c7afe5c89ae9f8e60372cd5c7d50ed1f0700dcf284426eb740d7982fd13484a8

General

Target

c7afe5c89ae9f8e60372cd5c7d50ed1f0700dcf284426eb740d7982fd13484a8.exe
Size

815KB
MD5

3766a64f9e354cb46d33121acafda732
SHA1

8d8cec6a7ce192fb4ef3692b215801c52db5b61b
SHA256

c7afe5c89ae9f8e60372cd5c7d50ed1f0700dcf284426eb740d7982fd13484a8
SHA512

85d15ce494e70daee6e349f950f5c18f7fbb0e860882df4d198347c9375801450e8b7590b000bb1d1e5e0a72a6701eb71e073124d63ca2bcbe69e1eaa2fd1ef1
SSDEEP

12288:3EwIPTZ6eX6DZloK5vP9azwRZYWPC5dO9IpZdj7zSWGPgWaxl9omTLamOAHX:30j2ZloKJQWPUdbSWGPlISmTumOA3

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "9136476"	11.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "2975516"	Lsas.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "9136500"	11.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "2975540"	Lsas.exe

Executes dropped EXE 2 IoCs

pid	Process
1716	11.exe
1480	Lsas.exe

Loads dropped DLL 2 IoCs

pid	Process
1768	c7afe5c89ae9f8e60372cd5c7d50ed1f0700dcf284426eb740d7982fd13484a8.exe
1768	c7afe5c89ae9f8e60372cd5c7d50ed1f0700dcf284426eb740d7982fd13484a8.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "9136500"	11.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "2975540"	Lsas.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winupdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\11.exe"	11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winupdate = "C:\\WINDOWS\\Lsas.exe"	Lsas.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "9136476"	11.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "2975516"	Lsas.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1768	c7afe5c89ae9f8e60372cd5c7d50ed1f0700dcf284426eb740d7982fd13484a8.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Ares\My Shared Folder\Mirc.exe	11.exe
File created	C:\Program Files\LimeWire\Shared\Mirc.exe	11.exe
File created	C:\Program Files\eDonkey2000\Mirc.exe	11.exe
File created	C:\Program Files\eMule\Incoming\Mirc.exe	11.exe
File created	C:\Program Files\Morpheus\My Shared Folder\Mirc.exe	11.exe
File created	C:\Program Files\Bearshare\Shared\kespersky Keys Generator.exee	11.exe
File created	C:\Program Files\Kazaa\My Shared Folder\Mirc.exe	11.exe
File created	C:\Program Files\ICQ\shared files\Mirc.exe	11.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\Lsas.exe	11.exe
File opened for modification	C:\WINDOWS\Lsas.exe	11.exe
File created	C:\WINDOWS\Systemp.txt	Lsas.exe
File opened for modification	C:\WINDOWS\Systemp.txt	Lsas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1480	Lsas.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	1716	11.exe
Token: SeBackupPrivilege	1480	Lsas.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
856	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1716	11.exe
1480	Lsas.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1716	1768	c7afe5c89ae9f8e60372cd5c7d50ed1f0700dcf284426eb740d7982fd13484a8.exe	27
PID 1768 wrote to memory of 1716	1768	c7afe5c89ae9f8e60372cd5c7d50ed1f0700dcf284426eb740d7982fd13484a8.exe	27
PID 1768 wrote to memory of 1716	1768	c7afe5c89ae9f8e60372cd5c7d50ed1f0700dcf284426eb740d7982fd13484a8.exe	27
PID 1768 wrote to memory of 1716	1768	c7afe5c89ae9f8e60372cd5c7d50ed1f0700dcf284426eb740d7982fd13484a8.exe	27
PID 1716 wrote to memory of 692	1716	11.exe	29
PID 1716 wrote to memory of 692	1716	11.exe	29
PID 1716 wrote to memory of 692	1716	11.exe	29
PID 1716 wrote to memory of 692	1716	11.exe	29
PID 1716 wrote to memory of 1480	1716	11.exe	31
PID 1716 wrote to memory of 1480	1716	11.exe	31
PID 1716 wrote to memory of 1480	1716	11.exe	31
PID 1716 wrote to memory of 1480	1716	11.exe	31
PID 692 wrote to memory of 1464	692	net.exe	32
PID 692 wrote to memory of 1464	692	net.exe	32
PID 692 wrote to memory of 1464	692	net.exe	32
PID 692 wrote to memory of 1464	692	net.exe	32
PID 1480 wrote to memory of 1684	1480	Lsas.exe	33
PID 1480 wrote to memory of 1684	1480	Lsas.exe	33
PID 1480 wrote to memory of 1684	1480	Lsas.exe	33
PID 1480 wrote to memory of 1684	1480	Lsas.exe	33
PID 1684 wrote to memory of 1536	1684	net.exe	35
PID 1684 wrote to memory of 1536	1684	net.exe	35
PID 1684 wrote to memory of 1536	1684	net.exe	35
PID 1684 wrote to memory of 1536	1684	net.exe	35

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "9136476"	11.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "2975516"	Lsas.exe

C:\Users\Admin\AppData\Local\Temp\c7afe5c89ae9f8e60372cd5c7d50ed1f0700dcf284426eb740d7982fd13484a8.exe
"C:\Users\Admin\AppData\Local\Temp\c7afe5c89ae9f8e60372cd5c7d50ed1f0700dcf284426eb740d7982fd13484a8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\11.exe
  "C:\Users\Admin\AppData\Local\Temp\11.exe"
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1716
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:1464
- - C:\WINDOWS\Lsas.exe
    C:\WINDOWS\Lsas.exe
    3⤵
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1480
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop sharedaccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        
        PID:1536

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
76KB

MD5
4c142313a0913a5b94ef747c84bae5ad

SHA1
8c62f621a90a17701931ff84b93ccbc32664989f

SHA256
506f7d4a6c7b0e6bb3330862a285fbcd4ecaab79016b725681cc1ffa7fb4b0cc

SHA512
1f596aa8468e1576f9558a0a040dfab84b52a224f94e830b7e029f478d4433362d3c934d253027f60f9703861984b71f36d2b3371e3298d944a181d4c3dee080

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
76KB

MD5
4c142313a0913a5b94ef747c84bae5ad

SHA1
8c62f621a90a17701931ff84b93ccbc32664989f

SHA256
506f7d4a6c7b0e6bb3330862a285fbcd4ecaab79016b725681cc1ffa7fb4b0cc

SHA512
1f596aa8468e1576f9558a0a040dfab84b52a224f94e830b7e029f478d4433362d3c934d253027f60f9703861984b71f36d2b3371e3298d944a181d4c3dee080

Download Submit
C:\Users\Admin\AppData\Local\Temp\work.jpg

Filesize
41KB

MD5
b8f86a3c6ee32d56b81be37576397964

SHA1
0671b07471998bf8507b92624a449a4364672082

SHA256
e17387722f29277130b5c0c136f0030019714642aa53f25cebb374ec74e33654

SHA512
f6dffdb9a14fab3bf1596719c65d52f31fdec96a42c93184bea1c0c218eb9cc1838e63b6c54ef8ce71c8e15c7a798ce0599e805bb491d331dc2f4218fc86b9db

Download Submit
C:\WINDOWS\Lsas.exe

Filesize
76KB

MD5
4c142313a0913a5b94ef747c84bae5ad

SHA1
8c62f621a90a17701931ff84b93ccbc32664989f

SHA256
506f7d4a6c7b0e6bb3330862a285fbcd4ecaab79016b725681cc1ffa7fb4b0cc

SHA512
1f596aa8468e1576f9558a0a040dfab84b52a224f94e830b7e029f478d4433362d3c934d253027f60f9703861984b71f36d2b3371e3298d944a181d4c3dee080

Download Submit
C:\Windows\Lsas.exe

Filesize
76KB

MD5
4c142313a0913a5b94ef747c84bae5ad

SHA1
8c62f621a90a17701931ff84b93ccbc32664989f

SHA256
506f7d4a6c7b0e6bb3330862a285fbcd4ecaab79016b725681cc1ffa7fb4b0cc

SHA512
1f596aa8468e1576f9558a0a040dfab84b52a224f94e830b7e029f478d4433362d3c934d253027f60f9703861984b71f36d2b3371e3298d944a181d4c3dee080

Download Submit
\Users\Admin\AppData\Local\Temp\11.exe

Filesize
76KB

MD5
4c142313a0913a5b94ef747c84bae5ad

SHA1
8c62f621a90a17701931ff84b93ccbc32664989f

SHA256
506f7d4a6c7b0e6bb3330862a285fbcd4ecaab79016b725681cc1ffa7fb4b0cc

SHA512
1f596aa8468e1576f9558a0a040dfab84b52a224f94e830b7e029f478d4433362d3c934d253027f60f9703861984b71f36d2b3371e3298d944a181d4c3dee080

Download Submit
\Users\Admin\AppData\Local\Temp\11.exe

Filesize
76KB

MD5
4c142313a0913a5b94ef747c84bae5ad

SHA1
8c62f621a90a17701931ff84b93ccbc32664989f

SHA256
506f7d4a6c7b0e6bb3330862a285fbcd4ecaab79016b725681cc1ffa7fb4b0cc

SHA512
1f596aa8468e1576f9558a0a040dfab84b52a224f94e830b7e029f478d4433362d3c934d253027f60f9703861984b71f36d2b3371e3298d944a181d4c3dee080

Download Submit
memory/1480-78-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1716-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1768-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1768-77-0x00000000025A0000-0x00000000025E1000-memory.dmp

Filesize
260KB

Download
memory/1768-76-0x00000000025A0000-0x00000000025E1000-memory.dmp

Filesize
260KB

Download
memory/1768-75-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads