e8aed0c136cdb9bc4e945af74612a6acfe7f40345746f0ab30ade612a6d2c935

General

Target

0a7a9a7f98f1c04893b5225fada2f1c2.exe
Size

1.2MB
MD5

0a7a9a7f98f1c04893b5225fada2f1c2
SHA1

7a2efc197f2d6dadb60621174fb0c4a5085b8c41
SHA256

e8aed0c136cdb9bc4e945af74612a6acfe7f40345746f0ab30ade612a6d2c935
SHA512

c614909d57492f27dd3b0e1142755220487914b144da00bb28405f5cb20c452179d4a1b025a6df541c54c24cbcca3e46089458ac179e940d8998bd5369018c7b
SSDEEP

3072:aWGy5OYg60KG+LVowg/e3QT10CF0L+LW1HRDHXJxEHMjx8c7n5diH5n4UJYjaVq:Fp8I6rMMD/0J0Sh3p

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	0a7a9a7f98f1c04893b5225fada2f1c2.exe

Executes dropped EXE 1 IoCs

pid	Process
1948	schostd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVCOSTD = "C:\\Users\\Admin\\updaterd\\schostd.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1304	0a7a9a7f98f1c04893b5225fada2f1c2.exe
1948	schostd.exe
1948	schostd.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2156	1304	0a7a9a7f98f1c04893b5225fada2f1c2.exe	91
PID 1304 wrote to memory of 2156	1304	0a7a9a7f98f1c04893b5225fada2f1c2.exe	91
PID 1304 wrote to memory of 2156	1304	0a7a9a7f98f1c04893b5225fada2f1c2.exe	91
PID 2156 wrote to memory of 3596	2156	cmd.exe	94
PID 2156 wrote to memory of 3596	2156	cmd.exe	94
PID 2156 wrote to memory of 3596	2156	cmd.exe	94
PID 2156 wrote to memory of 2544	2156	cmd.exe	95
PID 2156 wrote to memory of 2544	2156	cmd.exe	95
PID 2156 wrote to memory of 2544	2156	cmd.exe	95
PID 1304 wrote to memory of 244	1304	0a7a9a7f98f1c04893b5225fada2f1c2.exe	96
PID 1304 wrote to memory of 244	1304	0a7a9a7f98f1c04893b5225fada2f1c2.exe	96
PID 1304 wrote to memory of 244	1304	0a7a9a7f98f1c04893b5225fada2f1c2.exe	96
PID 244 wrote to memory of 2496	244	cmd.exe	98
PID 244 wrote to memory of 2496	244	cmd.exe	98
PID 244 wrote to memory of 2496	244	cmd.exe	98
PID 1304 wrote to memory of 1948	1304	0a7a9a7f98f1c04893b5225fada2f1c2.exe	100
PID 1304 wrote to memory of 1948	1304	0a7a9a7f98f1c04893b5225fada2f1c2.exe	100
PID 1304 wrote to memory of 1948	1304	0a7a9a7f98f1c04893b5225fada2f1c2.exe	100

C:\Users\Admin\AppData\Local\Temp\0a7a9a7f98f1c04893b5225fada2f1c2.exe
"C:\Users\Admin\AppData\Local\Temp\0a7a9a7f98f1c04893b5225fada2f1c2.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMHZYF.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\reg.exe
    REG ADD
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQuAP.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:244
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SVCOSTD" /t REG_SZ /d "C:\Users\Admin\updaterd\schostd.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2496
- C:\Users\Admin\updaterd\schostd.exe
  "C:\Users\Admin\updaterd\schostd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AMHZYF.bat

Filesize
161B

MD5
7a206e7118c90ba805346aee84b41e91

SHA1
2edcf2ee1cc7d6838486612f38a40ee2aae31dd1

SHA256
1c4bc5d8cdb67d898bdabca4d0489fe7b6b47409899a9113a1db81daf95e8a33

SHA512
64024585e71b97c88f5fe81d520b61e7d919d257b647503e611cb3d887aede222b77fb523269b12308c46a45abf1eb9780147dd51e270b6a90a036a3bb37ff30

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQuAP.bat

Filesize
127B

MD5
e3e411c61d1954c9dbcb1dcddd6e0576

SHA1
88db4956fb95b92056e8542cbbb9a9ce112090df

SHA256
b1a3d8ae0f4dd01c1647b37f23bcdd9bac036224995472e97683fe2aa76dd625

SHA512
4eecf9709a10c2e1a6906d5c95e268c3a1cf36e623cde9c0eb9e97d8abc8e5561b857be927b7bce14be9def8c2ca77b2871bb289050b4bbf1946046f1636adcc

Download Submit
C:\Users\Admin\updaterd\schostd.exe

Filesize
1.2MB

MD5
0a7a9a7f98f1c04893b5225fada2f1c2

SHA1
7a2efc197f2d6dadb60621174fb0c4a5085b8c41

SHA256
e8aed0c136cdb9bc4e945af74612a6acfe7f40345746f0ab30ade612a6d2c935

SHA512
c614909d57492f27dd3b0e1142755220487914b144da00bb28405f5cb20c452179d4a1b025a6df541c54c24cbcca3e46089458ac179e940d8998bd5369018c7b

Download Submit
C:\Users\Admin\updaterd\schostd.exe

Filesize
624KB

MD5
08c7c765c1cae23df01bfd006d94aa81

SHA1
1cda311013b6e32cc6609d61be65d836a4088837

SHA256
8c43015ce62700d03703e17f8841fbf6e61c9e728c8e7759e9f25daf9a0fdb53

SHA512
3a431fc948cab24907584f187d34592c5d9077d0a80de9ddedfe7a3844c0699cdae66b12300b0608519837ae3d3c6d2ea804c84faa2f0b183931e57ad64ff53d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads