b644b71318ac3f1a5c01249c65bcc490ef7cffe13925c1e8e200eecd91df6c9c

Analysis

max time kernel
0s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78db881af6d41d8ce120db6dfe104f24.exe
Size

2.4MB
MD5

78db881af6d41d8ce120db6dfe104f24
SHA1

1519b9fcc1f17b90a88acbfc089b5d2f76f21bad
SHA256

b644b71318ac3f1a5c01249c65bcc490ef7cffe13925c1e8e200eecd91df6c9c
SHA512

ea19d704961651c5fdac730f47b1470a9816dad13d9a3b67c6116eb6a778d8823a479d930676105172cea9fe235dd45f9993e12a228b984a43b5299a18866f58
SSDEEP

49152:d7K+TDiZtK4JnUTTbd7xnXTPTntYmzZfv+3nmRVHdA0IyDmAHA5Z4/:deLtKzRpX/tzVc0bIyawA5Z4/

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 8 IoCs

evasion

Windows Service

T1543.003

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	Process
548	netsh.exe
3864	netsh.exe
3300	netsh.exe
4820	netsh.exe
1888	netsh.exe
1812	netsh.exe
844	netsh.exe
3180	netsh.exe

Sets file to hidden 1 TTPs 5 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
116	attrib.exe
4268	attrib.exe
1780	attrib.exe
4544	attrib.exe
4316	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

78db881af6d41d8ce120db6dfe104f24.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	78db881af6d41d8ce120db6dfe104f24.exe

Drops file in Program Files directory 1 IoCs

Processes:

78db881af6d41d8ce120db6dfe104f24.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\setup.exe	78db881af6d41d8ce120db6dfe104f24.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid	Process
1012	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 5 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
264	taskkill.exe
4356	taskkill.exe
3224	taskkill.exe
4392	taskkill.exe
5040	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exe

pid	Process
3888	reg.exe
3248	reg.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid	Process
1860	regedit.exe

Runs net.exe

Views/modifies file attributes 1 TTPs 16 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
3956	attrib.exe
116	attrib.exe
4268	attrib.exe
1872	attrib.exe
840	attrib.exe
5072	attrib.exe
2188	attrib.exe
4316	attrib.exe
4940	attrib.exe
4824	attrib.exe
3584	attrib.exe
1780	attrib.exe
4992	attrib.exe
4544	attrib.exe
904	attrib.exe
1248	attrib.exe

C:\Users\Admin\AppData\Local\Temp\78db881af6d41d8ce120db6dfe104f24.exe
"C:\Users\Admin\AppData\Local\Temp\78db881af6d41d8ce120db6dfe104f24.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
PID:5052
- C:\Program Files (x86)\Company\NewProduct\setup.exe
  "C:\Program Files (x86)\Company\NewProduct\setup.exe"
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"
    3⤵
    PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      4⤵
      PID:4304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
    3⤵
    PID:4484

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im RManServer.exe
1⤵
- Kills process with taskkill
PID:264

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
1⤵
- Kills process with taskkill
PID:4356

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/block_reader.sys"
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:116

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\install.bat"
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop rserver3
1⤵
PID:2444

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rserver3.exe
1⤵
- Kills process with taskkill
PID:3224

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im r_server.exe
1⤵
- Kills process with taskkill
PID:4392

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im cam_server.exe
1⤵
- Kills process with taskkill
PID:5040

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Windows\SysWOW64\rserver30"
1⤵
- Views/modifies file attributes
PID:4940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Telnet
1⤵
PID:1988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Service Host Controller"
1⤵
PID:4768

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn security /f
1⤵
PID:1408

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="RealIP"
1⤵
- Modifies Windows Firewall
PID:1812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user HelpAssistant /delete
1⤵
PID:4896

C:\Windows\SysWOW64\net.exe
net user HelpAssistant /delete
1⤵
PID:2096

C:\Windows\SysWOW64\net.exe
net stop "Service Host Controller"
1⤵
PID:3192

C:\Windows\SysWOW64\sc.exe
sc config tlntsvr start= disabled
1⤵
- Launches sc.exe
PID:1012

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="Microsoft Outlook Express"
1⤵
- Modifies Windows Firewall
PID:844

C:\Windows\SysWOW64\net.exe
net stop Telnet
1⤵
PID:1156

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r "C:\Windows\SysWOW64\r_server.exe"
1⤵
- Views/modifies file attributes
PID:1872

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="Service Host Controller"
1⤵
- Modifies Windows Firewall
PID:3180

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r "C:\Windows\system32\r_server.exe"
1⤵
- Views/modifies file attributes
PID:4824

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Windows\system32\rserver30"
1⤵
- Views/modifies file attributes
PID:3584

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ß½πªí Windows"
1⤵
- Modifies Windows Firewall
PID:548

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r "C:\Windows\SysWOW64\cam_server.exe"
1⤵
- Views/modifies file attributes
PID:840

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r "C:\Windows\system32\cam_server.exe"
1⤵
- Views/modifies file attributes
PID:3956

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ºáñáτ Windows"
1⤵
- Modifies Windows Firewall
PID:3864

C:\Windows\SysWOW64\net.exe
net stop rserver3
1⤵
PID:1860

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete portopening tcp 57009
1⤵
- Modifies Windows Firewall
PID:3300

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\stop.js"
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1780

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="cam_server"
1⤵
- Modifies Windows Firewall
PID:4820

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/realip.exe"
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4544

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete portopening tcp 57011 all
1⤵
- Modifies Windows Firewall
PID:1888

C:\Windows\SysWOW64\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Ä»Ñαáµ¿«¡¡á∩ ß¿ßΓÑ¼á Microsoft Windows" /f
1⤵
- Modifies registry key
PID:3888

C:\Windows\SysWOW64\regedit.exe
regedit /s set.reg
1⤵
- Runs .reg file with regedit
PID:1860

C:\Windows\SysWOW64\catroot3\rutserv.exe
"rutserv.exe" /start
1⤵
PID:2936

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp\install.bat"
1⤵
- Views/modifies file attributes
PID:904

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp\stop.js"
1⤵
- Views/modifies file attributes
PID:5072

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/realip.exe"
1⤵
- Views/modifies file attributes
PID:2188

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/HookLib.dll"
1⤵
- Views/modifies file attributes
PID:1248

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/block_reader.sys"
1⤵
- Views/modifies file attributes
PID:4992

C:\Windows\SysWOW64\catroot3\rfusclient.exe
C:\Windows\SysWOW64\catroot3\rfusclient.exe /tray
1⤵
PID:3292

C:\Windows\SysWOW64\catroot3\rfusclient.exe
C:\Windows\SysWOW64\catroot3\rfusclient.exe
1⤵
PID:3584
- C:\Windows\SysWOW64\catroot3\rfusclient.exe
  C:\Windows\SysWOW64\catroot3\rfusclient.exe /tray
  2⤵
  PID:4120

C:\Windows\SysWOW64\catroot3\rutserv.exe
C:\Windows\SysWOW64\catroot3\rutserv.exe
1⤵
PID:4384

C:\Windows\SysWOW64\catroot3\rutserv.exe
"rutserv.exe" /firewall
1⤵
PID:4912

C:\Windows\SysWOW64\catroot3\rutserv.exe
"rutserv.exe" /silentinstall
1⤵
PID:532

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\System\CurrentControlSet\Services\RServer3" /f
1⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "cam_server.exe" /f
1⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v HelpAssistant /f
1⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Service Host Controller" /f
1⤵
- Modifies registry key
PID:3248

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Windows\System32\catroot3"
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4316

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
1⤵
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\setup.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/532-114-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/532-111-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/532-115-0x0000000000D70000-0x0000000000DC8000-memory.dmp

Filesize
352KB

Download
memory/532-110-0x0000000000D70000-0x0000000000DC8000-memory.dmp

Filesize
352KB

Download
memory/2936-128-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2936-151-0x0000000000880000-0x00000000008D8000-memory.dmp

Filesize
352KB

Download
memory/2936-150-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2936-127-0x0000000000880000-0x00000000008D8000-memory.dmp

Filesize
352KB

Download
memory/3292-152-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/3292-169-0x00000000008A0000-0x00000000008F8000-memory.dmp

Filesize
352KB

Download
memory/3292-147-0x00000000008A0000-0x00000000008F8000-memory.dmp

Filesize
352KB

Download
memory/3292-168-0x0000000000400000-0x000000000075E000-memory.dmp

Filesize
3.4MB

Download
memory/3292-177-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/3292-175-0x0000000000400000-0x000000000075E000-memory.dmp

Filesize
3.4MB

Download
memory/3292-195-0x0000000000400000-0x000000000075E000-memory.dmp

Filesize
3.4MB

Download
memory/3584-149-0x00000000008B0000-0x0000000000908000-memory.dmp

Filesize
352KB

Download
memory/3584-153-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/3584-178-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/3584-166-0x0000000000400000-0x000000000075E000-memory.dmp

Filesize
3.4MB

Download
memory/3584-167-0x00000000008B0000-0x0000000000908000-memory.dmp

Filesize
352KB

Download
memory/4120-162-0x0000000000400000-0x000000000075E000-memory.dmp

Filesize
3.4MB

Download
memory/4120-163-0x0000000000C10000-0x0000000000C68000-memory.dmp

Filesize
352KB

Download
memory/4120-161-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/4120-160-0x0000000000C10000-0x0000000000C68000-memory.dmp

Filesize
352KB

Download
memory/4384-170-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/4384-132-0x0000000000950000-0x00000000009A8000-memory.dmp

Filesize
352KB

Download
memory/4384-164-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/4384-133-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/4384-165-0x0000000000950000-0x00000000009A8000-memory.dmp

Filesize
352KB

Download
memory/4384-171-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/4384-180-0x0000000000950000-0x00000000009A8000-memory.dmp

Filesize
352KB

Download
memory/4384-179-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/4912-121-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/4912-120-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/4912-119-0x0000000000C80000-0x0000000000CD8000-memory.dmp

Filesize
352KB

Download
memory/4912-122-0x0000000000C80000-0x0000000000CD8000-memory.dmp

Filesize
352KB

Download
memory/5052-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download