24d8b33ffceaa0cee17a6258d39be1317672fc481c889822cf38963e3eb488c2

General

Target

decryp.exe
Size

18KB
MD5

0bddede8897d9d810f34d4eab1f6f07a
SHA1

b0b74c8a73699f93915154826ba8cfebe92c1dd4
SHA256

24d8b33ffceaa0cee17a6258d39be1317672fc481c889822cf38963e3eb488c2
SHA512

ae2e6cd9495b54c6fc9c4c27ece37bf0719bf42bd9c5bba4a29782f50d127d6a32461a405d9014b311e9de51d0ffc7c6001f9dbcdbbde94a92a2c51e661fe1fa
SSDEEP

384:3G1LKciD3h+fRSsBS9UpM8WefjHYc0wu:3G1LK1/sBS978/fTYc0wu

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 5 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

2756 netsh.exe
2260 netsh.exe
2548 netsh.exe
2716 netsh.exe
2672 netsh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2568 reg.exe
1844 reg.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2516 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2516 powershell.exe

pid	process
2756	netsh.exe
2260	netsh.exe
2548	netsh.exe
2716	netsh.exe
2672	netsh.exe

pid	process
2568	reg.exe
1844	reg.exe

pid	process
2516	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2516	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

decryp.execmd.exe

description	pid	process	target process
PID 3048 wrote to memory of 1328	3048	decryp.exe	cmd.exe
PID 3048 wrote to memory of 1328	3048	decryp.exe	cmd.exe
PID 3048 wrote to memory of 1328	3048	decryp.exe	cmd.exe
PID 1328 wrote to memory of 2716	1328	cmd.exe	netsh.exe
PID 1328 wrote to memory of 2716	1328	cmd.exe	netsh.exe
PID 1328 wrote to memory of 2716	1328	cmd.exe	netsh.exe
PID 1328 wrote to memory of 2672	1328	cmd.exe	netsh.exe
PID 1328 wrote to memory of 2672	1328	cmd.exe	netsh.exe
PID 1328 wrote to memory of 2672	1328	cmd.exe	netsh.exe
PID 1328 wrote to memory of 2756	1328	cmd.exe	netsh.exe
PID 1328 wrote to memory of 2756	1328	cmd.exe	netsh.exe
PID 1328 wrote to memory of 2756	1328	cmd.exe	netsh.exe
PID 1328 wrote to memory of 2260	1328	cmd.exe	netsh.exe
PID 1328 wrote to memory of 2260	1328	cmd.exe	netsh.exe
PID 1328 wrote to memory of 2260	1328	cmd.exe	netsh.exe
PID 1328 wrote to memory of 2548	1328	cmd.exe	netsh.exe
PID 1328 wrote to memory of 2548	1328	cmd.exe	netsh.exe
PID 1328 wrote to memory of 2548	1328	cmd.exe	netsh.exe
PID 1328 wrote to memory of 2660	1328	cmd.exe	reg.exe
PID 1328 wrote to memory of 2660	1328	cmd.exe	reg.exe
PID 1328 wrote to memory of 2660	1328	cmd.exe	reg.exe
PID 1328 wrote to memory of 2568	1328	cmd.exe	reg.exe
PID 1328 wrote to memory of 2568	1328	cmd.exe	reg.exe
PID 1328 wrote to memory of 2568	1328	cmd.exe	reg.exe
PID 1328 wrote to memory of 2752	1328	cmd.exe	reg.exe
PID 1328 wrote to memory of 2752	1328	cmd.exe	reg.exe
PID 1328 wrote to memory of 2752	1328	cmd.exe	reg.exe
PID 1328 wrote to memory of 1844	1328	cmd.exe	reg.exe
PID 1328 wrote to memory of 1844	1328	cmd.exe	reg.exe
PID 1328 wrote to memory of 1844	1328	cmd.exe	reg.exe
PID 1328 wrote to memory of 2516	1328	cmd.exe	powershell.exe
PID 1328 wrote to memory of 2516	1328	cmd.exe	powershell.exe
PID 1328 wrote to memory of 2516	1328	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\decryp.exe
"C:\Users\Admin\AppData\Local\Temp\decryp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state on & netsh advfirewall set currentprofile state on & netsh advfirewall set domainprofile state on & netsh advfirewall set privateprofile state on & netsh advfirewall set publicprofile state on & REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f & REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f & REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f & REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f & powershell -Command Remove-MpPreference -ExclusionExtension .exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state on
3⤵
- Modifies Windows Firewall
PID:2716

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state on
3⤵
- Modifies Windows Firewall
PID:2672

C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state on
3⤵
- Modifies Windows Firewall
PID:2756

C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state on
3⤵
- Modifies Windows Firewall
PID:2260

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state on
3⤵
- Modifies Windows Firewall
PID:2548

C:\Windows\system32\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f
3⤵
PID:2660

C:\Windows\system32\reg.exe
REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f
3⤵
- Modifies registry key
PID:2568

C:\Windows\system32\reg.exe
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f
3⤵
PID:2752

C:\Windows\system32\reg.exe
REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f
3⤵
- Modifies registry key
PID:1844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Remove-MpPreference -ExclusionExtension .exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2516-8-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/2516-7-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-10-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2516-9-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2516-11-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2516-12-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2516-13-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2516-14-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-0-0x0000000001210000-0x000000000121A000-memory.dmp

Filesize
40KB

Download
memory/3048-1-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-2-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing