e0c323c48aaec3bf5f1397d8929b8ae727f2dac20a48215e10b3b754a1995a15

General

Target

a2c15fc027723de315fadd0f7b16984e.exe
Size

233KB
MD5

a2c15fc027723de315fadd0f7b16984e
SHA1

921488fbc3a6f16acb20d2799336c34779a88dde
SHA256

e0c323c48aaec3bf5f1397d8929b8ae727f2dac20a48215e10b3b754a1995a15
SHA512

d8f0b4f5a69ec960c19cf5d5090973e86a08a28dad02b671bfd9f868fff6fa13a60973c422dfc719409b048b4046de5333b4a7b66dca0632169e91da49e04542
SSDEEP

3072:qqazJDkKwwRMlmvKCKra8OA/xR11d34rIpUdc6aGy/VXx1pJRFMczcXNvMs3:Y5txRMgpKrrf/xR11F4rldLShMczgOs3

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

468 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

876 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

tougyk.exetougyk.exe

pid process

2376 tougyk.exe
2780 tougyk.exe
Loads dropped DLL 2 IoCs

Processes:

a2c15fc027723de315fadd0f7b16984e.exe

pid process

2452 a2c15fc027723de315fadd0f7b16984e.exe
2452 a2c15fc027723de315fadd0f7b16984e.exe

pid	process
468	netsh.exe

pid	process
876	cmd.exe

pid	process
2376	tougyk.exe
2780	tougyk.exe

pid	process
2452	a2c15fc027723de315fadd0f7b16984e.exe
2452	a2c15fc027723de315fadd0f7b16984e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tougyk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\{0C9713E0-A813-5EA7-DBF4-795B22144381} = "C:\\Users\\Admin\\AppData\\Roaming\\Otuf\\tougyk.exe"	tougyk.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a2c15fc027723de315fadd0f7b16984e.exetougyk.exe

description	pid	process	target process
PID 2676 set thread context of 2452	2676	a2c15fc027723de315fadd0f7b16984e.exe	a2c15fc027723de315fadd0f7b16984e.exe
PID 2376 set thread context of 2780	2376	tougyk.exe	tougyk.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

tougyk.exe

pid	process
2780	tougyk.exe
2780	tougyk.exe
2780	tougyk.exe
2780	tougyk.exe
2780	tougyk.exe
2780	tougyk.exe
2780	tougyk.exe
2780	tougyk.exe
2780	tougyk.exe
2780	tougyk.exe
2780	tougyk.exe
2780	tougyk.exe
2780	tougyk.exe
2780	tougyk.exe
2780	tougyk.exe
2780	tougyk.exe
2780	tougyk.exe
2780	tougyk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a2c15fc027723de315fadd0f7b16984e.exe

description pid process

Token: SeSecurityPrivilege 2452 a2c15fc027723de315fadd0f7b16984e.exe

description	pid	process
Token: SeSecurityPrivilege	2452	a2c15fc027723de315fadd0f7b16984e.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a2c15fc027723de315fadd0f7b16984e.exea2c15fc027723de315fadd0f7b16984e.execmd.exetougyk.exetougyk.exe

description	pid	process	target process
PID 2676 wrote to memory of 2452	2676	a2c15fc027723de315fadd0f7b16984e.exe	a2c15fc027723de315fadd0f7b16984e.exe
PID 2676 wrote to memory of 2452	2676	a2c15fc027723de315fadd0f7b16984e.exe	a2c15fc027723de315fadd0f7b16984e.exe
PID 2676 wrote to memory of 2452	2676	a2c15fc027723de315fadd0f7b16984e.exe	a2c15fc027723de315fadd0f7b16984e.exe
PID 2676 wrote to memory of 2452	2676	a2c15fc027723de315fadd0f7b16984e.exe	a2c15fc027723de315fadd0f7b16984e.exe
PID 2676 wrote to memory of 2452	2676	a2c15fc027723de315fadd0f7b16984e.exe	a2c15fc027723de315fadd0f7b16984e.exe
PID 2676 wrote to memory of 2452	2676	a2c15fc027723de315fadd0f7b16984e.exe	a2c15fc027723de315fadd0f7b16984e.exe
PID 2676 wrote to memory of 2452	2676	a2c15fc027723de315fadd0f7b16984e.exe	a2c15fc027723de315fadd0f7b16984e.exe
PID 2676 wrote to memory of 2452	2676	a2c15fc027723de315fadd0f7b16984e.exe	a2c15fc027723de315fadd0f7b16984e.exe
PID 2676 wrote to memory of 2452	2676	a2c15fc027723de315fadd0f7b16984e.exe	a2c15fc027723de315fadd0f7b16984e.exe
PID 2452 wrote to memory of 1876	2452	a2c15fc027723de315fadd0f7b16984e.exe	cmd.exe
PID 2452 wrote to memory of 1876	2452	a2c15fc027723de315fadd0f7b16984e.exe	cmd.exe
PID 2452 wrote to memory of 1876	2452	a2c15fc027723de315fadd0f7b16984e.exe	cmd.exe
PID 2452 wrote to memory of 1876	2452	a2c15fc027723de315fadd0f7b16984e.exe	cmd.exe
PID 2452 wrote to memory of 2376	2452	a2c15fc027723de315fadd0f7b16984e.exe	tougyk.exe
PID 2452 wrote to memory of 2376	2452	a2c15fc027723de315fadd0f7b16984e.exe	tougyk.exe
PID 2452 wrote to memory of 2376	2452	a2c15fc027723de315fadd0f7b16984e.exe	tougyk.exe
PID 2452 wrote to memory of 2376	2452	a2c15fc027723de315fadd0f7b16984e.exe	tougyk.exe
PID 1876 wrote to memory of 468	1876	cmd.exe	netsh.exe
PID 1876 wrote to memory of 468	1876	cmd.exe	netsh.exe
PID 1876 wrote to memory of 468	1876	cmd.exe	netsh.exe
PID 1876 wrote to memory of 468	1876	cmd.exe	netsh.exe
PID 2376 wrote to memory of 2780	2376	tougyk.exe	tougyk.exe
PID 2376 wrote to memory of 2780	2376	tougyk.exe	tougyk.exe
PID 2376 wrote to memory of 2780	2376	tougyk.exe	tougyk.exe
PID 2376 wrote to memory of 2780	2376	tougyk.exe	tougyk.exe
PID 2376 wrote to memory of 2780	2376	tougyk.exe	tougyk.exe
PID 2376 wrote to memory of 2780	2376	tougyk.exe	tougyk.exe
PID 2376 wrote to memory of 2780	2376	tougyk.exe	tougyk.exe
PID 2376 wrote to memory of 2780	2376	tougyk.exe	tougyk.exe
PID 2376 wrote to memory of 2780	2376	tougyk.exe	tougyk.exe
PID 2452 wrote to memory of 876	2452	a2c15fc027723de315fadd0f7b16984e.exe	cmd.exe
PID 2452 wrote to memory of 876	2452	a2c15fc027723de315fadd0f7b16984e.exe	cmd.exe
PID 2452 wrote to memory of 876	2452	a2c15fc027723de315fadd0f7b16984e.exe	cmd.exe
PID 2452 wrote to memory of 876	2452	a2c15fc027723de315fadd0f7b16984e.exe	cmd.exe
PID 2780 wrote to memory of 1224	2780	tougyk.exe	taskhost.exe
PID 2780 wrote to memory of 1224	2780	tougyk.exe	taskhost.exe
PID 2780 wrote to memory of 1224	2780	tougyk.exe	taskhost.exe
PID 2780 wrote to memory of 1224	2780	tougyk.exe	taskhost.exe
PID 2780 wrote to memory of 1224	2780	tougyk.exe	taskhost.exe
PID 2780 wrote to memory of 1308	2780	tougyk.exe	Dwm.exe
PID 2780 wrote to memory of 1308	2780	tougyk.exe	Dwm.exe
PID 2780 wrote to memory of 1308	2780	tougyk.exe	Dwm.exe
PID 2780 wrote to memory of 1308	2780	tougyk.exe	Dwm.exe
PID 2780 wrote to memory of 1308	2780	tougyk.exe	Dwm.exe
PID 2780 wrote to memory of 1368	2780	tougyk.exe	Explorer.EXE
PID 2780 wrote to memory of 1368	2780	tougyk.exe	Explorer.EXE
PID 2780 wrote to memory of 1368	2780	tougyk.exe	Explorer.EXE
PID 2780 wrote to memory of 1368	2780	tougyk.exe	Explorer.EXE
PID 2780 wrote to memory of 1368	2780	tougyk.exe	Explorer.EXE
PID 2780 wrote to memory of 3036	2780	tougyk.exe	DllHost.exe
PID 2780 wrote to memory of 3036	2780	tougyk.exe	DllHost.exe
PID 2780 wrote to memory of 3036	2780	tougyk.exe	DllHost.exe
PID 2780 wrote to memory of 3036	2780	tougyk.exe	DllHost.exe
PID 2780 wrote to memory of 3036	2780	tougyk.exe	DllHost.exe
PID 2780 wrote to memory of 1636	2780	tougyk.exe	DllHost.exe
PID 2780 wrote to memory of 1636	2780	tougyk.exe	DllHost.exe
PID 2780 wrote to memory of 1636	2780	tougyk.exe	DllHost.exe
PID 2780 wrote to memory of 1636	2780	tougyk.exe	DllHost.exe
PID 2780 wrote to memory of 1636	2780	tougyk.exe	DllHost.exe
PID 2780 wrote to memory of 928	2780	tougyk.exe	DllHost.exe
PID 2780 wrote to memory of 928	2780	tougyk.exe	DllHost.exe
PID 2780 wrote to memory of 928	2780	tougyk.exe	DllHost.exe
PID 2780 wrote to memory of 928	2780	tougyk.exe	DllHost.exe
PID 2780 wrote to memory of 928	2780	tougyk.exe	DllHost.exe

C:\Users\Admin\AppData\Local\Temp\a2c15fc027723de315fadd0f7b16984e.exe
"C:\Users\Admin\AppData\Local\Temp\a2c15fc027723de315fadd0f7b16984e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Local\Temp\a2c15fc027723de315fadd0f7b16984e.exe
"C:\Users\Admin\AppData\Local\Temp\a2c15fc027723de315fadd0f7b16984e.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpaca6f17c.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Otuf\tougyk.exe"
4⤵
- Modifies Windows Firewall
PID:468

C:\Users\Admin\AppData\Roaming\Otuf\tougyk.exe
"C:\Users\Admin\AppData\Roaming\Otuf\tougyk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2376

C:\Users\Admin\AppData\Roaming\Otuf\tougyk.exe
"C:\Users\Admin\AppData\Roaming\Otuf\tougyk.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp56c963c7.bat"
3⤵
- Deletes itself
PID:876

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1308

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1224

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3036

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp56c963c7.bat
Filesize
243B

MD5
16c2ca31f5b527b8d5b9c85fce1b3951

SHA1
8856ee3438148fa2345bb202ee54297cfee1be41

SHA256
454c9b28ba708566c114e34e77a36b6f6fff61a882a2d404797b7be788077c61

SHA512
5a51af79d59d44b70b49bd1bb3fc4b9eacc2acfa769835b596b7ff719d5832a941097ff40df3d129219a7b8c055dde04acb59b0c9e268b9e72930d8a6d6f7356

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaca6f17c.bat
Filesize
200B

MD5
ac327d11b5ef164e86d8ffdea7ded529

SHA1
1e9a947fdde29d4653760f4d675cfe48b14caac2

SHA256
e9c64ceda95edb89ed25bbb05c99f3d57605dd5c5b7246c411f07a9026095d17

SHA512
c5e37d736a7e20bb8fd04f67ec100e1b1fd75c84eeb9b1162bcc4fdd4d5b7db2596f221765a739d265f2757ec0c52168cfc0b33b293112961c8188b72df7f732

Download Submit
\Users\Admin\AppData\Roaming\Otuf\tougyk.exe
Filesize
233KB

MD5
1e6c7f5b2a422ea35324688cfe35b8b4

SHA1
30644272510443b4bd33eeff7cec95703bdb8d94

SHA256
7e60819612b2c0f73da443cfac7a6d0c85b52af3c5be6609d76de4974c4701b2

SHA512
353eee451cd0fecc58cdfc871975018948047cc482f2283ed120ef4b2e3c882bdd88702d55c5b6f1a58af06e15069c0d88016a566c3aa8e300410e777232462e

Download Submit
memory/1224-56-0x0000000001FF0000-0x0000000002017000-memory.dmp

Filesize
156KB

Download
memory/1224-57-0x0000000001FF0000-0x0000000002017000-memory.dmp

Filesize
156KB

Download
memory/1224-59-0x0000000001FF0000-0x0000000002017000-memory.dmp

Filesize
156KB

Download
memory/1224-58-0x0000000001FF0000-0x0000000002017000-memory.dmp

Filesize
156KB

Download
memory/1308-63-0x0000000001BA0000-0x0000000001BC7000-memory.dmp

Filesize
156KB

Download
memory/1308-62-0x0000000001BA0000-0x0000000001BC7000-memory.dmp

Filesize
156KB

Download
memory/1308-64-0x0000000001BA0000-0x0000000001BC7000-memory.dmp

Filesize
156KB

Download
memory/1308-61-0x0000000001BA0000-0x0000000001BC7000-memory.dmp

Filesize
156KB

Download
memory/1368-66-0x00000000025E0000-0x0000000002607000-memory.dmp

Filesize
156KB

Download
memory/1368-68-0x00000000025E0000-0x0000000002607000-memory.dmp

Filesize
156KB

Download
memory/1368-69-0x00000000025E0000-0x0000000002607000-memory.dmp

Filesize
156KB

Download
memory/1368-67-0x00000000025E0000-0x0000000002607000-memory.dmp

Filesize
156KB

Download
memory/2376-29-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2376-30-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2452-43-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2452-13-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2452-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2452-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2452-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2452-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2452-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2452-7-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2452-10-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2452-16-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2452-15-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2452-14-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2676-1-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2676-0-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2780-74-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2780-75-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2780-54-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2780-71-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2780-72-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2780-73-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2780-70-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2780-53-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2780-76-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2780-104-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3036-79-0x00000000027F0000-0x0000000002817000-memory.dmp

Filesize
156KB

Download
memory/3036-80-0x00000000027F0000-0x0000000002817000-memory.dmp

Filesize
156KB

Download
memory/3036-81-0x00000000027F0000-0x0000000002817000-memory.dmp

Filesize
156KB

Download
memory/3036-78-0x00000000027F0000-0x0000000002817000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads