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780
SHA512

1be263f9629ed8f46ff54ec600780d9cc25086ab2dddfff4d28909eb7fab8e84b5e89ea7b1322303f4f202fd448f2a065067fc7265a0678a27a6f599fe40dd1c
SSDEEP

3072:FrGsyN4JR+uvNs1z2ty21H3rZYi91DbVNKv9D:FYOys3rCinDZw

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe

Executes dropped EXE 1 IoCs

Processes:

xiDSMlpro.exe

pid process

1996 xiDSMlpro.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

980 netsh.exe
320 netsh.exe
Loads dropped DLL 1 IoCs

Processes:

294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe

pid process

1620 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe

pid	process
1996	xiDSMlpro.exe

pid	process
980	netsh.exe
320	netsh.exe

pid	process
1620	294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xiDSMlpro = "C:\\ProgramData\\e015724145fa328f840ff71950e4e97e\\xiDSMlpro.exe"	294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 bot.whatismyipaddress.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exexiDSMlpro.exe

pid process

1620 294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
1996 xiDSMlpro.exe

flow	ioc
4	bot.whatismyipaddress.com

pid	process
1620	294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
1996	xiDSMlpro.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exexiDSMlpro.exe

description	pid	process
Token: SeDebugPrivilege	1620	294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
Token: SeDebugPrivilege	1620	294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
Token: SeDebugPrivilege	1620	294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
Token: SeDebugPrivilege	1996	xiDSMlpro.exe
Token: SeDebugPrivilege	1996	xiDSMlpro.exe
Token: SeDebugPrivilege	1996	xiDSMlpro.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exexiDSMlpro.exe

description	pid	process	target process
PID 1620 wrote to memory of 980	1620	294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe	netsh.exe
PID 1620 wrote to memory of 980	1620	294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe	netsh.exe
PID 1620 wrote to memory of 980	1620	294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe	netsh.exe
PID 1620 wrote to memory of 980	1620	294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe	netsh.exe
PID 1620 wrote to memory of 1996	1620	294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe	xiDSMlpro.exe
PID 1620 wrote to memory of 1996	1620	294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe	xiDSMlpro.exe
PID 1620 wrote to memory of 1996	1620	294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe	xiDSMlpro.exe
PID 1620 wrote to memory of 1996	1620	294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe	xiDSMlpro.exe
PID 1996 wrote to memory of 320	1996	xiDSMlpro.exe	netsh.exe
PID 1996 wrote to memory of 320	1996	xiDSMlpro.exe	netsh.exe
PID 1996 wrote to memory of 320	1996	xiDSMlpro.exe	netsh.exe
PID 1996 wrote to memory of 320	1996	xiDSMlpro.exe	netsh.exe
PID 1996 wrote to memory of 696	1996	xiDSMlpro.exe	WScript.exe
PID 1996 wrote to memory of 696	1996	xiDSMlpro.exe	WScript.exe
PID 1996 wrote to memory of 696	1996	xiDSMlpro.exe	WScript.exe
PID 1996 wrote to memory of 696	1996	xiDSMlpro.exe	WScript.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe

C:\Users\Admin\AppData\Local\Temp\294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe
"C:\Users\Admin\AppData\Local\Temp\294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1620

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
2⤵
- Modifies Windows Firewall
PID:980

C:\ProgramData\e015724145fa328f840ff71950e4e97e\xiDSMlpro.exe
"C:\ProgramData\e015724145fa328f840ff71950e4e97e\xiDSMlpro.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
3⤵
- Modifies Windows Firewall
PID:320

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\QycColt.vbs"
3⤵
PID:696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\.{7e16feb9-fead-31b3-a3bc-d6c2a2e1225e}\7e16feb9fead31b3a3bcd6c2a2e1225e

Filesize
43B

MD5
bd8ae893328f2ee5fc449a0e24268cb6

SHA1
05d08e36a1bf82e1ddbf28292872ad83f0eabe6d

SHA256
97b41eb50ffb74d66d5a07fd497c91d3ecd13df5d6b70a9d1a0a1be448b44ab5

SHA512
90c12df948424797052532709beabeef1a13899b09ff551083509241487f8f03083af8e59936faa551013c516430401509ea18f20ff467a590f47d9b402acd29

Download Submit
C:\ProgramData\QycColt.vbs

Filesize
684B

MD5
487cf6cbb4564d3c8f0f37af8b3b68a2

SHA1
4961e1b5d1e6a2ce57e84acfa1a954c861851e71

SHA256
96933a2572ceef85dbcaf94700395016941f70d33102e1b03ab933d6c22c3bc7

SHA512
e0bf3f483aa0b46e8989404bf8010ce1eb93ec905d365ca9c0fb2a2db90f382f8af4118e2223b6ca7f200e7f26218f1a51c1b16dca9efcff59fb8e5051aa3daf

Download Submit
C:\ProgramData\e015724145fa328f840ff71950e4e97e\xiDSMlpro.exe

Filesize
120KB

MD5
78be10af1c9afa25c91950f3dd178ab4

SHA1
56f565846b5eb77e7edc1473f0b8113b958a5c8f

SHA256
294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780

SHA512
1be263f9629ed8f46ff54ec600780d9cc25086ab2dddfff4d28909eb7fab8e84b5e89ea7b1322303f4f202fd448f2a065067fc7265a0678a27a6f599fe40dd1c

Download Submit
C:\ProgramData\e015724145fa328f840ff71950e4e97e\xiDSMlpro.exe

Filesize
120KB

MD5
78be10af1c9afa25c91950f3dd178ab4

SHA1
56f565846b5eb77e7edc1473f0b8113b958a5c8f

SHA256
294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780

SHA512
1be263f9629ed8f46ff54ec600780d9cc25086ab2dddfff4d28909eb7fab8e84b5e89ea7b1322303f4f202fd448f2a065067fc7265a0678a27a6f599fe40dd1c

Download Submit
\ProgramData\e015724145fa328f840ff71950e4e97e\xiDSMlpro.exe

Filesize
120KB

MD5
78be10af1c9afa25c91950f3dd178ab4

SHA1
56f565846b5eb77e7edc1473f0b8113b958a5c8f

SHA256
294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780

SHA512
1be263f9629ed8f46ff54ec600780d9cc25086ab2dddfff4d28909eb7fab8e84b5e89ea7b1322303f4f202fd448f2a065067fc7265a0678a27a6f599fe40dd1c

Download Submit
memory/320-65-0x0000000000000000-mapping.dmp

Download
memory/696-67-0x0000000000000000-mapping.dmp

Download
memory/980-56-0x0000000000000000-mapping.dmp

Download
memory/1620-63-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1620-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1620-55-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-59-0x0000000000000000-mapping.dmp

Download
memory/1996-70-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-71-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads