77708139f01b4743b67b477e08cd71477d88fbf7c97f9ef637aebfba9cc70d05

General

Target

966a691b3369a8b09dfa46eaa0dcfc5f.exe
Size

216KB
MD5

966a691b3369a8b09dfa46eaa0dcfc5f
SHA1

49a05cf0a646ae3b831466e2c239a0fdf5bb2e47
SHA256

77708139f01b4743b67b477e08cd71477d88fbf7c97f9ef637aebfba9cc70d05
SHA512

d73ebb7edae9c205ef2b447f49110f94ad25a54915a86d1d6c03e87f3b5085ca9354dca9dc87e9b271f8c7704342115a3d6544b23c3e76a2e09ab85715608e44
SSDEEP

6144:m7yT0s131e1LyYpCmuL1HR3dnZ+WiaD0gzO/o:xAst1e9pCmuZHN+WiaD0gzO

Score

8^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1912	netsh.exe
212	netsh.exe
4480	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\966a691b3369a8b09dfa46eaa0dcfc5f.exe	966a691b3369a8b09dfa46eaa0dcfc5f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\966a691b3369a8b09dfa46eaa0dcfc5f.exe	966a691b3369a8b09dfa46eaa0dcfc5f.exe

Executes dropped EXE 1 IoCs

pid	Process
4344	966a691b3369a8b09dfa46eaa0dcfc5f.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	966a691b3369a8b09dfa46eaa0dcfc5f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	966a691b3369a8b09dfa46eaa0dcfc5f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5084	966a691b3369a8b09dfa46eaa0dcfc5f.exe
4344	966a691b3369a8b09dfa46eaa0dcfc5f.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 4344	5084	966a691b3369a8b09dfa46eaa0dcfc5f.exe	84
PID 5084 wrote to memory of 4344	5084	966a691b3369a8b09dfa46eaa0dcfc5f.exe	84
PID 5084 wrote to memory of 4344	5084	966a691b3369a8b09dfa46eaa0dcfc5f.exe	84
PID 4344 wrote to memory of 1012	4344	966a691b3369a8b09dfa46eaa0dcfc5f.exe	85
PID 4344 wrote to memory of 1012	4344	966a691b3369a8b09dfa46eaa0dcfc5f.exe	85
PID 4344 wrote to memory of 1012	4344	966a691b3369a8b09dfa46eaa0dcfc5f.exe	85
PID 1012 wrote to memory of 1912	1012	cmd.exe	87
PID 1012 wrote to memory of 1912	1012	cmd.exe	87
PID 1012 wrote to memory of 1912	1012	cmd.exe	87
PID 4344 wrote to memory of 3792	4344	966a691b3369a8b09dfa46eaa0dcfc5f.exe	88
PID 4344 wrote to memory of 3792	4344	966a691b3369a8b09dfa46eaa0dcfc5f.exe	88
PID 4344 wrote to memory of 3792	4344	966a691b3369a8b09dfa46eaa0dcfc5f.exe	88
PID 3792 wrote to memory of 212	3792	cmd.exe	90
PID 3792 wrote to memory of 212	3792	cmd.exe	90
PID 3792 wrote to memory of 212	3792	cmd.exe	90
PID 4344 wrote to memory of 3636	4344	966a691b3369a8b09dfa46eaa0dcfc5f.exe	99
PID 4344 wrote to memory of 3636	4344	966a691b3369a8b09dfa46eaa0dcfc5f.exe	99
PID 4344 wrote to memory of 3636	4344	966a691b3369a8b09dfa46eaa0dcfc5f.exe	99
PID 3636 wrote to memory of 4480	3636	cmd.exe	101
PID 3636 wrote to memory of 4480	3636	cmd.exe	101
PID 3636 wrote to memory of 4480	3636	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\966a691b3369a8b09dfa46eaa0dcfc5f.exe
"C:\Users\Admin\AppData\Local\Temp\966a691b3369a8b09dfa46eaa0dcfc5f.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Users\Admin\AppData\Local\Temp\jiii\966a691b3369a8b09dfa46eaa0dcfc5f.exe
  "C:\Users\Admin\AppData\Local\Temp\jiii\966a691b3369a8b09dfa46eaa0dcfc5f.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiii\dsqnfnl.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram program="C:\Users\Admin\AppData\Local\Temp\jiii\966a691b3369a8b09dfa46eaa0dcfc5f.exe" profile=All
      4⤵
      Modifies Windows Firewall
      PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiii\pcimqubb.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Windows\SysWOW64\netsh.exe
      netsh.exe firewall add allowedprogram PROGRAM="C:\Users\Admin\AppData\Local\Temp\jiii\966a691b3369a8b09dfa46eaa0dcfc5f.exe" NAME="lvideo" MODE=ENABLE PROFILE=ALL
      4⤵
      Modifies Windows Firewall
      PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiii\svoscfevuu.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram program="C:\Users\Admin\AppData\Local\Temp\jiii\966a691b3369a8b09dfa46eaa0dcfc5f.exe" profile=All
      4⤵
      Modifies Windows Firewall
      PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jiii\966a691b3369a8b09dfa46eaa0dcfc5f.exe

Filesize
216KB

MD5
966a691b3369a8b09dfa46eaa0dcfc5f

SHA1
49a05cf0a646ae3b831466e2c239a0fdf5bb2e47

SHA256
77708139f01b4743b67b477e08cd71477d88fbf7c97f9ef637aebfba9cc70d05

SHA512
d73ebb7edae9c205ef2b447f49110f94ad25a54915a86d1d6c03e87f3b5085ca9354dca9dc87e9b271f8c7704342115a3d6544b23c3e76a2e09ab85715608e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiii\dsqnfnl.bat

Filesize
198B

MD5
e9c4cc6cf3747cb61eb572e84bb8ec3a

SHA1
2739079fd0c2b2f49c4c68fb40e822e34d1810fc

SHA256
dd9c550fde09240d68da30255a6b7b5ae2e138ef17333d79739b835a9eb61e43

SHA512
f16f686bebcc7d4b2fd91a4089c3cb2a1631425b06ab7f07e36b2758d3fdec62be36e2e6da2d929fd2925e5c5d3a6928e0d8488c0f7f77f701b76c6fd2fd49be

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiii\pcimqubb.bat

Filesize
226B

MD5
336bb0fa02b67998fe4584934b98a233

SHA1
3f391fa0ce6db4a167a95def7758c18f695453d8

SHA256
b67ef48768fb80fe24f47426fbf9e342af6bf4c8c020ff74aa10a815c6cc4c9b

SHA512
c60a42a5b5d47f80301a617b89871b19d0a77af1cffa9ddb848b9f7b1147e5ef126cc3f305a31f5b384df1218b5635eb464dc5c70e46528eed78cf89fa085f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiii\svoscfevuu.bat

Filesize
201B

MD5
cc4c3093ba22a493b3489cd5c67a2f39

SHA1
908a23d7a43e59f03c2ae9125ab27f81afb69fb8

SHA256
b904571278ff1eadb4e0277c2a1a5a828a48785624140b3205fffb8ab7f3062f

SHA512
77d6f427c73b5695218e5217eeec3a4164ccbe843acb85377d318298d9e1d7090ed2ddbdd7da23f8aba0f3f5ef470524efb730dd5d08995e69df9cb697000189

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads