0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9

General

Target

0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe
Size

96KB
MD5

44263a40c05bd699278669879bc48400
SHA1

ad63fbe8a0574618fe054ad5af736c0e1f307d57
SHA256

0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9
SHA512

3606aae76d1f9a6957f5abbdcecf0c20371297af5276163cb90759eb1e5d4942ff910d6f852ab6e9fe967af4f3dce54db0706c7644095f152489fcb96db534f3
SSDEEP

1536:eLHM8BA4FC1uuo3pRGtqcyNl9kJw0w0WxIC98m4v0Omt7clhPiacslt35GWNps:x8/3pYaNMJw0JWxIC9Y7Pcslt35HN6

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

Drops file in System32 directory 2 IoCs

Processes:

0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wscntfy.exe	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe
File opened for modification	C:\Windows\SysWOW64\wscntfy.exe	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer Phishing Filter 1 TTPs 4 IoCs

Modify Registry

T1112

Processes:

0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\PhishingFilter	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PhishingFilter	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 1704 shutdown.exe
Token: SeRemoteShutdownPrivilege 1704 shutdown.exe

description	pid	process
Token: SeShutdownPrivilege	1704	shutdown.exe
Token: SeRemoteShutdownPrivilege	1704	shutdown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

pid	process
4848	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe
4848	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

description	pid	process	target process
PID 4848 wrote to memory of 1704	4848	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe	shutdown.exe
PID 4848 wrote to memory of 1704	4848	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe	shutdown.exe
PID 4848 wrote to memory of 1704	4848	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe	shutdown.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe

C:\Users\Admin\AppData\Local\Temp\0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe
"C:\Users\Admin\AppData\Local\Temp\0f7fd979073bae9a08c0dad21fa4408e1ff83b4ea8d6cc1178d5f03db44d85b9.exe"
1⤵
- Modifies firewall policy service
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer Phishing Filter
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4848