11aa6ef17a79a77cfb8c1d10f25a99df4d289ca13a8f26fcf9c69e31a434a5df

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2023, 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11aa6ef17a79a77cfb8c1d10f25a99df4d289ca13a8f26fcf9c69e31a434a5df.exe
Size

203KB
MD5

777f37e8cdc11ac1cd0c077641e3c408
SHA1

59b520ee80cf28cc30e8764e9f1fde919f31710e
SHA256

11aa6ef17a79a77cfb8c1d10f25a99df4d289ca13a8f26fcf9c69e31a434a5df
SHA512

f94b3dddbac3b5d2c75056de524dbd2a34276b7b590aeea5e57754d2a71061cd8224c9c6c80ae8cc7950d363307f1a1d6401a59ef7c7f7f2c7c0578b9532ac84
SSDEEP

3072:DE+COyprOTLLvfkgev+oHvE0bMzhHkFTeVxLsc7bZJMn0yDpDkvhxBh:DzQprOTLbkgONvZ4hHD3ZSkvV

Score

10^/10

evasion trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RKTT9f.exe

Downloads MZ/PE file
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	11aa6ef17a79a77cfb8c1d10f25a99df4d289ca13a8f26fcf9c69e31a434a5df.exe

Executes dropped EXE 1 IoCs

pid	Process
1736	RKTT9f.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e0f-15.dat	upx
behavioral2/files/0x0006000000022e0f-22.dat	upx
behavioral2/files/0x0006000000022e0f-21.dat	upx
behavioral2/memory/1736-23-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/memory/1736-64-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3224	5072	WerFault.exe	82

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RKTT9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RKTT9f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5072	11aa6ef17a79a77cfb8c1d10f25a99df4d289ca13a8f26fcf9c69e31a434a5df.exe
5072	11aa6ef17a79a77cfb8c1d10f25a99df4d289ca13a8f26fcf9c69e31a434a5df.exe
5072	11aa6ef17a79a77cfb8c1d10f25a99df4d289ca13a8f26fcf9c69e31a434a5df.exe
5072	11aa6ef17a79a77cfb8c1d10f25a99df4d289ca13a8f26fcf9c69e31a434a5df.exe
5072	11aa6ef17a79a77cfb8c1d10f25a99df4d289ca13a8f26fcf9c69e31a434a5df.exe
5072	11aa6ef17a79a77cfb8c1d10f25a99df4d289ca13a8f26fcf9c69e31a434a5df.exe
5072	11aa6ef17a79a77cfb8c1d10f25a99df4d289ca13a8f26fcf9c69e31a434a5df.exe
5072	11aa6ef17a79a77cfb8c1d10f25a99df4d289ca13a8f26fcf9c69e31a434a5df.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1736	RKTT9f.exe
1736	RKTT9f.exe
1736	RKTT9f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1736	5072	11aa6ef17a79a77cfb8c1d10f25a99df4d289ca13a8f26fcf9c69e31a434a5df.exe	93
PID 5072 wrote to memory of 1736	5072	11aa6ef17a79a77cfb8c1d10f25a99df4d289ca13a8f26fcf9c69e31a434a5df.exe	93
PID 5072 wrote to memory of 1736	5072	11aa6ef17a79a77cfb8c1d10f25a99df4d289ca13a8f26fcf9c69e31a434a5df.exe	93
PID 1736 wrote to memory of 2496	1736	RKTT9f.exe	98
PID 1736 wrote to memory of 2496	1736	RKTT9f.exe	98
PID 1736 wrote to memory of 2496	1736	RKTT9f.exe	98

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RKTT9f.exe

C:\Users\Admin\AppData\Local\Temp\11aa6ef17a79a77cfb8c1d10f25a99df4d289ca13a8f26fcf9c69e31a434a5df.exe
"C:\Users\Admin\AppData\Local\Temp\11aa6ef17a79a77cfb8c1d10f25a99df4d289ca13a8f26fcf9c69e31a434a5df.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Public\Pictures\2VXQ6\RKTT9f.exe
  "C:\Users\Public\Pictures\2VXQ6\RKTT9f.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:2496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1308
  2⤵
  - Program crash
  PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5072 -ip 5072
1⤵
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG2.JPG

Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Public\Pictures\2VXQ6\Edge.jpg

Filesize
358KB

MD5
ae1014c8ae0102700ac2070f2531af71

SHA1
fc30226c23b4dc744bae2eb636dc4ca4a1060167

SHA256
326a8e50586d6aa1d1d9eee81f79fdea188cc84aa1f55f6d05d3cbcb166ab1f2

SHA512
78f845aa9d2a29c0a98fbf77e720927dccb34d358c9a06798d848ac16b95cd33623c28323b349f28b7775c885f0954fb845e27ed22613e9333ff47d1b29cdad5

Download Submit
C:\Users\Public\Pictures\2VXQ6\RKTT9f.dat

Filesize
132KB

MD5
f151321f3a64aac61ba983db54ce111e

SHA1
e38c95df97949109f35354d536e3cfc0d3d13b27

SHA256
73de2f6702ddd97f0cf0445b93eaff0aad7c769eeb55206f28bebf94ba1fcabf

SHA512
ba73b7ecac270b87d27a61d2d2a68adf2796a27343fffadb2883b2922fd89caf731d8f153167aae232b9523f407f8708fb3a15f9135f925678034b0472bbccbe

Download Submit
C:\Users\Public\Pictures\2VXQ6\RKTT9f.exe

Filesize
525KB

MD5
c78f2ec1cc251190d296e85f19e5f9fb

SHA1
2b7a7ed27e34552dc38996b302f72b603279e8b2

SHA256
d3a1831478c92975f2ec6204a4dd318b225be4bb9a411e0e4df5a36f1532f3d0

SHA512
fb8bade41fd41b45026e91ecc37b17306f5e7bbe9f02f3528b58398fbc3f183283bcaed74de5ab2fcf61ff2ca787f0416b2ca55d9fa296f2527cc95168496995

Download Submit
C:\Users\Public\Pictures\2VXQ6\RKTT9f.exe

Filesize
525KB

MD5
c78f2ec1cc251190d296e85f19e5f9fb

SHA1
2b7a7ed27e34552dc38996b302f72b603279e8b2

SHA256
d3a1831478c92975f2ec6204a4dd318b225be4bb9a411e0e4df5a36f1532f3d0

SHA512
fb8bade41fd41b45026e91ecc37b17306f5e7bbe9f02f3528b58398fbc3f183283bcaed74de5ab2fcf61ff2ca787f0416b2ca55d9fa296f2527cc95168496995

Download Submit
C:\Users\Public\Pictures\2VXQ6\RKTT9f.exe

Filesize
525KB

MD5
c78f2ec1cc251190d296e85f19e5f9fb

SHA1
2b7a7ed27e34552dc38996b302f72b603279e8b2

SHA256
d3a1831478c92975f2ec6204a4dd318b225be4bb9a411e0e4df5a36f1532f3d0

SHA512
fb8bade41fd41b45026e91ecc37b17306f5e7bbe9f02f3528b58398fbc3f183283bcaed74de5ab2fcf61ff2ca787f0416b2ca55d9fa296f2527cc95168496995

Download Submit
C:\Users\Public\Pictures\2VXQ6\edge.xml

Filesize
78KB

MD5
c47e753f6ef9fce9d8b34ff107cfe478

SHA1
8890b4477a434bb0c17cfda7c759bbde53de0456

SHA256
c9ad54f4ea0cef407b6899cce145a24fe92930f56bdf26b1f7fe36231e419a59

SHA512
9d9500fe8cc6c7b3c2c6dadefaa5304e5aa2209b7767e4548101c99f1bf091bcb31ca9ecbadc6be8bf958d6ec7fe36fabddb34b9e48d46bac2a1c87d99d16f57

Download Submit
memory/1736-23-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1736-45-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/1736-47-0x00000000037C0000-0x00000000037D7000-memory.dmp

Filesize
92KB

Download
memory/1736-50-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/1736-64-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1736-66-0x00000000037C0000-0x00000000037D7000-memory.dmp

Filesize
92KB

Download
memory/5072-1-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download