271d8bf13f96188684e0f68446f16084ec6d8c231837c45e3ec3ebb73062574d

Resubmissions

23/02/2023, 14:03

230223-rcnzwsga69 10

20/01/2023, 12:25

16/01/2023, 12:00

15/01/2023, 04:12

15/01/2023, 04:01

15/01/2023, 03:56

15/01/2023, 01:02

15/01/2023, 00:38

Analysis

max time kernel
303s
max time network
403s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2023, 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe
Size

1.6MB
MD5

9f7aaf3a9a3f325dd533ecc38d85a351
SHA1

1ebdc55b96e11d9b924fbba8c5fa1799ff247970
SHA256

88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd
SHA512

0afdcb5362be67938d00baaeb3974af3ad2b7342c8024ec2390ce87bad4c6252e4c8277a0bb36979cdcb4036aa9f7dc93ac23f78acdd04033c3086fa3fd7286f
SSDEEP

24576:yWmAFubS9dt9Mcp5CPu4YV5GaCxYiluVuTY4PRVGEw6GPDp5MwNrsJjF2GKGI8L:q29dRpYW4YV5QxYiET8ahPDMwNrs2y

Score

10^/10

evasion trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jsc.exe

Executes dropped EXE 2 IoCs

pid	Process
816	Engine.exe
3076	Champion.exe.pif

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000022deb-133.dat	upx
behavioral1/files/0x0006000000022deb-134.dat	upx
behavioral1/memory/816-140-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/816-161-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/816-162-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
63	eth0.me

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3076 set thread context of 4080	3076	Champion.exe.pif	106

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2971393436-602173351-1645505021-1000\{8DAE9737-B40D-49B7-94AF-C396EFD1F64F}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2971393436-602173351-1645505021-1000\{88988205-1091-4C47-A249-CF8658681C9B}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	calc.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1160	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
4060	powershell.exe
4060	powershell.exe
4060	powershell.exe
3076	Champion.exe.pif
3076	Champion.exe.pif
3076	Champion.exe.pif
3076	Champion.exe.pif
3076	Champion.exe.pif
3076	Champion.exe.pif
3076	Champion.exe.pif
3076	Champion.exe.pif

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	4080	jsc.exe
Token: SeManageVolumePrivilege	1968	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3076	Champion.exe.pif
3076	Champion.exe.pif
3076	Champion.exe.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3076	Champion.exe.pif
3076	Champion.exe.pif
3076	Champion.exe.pif

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
796	OpenWith.exe
3476	OpenWith.exe
736	OpenWith.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 816	2192	88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe	82
PID 2192 wrote to memory of 816	2192	88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe	82
PID 2192 wrote to memory of 816	2192	88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe	82
PID 816 wrote to memory of 2372	816	Engine.exe	83
PID 816 wrote to memory of 2372	816	Engine.exe	83
PID 816 wrote to memory of 2372	816	Engine.exe	83
PID 2372 wrote to memory of 2896	2372	cmd.exe	86
PID 2372 wrote to memory of 2896	2372	cmd.exe	86
PID 2372 wrote to memory of 2896	2372	cmd.exe	86
PID 2896 wrote to memory of 1536	2896	cmd.exe	90
PID 2896 wrote to memory of 1536	2896	cmd.exe	90
PID 2896 wrote to memory of 1536	2896	cmd.exe	90
PID 2896 wrote to memory of 4060	2896	cmd.exe	91
PID 2896 wrote to memory of 4060	2896	cmd.exe	91
PID 2896 wrote to memory of 4060	2896	cmd.exe	91
PID 2896 wrote to memory of 4772	2896	cmd.exe	95
PID 2896 wrote to memory of 4772	2896	cmd.exe	95
PID 2896 wrote to memory of 4772	2896	cmd.exe	95
PID 2896 wrote to memory of 3076	2896	cmd.exe	96
PID 2896 wrote to memory of 3076	2896	cmd.exe	96
PID 2896 wrote to memory of 3076	2896	cmd.exe	96
PID 2896 wrote to memory of 1160	2896	cmd.exe	97
PID 2896 wrote to memory of 1160	2896	cmd.exe	97
PID 2896 wrote to memory of 1160	2896	cmd.exe	97
PID 3076 wrote to memory of 4080	3076	Champion.exe.pif	106
PID 3076 wrote to memory of 4080	3076	Champion.exe.pif	106
PID 3076 wrote to memory of 4080	3076	Champion.exe.pif	106
PID 3076 wrote to memory of 4080	3076	Champion.exe.pif	106
PID 3076 wrote to memory of 4080	3076	Champion.exe.pif	106

C:\Users\Admin\AppData\Local\Temp\88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe
"C:\Users\Admin\AppData\Local\Temp\88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\SETUP_26658\Engine.exe
  C:\Users\Admin\AppData\Local\Temp\SETUP_26658\Engine.exe /TH_ID=_2592 /OriginExe="C:\Users\Admin\AppData\Local\Temp\88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd < 4
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avgui
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^ibXEdmiVmigethPmiCeveAlmmdbbRGVlGZgkrkVHBRdIphNCcvDTejGGhntqwKrSktcyZDvWGxUklCdjCVwceeizaHYEiVGRNbvySICSZHhIac$" 45
        5⤵
        
        PID:4772
    - - C:\Users\Admin\AppData\Local\Temp\5col3ccv.tda\7269\Champion.exe.pif
        
        7269\\Champion.exe.pif 7269\\S
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3076
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        6⤵
        UAC bypass
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 18
        5⤵
        Runs ping.exe
        
        PID:1160

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:3912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:2444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
1⤵
- Modifies registry class
PID:632

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0e9fe0c5a7ab9bac3d206aaef763743c

SHA1
b2fe1b69b2220ade96f8e10eeb4301ce2245a48f

SHA256
988704213194f865ffeb8f8207cfa80a2cc912d493d414de74e243ec23610cfb

SHA512
dddf48e4aa8bd65316a9bf3859422acf9abc1bb07df6b916e6f2f87709fc48c22cd6c474fc807e2fc8694a1c6323f6bece1c83273877b640cf7377236fc370ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\5col3ccv.tda\7269\Champion.exe.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_26658\00000#4

Filesize
12KB

MD5
4839bb17c0c82a044dbd0072c6c98cb6

SHA1
3c06dcc178dd8a8e2290b746cfc7e704a537c91f

SHA256
a7e6636cd2ba510513484cfea9201884f64f7b664951402b909caf9728704ec2

SHA512
13d607b989efca3105363a10f481ef02fdcfcd5da4a267da0b87f3f2417456e672337c8e6332e0be286f6401bea203149a1cd23a24a8006f689b32e9d6199b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_26658\00001#45

Filesize
872KB

MD5
a3b85111ecdfc29672319893192bb7fd

SHA1
4ec865fd387eade4cd0b0ad8cabd68cae89ac8d5

SHA256
ec8149d7c157e53108c089f07b8d2bf1156b8c1f8632c938a2130279927e2367

SHA512
0c9e75843ebe962246a0fd2d15e2b90ae71257aac15ee7b1cf12a3fc383a144fef5959c0a81c7d9f55ef6893937b1a9868a7c2546d70045c40810a7b3a0be804

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_26658\00002#7

Filesize
1.5MB

MD5
536073c3748e4eb7bbee303547b7227d

SHA1
4397b1d855e799f4d38467a848cda2273c1c6c73

SHA256
8e289b8dfc7e4994d808ef79a88adb513365177604fe587f6efa812f284e21a3

SHA512
3b1e1c853c362770a4ddcc4c7b3b932f9adf9db006bf649266a1b0c9c6c7b0afb7f0cd5687f672ed58908c9af8b56a830888b6f30defb97297cbde8de18f7651

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_26658\Engine.exe

Filesize
392KB

MD5
a7a99a201774531d761f6aac2651a9df

SHA1
b122ae368c4bf103e959a6ebb54ddb310117ab96

SHA256
e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

SHA512
056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_26658\Engine.exe

Filesize
392KB

MD5
a7a99a201774531d761f6aac2651a9df

SHA1
b122ae368c4bf103e959a6ebb54ddb310117ab96

SHA256
e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

SHA512
056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_26658\Modern_Icon.bmp

Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_26658\Setup.txt

Filesize
2KB

MD5
ae90fca8c12f2c43c468fbd0954381f7

SHA1
d475bb8f5891ab5f4c7cd2c90847cbfa68758842

SHA256
d9f67a975a877aa95e76821542311adb21704988d8452916d5b51feeeff3e720

SHA512
6880c7b658b7852bfcd597a57fd6e85f8a218e18d7acc248edc8efb2bea5a61063c4eeb5ae48008cc07408501c1af0eefc6a9010820ba823ab3fe66dae1f9041

Download Submit
memory/816-161-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/816-162-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/816-140-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1536-152-0x0000000006A50000-0x0000000006A72000-memory.dmp

Filesize
136KB

Download
memory/1536-144-0x0000000004FE0000-0x0000000005016000-memory.dmp

Filesize
216KB

Download
memory/1536-149-0x0000000006530000-0x000000000654E000-memory.dmp

Filesize
120KB

Download
memory/1536-150-0x0000000007700000-0x0000000007796000-memory.dmp

Filesize
600KB

Download
memory/1536-151-0x0000000006A00000-0x0000000006A1A000-memory.dmp

Filesize
104KB

Download
memory/1536-147-0x0000000005E50000-0x0000000005EB6000-memory.dmp

Filesize
408KB

Download
memory/1536-153-0x0000000007D50000-0x00000000082F4000-memory.dmp

Filesize
5.6MB

Download
memory/1536-148-0x0000000005EC0000-0x0000000005F26000-memory.dmp

Filesize
408KB

Download
memory/1536-146-0x0000000005CB0000-0x0000000005CD2000-memory.dmp

Filesize
136KB

Download
memory/1536-145-0x0000000005650000-0x0000000005C78000-memory.dmp

Filesize
6.2MB

Download
memory/1968-167-0x0000029E2D440000-0x0000029E2D450000-memory.dmp

Filesize
64KB

Download
memory/1968-168-0x0000029E2D540000-0x0000029E2D550000-memory.dmp

Filesize
64KB

Download
memory/4080-166-0x0000000005420000-0x00000000054B2000-memory.dmp

Filesize
584KB

Download
memory/4080-164-0x0000000000F00000-0x0000000000FA6000-memory.dmp

Filesize
664KB

Download
memory/4080-169-0x0000000006DB0000-0x0000000006F72000-memory.dmp

Filesize
1.8MB

Download
memory/4080-170-0x0000000006C60000-0x0000000006CD6000-memory.dmp

Filesize
472KB

Download
memory/4080-171-0x00000000074B0000-0x00000000079DC000-memory.dmp

Filesize
5.2MB

Download
memory/4080-172-0x0000000007180000-0x000000000719E000-memory.dmp

Filesize
120KB

Download