b34c73178ecf7b16feb87e7ca211a6edf07f11622ed093e9580ae79240b6d2bb

General

Target

b34c73178ecf7b16feb87e7ca211a6edf07f11622ed093e9580ae79240b6d2bb.exe
Size

28KB
MD5

2a3827d7c6831d8c8d23f3657ce93ff1
SHA1

a0f7b8b198c6d477e45f89efbcb13d18d63bc370
SHA256

b34c73178ecf7b16feb87e7ca211a6edf07f11622ed093e9580ae79240b6d2bb
SHA512

044aeb14f570d875c59211baecad09808acd0a6a4532429eb9f4d39fdf790ebc37241dda21ba38717271b427456f0c9c6d54ba23bb3dd8484d7be527183505c1
SSDEEP

192:8eM4p2ULqHtLS0p9U4J2MjGls5l4W+6OfMSs5nu1Xw0zsE9UP1oyntcyD:V57Qt2bq285l4dMSs5u1RX961l

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1676	indax.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2032	netsh.exe
560	netsh.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\indax.exe	b34c73178ecf7b16feb87e7ca211a6edf07f11622ed093e9580ae79240b6d2bb.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2032	2028	b34c73178ecf7b16feb87e7ca211a6edf07f11622ed093e9580ae79240b6d2bb.exe	28
PID 2028 wrote to memory of 2032	2028	b34c73178ecf7b16feb87e7ca211a6edf07f11622ed093e9580ae79240b6d2bb.exe	28
PID 2028 wrote to memory of 2032	2028	b34c73178ecf7b16feb87e7ca211a6edf07f11622ed093e9580ae79240b6d2bb.exe	28
PID 2028 wrote to memory of 2032	2028	b34c73178ecf7b16feb87e7ca211a6edf07f11622ed093e9580ae79240b6d2bb.exe	28
PID 1676 wrote to memory of 560	1676	indax.exe	31
PID 1676 wrote to memory of 560	1676	indax.exe	31
PID 1676 wrote to memory of 560	1676	indax.exe	31
PID 1676 wrote to memory of 560	1676	indax.exe	31

C:\Users\Admin\AppData\Local\Temp\b34c73178ecf7b16feb87e7ca211a6edf07f11622ed093e9580ae79240b6d2bb.exe
"C:\Users\Admin\AppData\Local\Temp\b34c73178ecf7b16feb87e7ca211a6edf07f11622ed093e9580ae79240b6d2bb.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set portopening TCP 219 \"Multimedia Object Scheduler\"
  2⤵
  - Modifies Windows Firewall
  PID:2032

C:\Windows\SysWOW64\indax.exe
C:\Windows\SysWOW64\indax.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set portopening TCP 219 \"Multimedia Object Scheduler\"
  2⤵
  - Modifies Windows Firewall
  - Modifies data under HKEY_USERS
  PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\indax.exe

Filesize
28KB

MD5
2a3827d7c6831d8c8d23f3657ce93ff1

SHA1
a0f7b8b198c6d477e45f89efbcb13d18d63bc370

SHA256
b34c73178ecf7b16feb87e7ca211a6edf07f11622ed093e9580ae79240b6d2bb

SHA512
044aeb14f570d875c59211baecad09808acd0a6a4532429eb9f4d39fdf790ebc37241dda21ba38717271b427456f0c9c6d54ba23bb3dd8484d7be527183505c1

Download Submit
memory/2032-57-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing