33bdce66ac6ad180de0efd8c3bd99d487dea4603f0928244c2e19f21341a29f2

General

Target

rusik na kuhne.exe
Size

564KB
MD5

f44445aeb63e81045e17563a55e76f13
SHA1

7b5b8cba606b2d28236ae6801ca0e1be4b391455
SHA256

938cf550c7f4f125804d8a1d7bf9ea9ad72facedae6a01e776bff846f948e6dc
SHA512

3bde94299b855b57faaa2d1bb9e88ce693bbdf7a00d1849e45806e28c2d85afaa67e39f3ca774ab2993d7bc488904233745cf01321af26225c68da2e25d62b50
SSDEEP

12288:6pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqss3MMq:6pUNr6YkVRFkgbeqeo68FhqxMM

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xqrmcmuvhab.exe

Executes dropped EXE 1 IoCs

pid	Process
2172	xqrmcmuvhab.exe

Loads dropped DLL 2 IoCs

pid	Process
944	rusik na kuhne.exe
944	rusik na kuhne.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xqrmcmuvhab.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xqrmcmuvhab.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	whatismyipaddress.com
9	whatismyip.everdot.org
12	www.showmyipaddress.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
944	rusik na kuhne.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 2172	944	rusik na kuhne.exe	25
PID 944 wrote to memory of 2172	944	rusik na kuhne.exe	25
PID 944 wrote to memory of 2172	944	rusik na kuhne.exe	25
PID 944 wrote to memory of 2172	944	rusik na kuhne.exe	25

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xqrmcmuvhab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xqrmcmuvhab.exe

C:\Users\Admin\AppData\Local\Temp\rusik na kuhne.exe
"C:\Users\Admin\AppData\Local\Temp\rusik na kuhne.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:944
- C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
  "C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe" "c:\users\admin\appdata\local\temp\rusik na kuhne.exe*"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System policy modification
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\ouadfn.exe
    "C:\Users\Admin\AppData\Local\Temp\ouadfn.exe" "-C:\Users\Admin\AppData\Local\Temp\aqgtfxqjzigekkfu.exe"
    3⤵
    PID:2536
- - C:\Users\Admin\AppData\Local\Temp\ouadfn.exe
    "C:\Users\Admin\AppData\Local\Temp\ouadfn.exe" "-C:\Users\Admin\AppData\Local\Temp\aqgtfxqjzigekkfu.exe"
    3⤵
    PID:1888
- C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
  "C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe" "c:\users\admin\appdata\local\temp\rusik na kuhne.exe"
  2⤵
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe

Filesize
139KB

MD5
3005f371e00fc94280c5f6ebdb0d8c5f

SHA1
1d0e7e04b8c4e5b389b551c6f8dc88775ea8764f

SHA256
be8163763b92bb6d07d33180e452d00195919840ebaabf243d96e0783e411b03

SHA512
1fe9bd8d27bd46b1d08dcee22fc9fa5f8c0093c865b1b92947c1798ba039c7471ebe89def2005119be9c9772a78475158132510323974b9483bba83d9f37f1c2

Download Submit
C:\Users\Admin\AppData\Local\nqttsxdjmitexksuunpsvvuzf.okv

Filesize
280B

MD5
6311b2c2715e365ea21a3fac9d1416fb

SHA1
8a52992c4ebc94ab3c5f53707568ebb8979bb6b2

SHA256
efd94c250ecbe4dbdc2a434a893450eabfb90ff0fa35104f34ca4cac1311776c

SHA512
b4715b7eb368fd961be6a0f13e2d9566344f39aa9a25b368a791fb6b66a0e5aedda7723a99fca99288ef335f8d411ebd253386078c77603ec4b4e31fcf725080

Download Submit
C:\Windows\bundsnjfyklmvywoenf.exe

Filesize
85KB

MD5
3dc4db9e80f3bc3a17768f1ed549b433

SHA1
3709175e016f9566ba996c5359253319f3ebc790

SHA256
156f86a2967935cb64c18255c98d145a0466b31ff75b8fea0b76dc1f97e943ce

SHA512
4638f63e2b2293b1cd2225b54a71288fbc9c476d40b007ec53af8e917b7f45b4f6561a35cf16d13f31a559879c4a215d197d804fda59657a90764c27b8bb8d85

Download Submit
C:\Windows\hypdqjdxoyxwdeaqe.exe

Filesize
375KB

MD5
f6fe8aca43ea998bc6fe3facd5b0ac09

SHA1
a3cad09e9ac8af075da4ccd1a80d5deeffffa524

SHA256
da2c1ed9408c8eb445bbdfb64e68f3b61af7a01ae98f537c22f0702c01f7e161

SHA512
58b2e60de741e886f90a504fc9c5b00de008050d24f84c949fd3c766e2a47f5864099ca5341dccbcea32d8e685ab1709e65795241768733e0aeb1ab3748fa15d

Download Submit
\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe

Filesize
320KB

MD5
c4a958e22d338007beecedffeb5ff421

SHA1
927fcb6d0c14416839f00889191c42d8e7eb1a50

SHA256
11b14cdcdf9946aeac72ea871f0d5eac805a5cdd53dd490a013536934e46fadf

SHA512
a98852c16db9c4d7b33517e1b2165bfe678f17464688b40e18a8dccd6fb919372fbb14d541922a8532e1110ab0d62fbe5377935ba61ccc1d9dfe818b4e372b7a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads