892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5

General

Target

892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
Size

3.2MB
MD5

b7a3810e62d2154b356267f64746d0cb
SHA1

f80e3f795beb0003c38d5dfc0544f0a677f01c6e
SHA256

892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5
SHA512

11594d377ee238d365c4250842ed51750abd8369e592bf34f0ec1b166f273f68733716b6f9d0f494d6bf27205dbf1b38a46fb833078383862c30649d8f1c989d
SSDEEP

98304:HityitqjVG2Dj8eGp3FjnANhDB8bdeZZu26mSUstHJii:HTFj8jp3FjAvOe4fmcpj

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Executes dropped EXE 1 IoCs

Processes:

kill.exe

pid process

2320 kill.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\kill.exe	upx
\??\c:\kill.exe	upx
behavioral2/memory/2320-136-0x0000000000400000-0x00000000006B4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchosts = "C:\\Windows\\System32\\svchosts.exe"	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\System32\\svchosts.exe"	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe

Drops file in System32 directory 2 IoCs

Processes:

892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe

description	ioc	process
File created	C:\Windows\SysWOW64\svchosts.exe	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

916 reg.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe

pid process

4252 892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe

pid	process
916	reg.exe

pid	process
4252	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

kill.exe892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe

pid	process
2320	kill.exe
2320	kill.exe
4252	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
4252	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.execmd.exe

description	pid	process	target process
PID 4252 wrote to memory of 2320	4252	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe	kill.exe
PID 4252 wrote to memory of 2320	4252	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe	kill.exe
PID 4252 wrote to memory of 2320	4252	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe	kill.exe
PID 4252 wrote to memory of 212	4252	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe	cmd.exe
PID 4252 wrote to memory of 212	4252	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe	cmd.exe
PID 4252 wrote to memory of 212	4252	892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe	cmd.exe
PID 212 wrote to memory of 916	212	cmd.exe	reg.exe
PID 212 wrote to memory of 916	212	cmd.exe	reg.exe
PID 212 wrote to memory of 916	212	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe
"C:\Users\Admin\AppData\Local\Temp\892109f5a0998026fd22f457a8cf84f9e0585e3de8e01b9348dc379938b258b5.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4252

\??\c:\kill.exe
c:\kill.exe /nogui c:\kill.txt
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- Modifies registry key
PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\kill.exe
Filesize
714KB

MD5
30f3680e007d924960fd65524de36601

SHA1
23f1e67e28052188432d2031335a79cb5ae72a8f

SHA256
6485271fe48f7be4cb49735c60fa4cf2ff52f235e2b24bfba22df6ea75fda1d7

SHA512
33323b60353430962ef0e07dd166625ae8cb1d2080f75859d35cf0c807d146ccd7272feef37ebbe8ce77f988658ef0dee6602f9b1bcf429cd0c1898862b5091a

Download Submit
\??\c:\kill.exe
Filesize
714KB

MD5
30f3680e007d924960fd65524de36601

SHA1
23f1e67e28052188432d2031335a79cb5ae72a8f

SHA256
6485271fe48f7be4cb49735c60fa4cf2ff52f235e2b24bfba22df6ea75fda1d7

SHA512
33323b60353430962ef0e07dd166625ae8cb1d2080f75859d35cf0c807d146ccd7272feef37ebbe8ce77f988658ef0dee6602f9b1bcf429cd0c1898862b5091a

Download Submit
memory/212-137-0x0000000000000000-mapping.dmp

Download
memory/916-138-0x0000000000000000-mapping.dmp

Download
memory/2320-133-0x0000000000000000-mapping.dmp

Download
memory/2320-136-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/4252-132-0x0000000000400000-0x0000000001FB4000-memory.dmp

Filesize
27.7MB

Download
memory/4252-139-0x0000000000400000-0x0000000001FB4000-memory.dmp

Filesize
27.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads