e03a5fca15621bbb472355fa10771e72cd23c33021c5837aa05646329b3b59e1

General

Target

be5f9409745c8c3853f3c320a1327960_exe32.exe
Size

210KB
MD5

be5f9409745c8c3853f3c320a1327960
SHA1

5e7269ed49c573dc4b8f3ce637c06dea9d2fff19
SHA256

e03a5fca15621bbb472355fa10771e72cd23c33021c5837aa05646329b3b59e1
SHA512

cd7e4495322b7ace19150355302828a1f9fcba7cc9af561a25fc0244a715ab2d3cdfdd9da0e0304a40175736d12930f14ab791439293473534e8b66534eecee5
SSDEEP

3072:/plLir2bgbHfeEMlUVZ/VGS7rN+kout8GXoYloDkldTGAJOcpQzzQQzUMdc:/pW2bgbbV28okoS1oWMkdlZQ5wQc

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\be5f9409745c8c3853f3c320a1327960_exe32.exe BATCF %1"	be5f9409745c8c3853f3c320a1327960_exe32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\be5f9409745c8c3853f3c320a1327960_exe32.exe VBSSF %1"	be5f9409745c8c3853f3c320a1327960_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\be5f9409745c8c3853f3c320a1327960_exe32.exe HTMWF %1"	be5f9409745c8c3853f3c320a1327960_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\be5f9409745c8c3853f3c320a1327960_exe32.exe NTPAD %1"	be5f9409745c8c3853f3c320a1327960_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\be5f9409745c8c3853f3c320a1327960_exe32.exe CMDSF %1"	be5f9409745c8c3853f3c320a1327960_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\be5f9409745c8c3853f3c320a1327960_exe32.exe JPGIF %1"	be5f9409745c8c3853f3c320a1327960_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\be5f9409745c8c3853f3c320a1327960_exe32.exe JPGIF %1"	be5f9409745c8c3853f3c320a1327960_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\be5f9409745c8c3853f3c320a1327960_exe32.exe RTFDF %1"	be5f9409745c8c3853f3c320a1327960_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\be5f9409745c8c3853f3c320a1327960_exe32.exe JPGIF %1"	be5f9409745c8c3853f3c320a1327960_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\be5f9409745c8c3853f3c320a1327960_exe32.exe BATCF %1"	be5f9409745c8c3853f3c320a1327960_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\be5f9409745c8c3853f3c320a1327960_exe32.exe JPGIF %1"	be5f9409745c8c3853f3c320a1327960_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\be5f9409745c8c3853f3c320a1327960_exe32.exe NTPAD %1"	be5f9409745c8c3853f3c320a1327960_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\be5f9409745c8c3853f3c320a1327960_exe32.exe NTPAD %1"	be5f9409745c8c3853f3c320a1327960_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\be5f9409745c8c3853f3c320a1327960_exe32.exe NTPAD %1"	be5f9409745c8c3853f3c320a1327960_exe32.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2576	reg.exe
2992	reg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2576	2212	be5f9409745c8c3853f3c320a1327960_exe32.exe	28
PID 2212 wrote to memory of 2576	2212	be5f9409745c8c3853f3c320a1327960_exe32.exe	28
PID 2212 wrote to memory of 2576	2212	be5f9409745c8c3853f3c320a1327960_exe32.exe	28
PID 2212 wrote to memory of 2992	2212	be5f9409745c8c3853f3c320a1327960_exe32.exe	31
PID 2212 wrote to memory of 2992	2212	be5f9409745c8c3853f3c320a1327960_exe32.exe	31
PID 2212 wrote to memory of 2992	2212	be5f9409745c8c3853f3c320a1327960_exe32.exe	31

C:\Users\Admin\AppData\Local\Temp\be5f9409745c8c3853f3c320a1327960_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\be5f9409745c8c3853f3c320a1327960_exe32.exe"
1⤵
- Modifies system executable filetype association
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2576
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\EIRk4qtd.exe

Filesize
210KB

MD5
ffa44b17f459017db27a02adbff2b02e

SHA1
b17fe0e5cfc18b3c63e7d0af2e370f7fadb0ca48

SHA256
36d6a62e17f3fe1c8f008bfad2554b51fcc28b764a12e67d788a179ba77cf700

SHA512
7f89f46d126c7c99f8be635a25d89d56b212117f70e7e87c0fb865bf79b868e027ce2f080be4bc3c8662e798bde353275387653192240060cb93aaa76262040e

Download Submit
memory/2212-0-0x0000000000B40000-0x0000000000B68000-memory.dmp

Filesize
160KB

Download
memory/2212-1-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/2212-2-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/2212-841-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/2212-939-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads