e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 11:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe
Size

32KB
MD5

631cac010811174ad23ec661c900fee1
SHA1

7a1a750959ea5684dcde4b1669e3817fa9a37932
SHA256

e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875
SHA512

06f80a61e31e6daf7c86250b75d1ef2b253fa14e423d00dcb9ae45aa9054cc11c6fc94e4ac658e7d51c84901f2fe7c5e513990da45bc5e937c903824c6b33da1
SSDEEP

384:IkAnu1krnSCAXmQTI/s7FOZpgLkpbahbHB4D3W4ogl4:ahCmQTI/s7FjLMahzBC7P

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 7 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCMonitor = "C:\\Windows\\hkscmds.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCMonitor = "C:\\Windows\\hkscmds.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCMonitor = "C:\\Windows\\hkscmds.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCMonitor = "C:\\Windows\\hkscmds.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCMonitor = "C:\\Windows\\hkscmds.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCMonitor = "C:\\Windows\\hkscmds.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCMonitor = "C:\\Windows\\hkscmds.exe"	reg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\hkscmds.exe	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe
File opened for modification	C:\Windows\hkscmds.exe	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry

T1112

pid	Process
32	reg.exe
2188	reg.exe
3344	reg.exe
3432	reg.exe
4500	reg.exe
1456	reg.exe
3440	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 2680	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	85
PID 4588 wrote to memory of 2680	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	85
PID 4588 wrote to memory of 2680	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	85
PID 4588 wrote to memory of 4656	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	86
PID 4588 wrote to memory of 4656	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	86
PID 4588 wrote to memory of 4656	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	86
PID 4656 wrote to memory of 32	4656	cmd.exe	90
PID 2680 wrote to memory of 204	2680	cmd.exe	89
PID 4656 wrote to memory of 32	4656	cmd.exe	90
PID 4656 wrote to memory of 32	4656	cmd.exe	90
PID 2680 wrote to memory of 204	2680	cmd.exe	89
PID 2680 wrote to memory of 204	2680	cmd.exe	89
PID 4588 wrote to memory of 3404	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	94
PID 4588 wrote to memory of 3404	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	94
PID 4588 wrote to memory of 3404	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	94
PID 4588 wrote to memory of 3700	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	96
PID 4588 wrote to memory of 3700	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	96
PID 4588 wrote to memory of 3700	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	96
PID 3404 wrote to memory of 3720	3404	cmd.exe	99
PID 3404 wrote to memory of 3720	3404	cmd.exe	99
PID 3404 wrote to memory of 3720	3404	cmd.exe	99
PID 3700 wrote to memory of 2188	3700	cmd.exe	98
PID 3700 wrote to memory of 2188	3700	cmd.exe	98
PID 3700 wrote to memory of 2188	3700	cmd.exe	98
PID 4588 wrote to memory of 628	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	100
PID 4588 wrote to memory of 628	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	100
PID 4588 wrote to memory of 628	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	100
PID 4588 wrote to memory of 740	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	101
PID 4588 wrote to memory of 740	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	101
PID 4588 wrote to memory of 740	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	101
PID 628 wrote to memory of 2820	628	cmd.exe	105
PID 628 wrote to memory of 2820	628	cmd.exe	105
PID 628 wrote to memory of 2820	628	cmd.exe	105
PID 740 wrote to memory of 3344	740	cmd.exe	104
PID 740 wrote to memory of 3344	740	cmd.exe	104
PID 740 wrote to memory of 3344	740	cmd.exe	104
PID 4588 wrote to memory of 1884	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	106
PID 4588 wrote to memory of 1884	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	106
PID 4588 wrote to memory of 1884	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	106
PID 4588 wrote to memory of 3956	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	108
PID 4588 wrote to memory of 3956	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	108
PID 4588 wrote to memory of 3956	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	108
PID 3956 wrote to memory of 3432	3956	cmd.exe	110
PID 3956 wrote to memory of 3432	3956	cmd.exe	110
PID 3956 wrote to memory of 3432	3956	cmd.exe	110
PID 1884 wrote to memory of 1284	1884	cmd.exe	111
PID 1884 wrote to memory of 1284	1884	cmd.exe	111
PID 1884 wrote to memory of 1284	1884	cmd.exe	111
PID 4588 wrote to memory of 4076	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	112
PID 4588 wrote to memory of 4076	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	112
PID 4588 wrote to memory of 4076	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	112
PID 4588 wrote to memory of 1208	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	114
PID 4588 wrote to memory of 1208	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	114
PID 4588 wrote to memory of 1208	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	114
PID 4076 wrote to memory of 5044	4076	cmd.exe	116
PID 4076 wrote to memory of 5044	4076	cmd.exe	116
PID 4076 wrote to memory of 5044	4076	cmd.exe	116
PID 1208 wrote to memory of 4500	1208	cmd.exe	117
PID 1208 wrote to memory of 4500	1208	cmd.exe	117
PID 1208 wrote to memory of 4500	1208	cmd.exe	117
PID 4588 wrote to memory of 2012	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	118
PID 4588 wrote to memory of 2012	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	118
PID 4588 wrote to memory of 2012	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	118
PID 4588 wrote to memory of 4956	4588	e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe	121

C:\Users\Admin\AppData\Local\Temp\e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe
"C:\Users\Admin\AppData\Local\Temp\e7f4ecca18bafab48354edb7350ab5ab0b958302bb22e18cae914d8979367875.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v PCMonitor /t REG_SZ /d C:\Windows\hkscmds.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v PCMonitor /t REG_SZ /d C:\Windows\hkscmds.exe /f
    3⤵
    - Adds Run key to start application
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:32
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v PCMonitor /t REG_SZ /d C:\Windows\hkscmds.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v PCMonitor /t REG_SZ /d C:\Windows\hkscmds.exe /f
    3⤵
    - Adds Run key to start application
    PID:3720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v PCMonitor /t REG_SZ /d C:\Windows\hkscmds.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v PCMonitor /t REG_SZ /d C:\Windows\hkscmds.exe /f
    3⤵
    - Adds Run key to start application
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:3344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v PCMonitor /t REG_SZ /d C:\Windows\hkscmds.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v PCMonitor /t REG_SZ /d C:\Windows\hkscmds.exe /f
    3⤵
    - Adds Run key to start application
    PID:1284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:3432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v PCMonitor /t REG_SZ /d C:\Windows\hkscmds.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v PCMonitor /t REG_SZ /d C:\Windows\hkscmds.exe /f
    3⤵
    - Adds Run key to start application
    PID:5044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:4500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v PCMonitor /t REG_SZ /d C:\Windows\hkscmds.exe /f
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v PCMonitor /t REG_SZ /d C:\Windows\hkscmds.exe /f
    3⤵
    - Adds Run key to start application
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:1456
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v PCMonitor /t REG_SZ /d C:\Windows\hkscmds.exe /f
  2⤵
  PID:2860
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v PCMonitor /t REG_SZ /d C:\Windows\hkscmds.exe /f
    3⤵
    - Adds Run key to start application
    PID:5068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:3440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v PCMonitor /t REG_SZ /d C:\Windows\hkscmds.exe /f
  2⤵
  PID:4760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:5028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads