892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5

General

Target

892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
Size

3.2MB
MD5

b7a3810e62d2154b356267f64746d0cb
SHA1

f80e3f795beb0003c38d5dfc0544f0a677f01c6e
SHA256

892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5
SHA512

11594d377ee238d365c4250842ed51750abd8369e592bf34f0ec1b166f273f68733716b6f9d0f494d6bf27205dbf1b38a46fb833078383862c30649d8f1c989d
SSDEEP

98304:HityitqjVG2Dj8eGp3FjnANhDB8bdeZZu26mSUstHJii:HTFj8jp3FjAvOe4fmcpj

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Executes dropped EXE 1 IoCs

Processes:

kill.exe

pid process

940 kill.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\kill.exe	upx
behavioral1/memory/940-61-0x0000000000400000-0x00000000006B4000-memory.dmp	upx
behavioral1/memory/940-62-0x0000000000400000-0x00000000006B4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchosts = "C:\\Windows\\System32\\svchosts.exe"	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\System32\\svchosts.exe"	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe

Drops file in System32 directory 2 IoCs

Processes:

892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe

description	ioc	process
File created	C:\Windows\SysWOW64\svchosts.exe	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

916 reg.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe

pid process

1352 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

kill.exe

description pid process

Token: SeShutdownPrivilege 940 kill.exe

pid	process
916	reg.exe

pid	process
1352	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe

description	pid	process
Token: SeShutdownPrivilege	940	kill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

kill.exe892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe

pid	process
940	kill.exe
940	kill.exe
1352	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
1352	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.execmd.exe

description	pid	process	target process
PID 1352 wrote to memory of 940	1352	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe	kill.exe
PID 1352 wrote to memory of 940	1352	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe	kill.exe
PID 1352 wrote to memory of 940	1352	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe	kill.exe
PID 1352 wrote to memory of 940	1352	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe	kill.exe
PID 1352 wrote to memory of 1400	1352	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe	cmd.exe
PID 1352 wrote to memory of 1400	1352	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe	cmd.exe
PID 1352 wrote to memory of 1400	1352	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe	cmd.exe
PID 1352 wrote to memory of 1400	1352	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe	cmd.exe
PID 1400 wrote to memory of 916	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 916	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 916	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 916	1400	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
"C:\Users\Admin\AppData\Local\Temp\892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352

\??\c:\kill.exe
c:\kill.exe /nogui c:\kill.txt
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- Modifies registry key
PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\kill.exe
Filesize
714KB

MD5
30f3680e007d924960fd65524de36601

SHA1
23f1e67e28052188432d2031335a79cb5ae72a8f

SHA256
6485271fe48f7be4cb49735c60fa4cf2ff52f235e2b24bfba22df6ea75fda1d7

SHA512
33323b60353430962ef0e07dd166625ae8cb1d2080f75859d35cf0c807d146ccd7272feef37ebbe8ce77f988658ef0dee6602f9b1bcf429cd0c1898862b5091a

Download Submit
\??\c:\kill.txt
Filesize
2KB

MD5
cea2b4fcf88300dfe8bcb5ca0ae763b1

SHA1
07a03da97fce66eca11f164e6c327510dbed0c34

SHA256
a92290ff7c8b37d014692b98468701dca658bba1de0fe85d6e57cdc75bd81dcd

SHA512
ff1503eb33850e201146a402bf528a92b1b13a8df276ed2beea4c73a0017a4622d88ead0a5cdafaffc89b91f6fb5eeef9ca2a4d79411ab9d5db5d4086f39d213

Download Submit
memory/916-64-0x0000000000000000-mapping.dmp

Download
memory/940-56-0x0000000000000000-mapping.dmp

Download
memory/940-58-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/940-61-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/940-62-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/1352-54-0x0000000000400000-0x0000000001FB4000-memory.dmp

Filesize
27.7MB

Download
memory/1352-55-0x0000000000400000-0x0000000001FB4000-memory.dmp

Filesize
27.7MB

Download
memory/1352-60-0x0000000004880000-0x0000000004B34000-memory.dmp

Filesize
2.7MB

Download
memory/1352-66-0x0000000004880000-0x0000000004B34000-memory.dmp

Filesize
2.7MB

Download
memory/1400-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads