abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698

General

Target

abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe
Size

34KB
MD5

16733b4c328622b2dbc4b062214cdd22
SHA1

c1ebbb333f7b8c36615f12c05d9522e3ac7ab64f
SHA256

abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698
SHA512

d3b8fc0598e1214bbe39816b8f0caa0406e7b813d3da19d11fa08f2bbcdb6cd6bc4e0f428fad70fc2859304bd8a41d9c9d12f8dcbe4d7950d7fe50762f51776e
SSDEEP

768:I+6RcpA0HJXVGQwxspJgwivSBEaoV4jZ34agYUtqZ:ILa3H2wim1oV0dJ+C

Score

10^/10

evasion trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2832-133-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2832-136-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2832-138-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wscntfy.exe	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe
File opened for modification	C:\Windows\SysWOW64\wscntfy.exe	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer Phishing Filter 1 TTPs 4 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\PhishingFilter	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PhishingFilter	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3808	shutdown.exe
Token: SeRemoteShutdownPrivilege	3808	shutdown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2832	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe
2832	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 3808	2832	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe	87
PID 2832 wrote to memory of 3808	2832	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe	87
PID 2832 wrote to memory of 3808	2832	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe	87

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe

C:\Users\Admin\AppData\Local\Temp\abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe
"C:\Users\Admin\AppData\Local\Temp\abb9cc05863a9a471b365643773198df2dd34623296c3447a655274b0fba0698.exe"
1⤵
- Modifies firewall policy service
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer Phishing Filter
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2832
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" -r -f -t 600
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2832-133-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2832-136-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2832-138-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads