c61409a910ee60ac110a326e4fee3a8609f50d4e072e760ea66c15a1584de855

General

Target

a72f659fd970d503ac88a81066e58c25.exe
Size

281KB
MD5

a72f659fd970d503ac88a81066e58c25
SHA1

42b015e9fc6f444afe513245a348568366b02c46
SHA256

c61409a910ee60ac110a326e4fee3a8609f50d4e072e760ea66c15a1584de855
SHA512

a2500f1d439753e9e53d2bca24ab608915eb75126e31247ae4858e7b62878335cacef8ea4c8c21c38213fdffb5c7b61987391393e90e9e96c0cb55a613fc2d75
SSDEEP

6144:Ib9kSqoncIHgp44tKAkG0nyaSDVR2r7flZNgpmPuIft6nv79/Ji:AhqoLb4tKAcRSDVRKjlZNgAue

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2492 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1708 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

locoto.exelocoto.exe

pid process

2592 locoto.exe
2656 locoto.exe
Loads dropped DLL 3 IoCs

Processes:

a72f659fd970d503ac88a81066e58c25.exelocoto.exe

pid process

1852 a72f659fd970d503ac88a81066e58c25.exe
1852 a72f659fd970d503ac88a81066e58c25.exe
2592 locoto.exe

pid	process
2492	netsh.exe

pid	process
1708	cmd.exe

pid	process
2592	locoto.exe
2656	locoto.exe

pid	process
1852	a72f659fd970d503ac88a81066e58c25.exe
1852	a72f659fd970d503ac88a81066e58c25.exe
2592	locoto.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

locoto.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\{EDFA00E0-A83F-5EA7-1A8B-324DD5F20897} = "C:\\Users\\Admin\\AppData\\Roaming\\Uma\\locoto.exe"	locoto.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a72f659fd970d503ac88a81066e58c25.exelocoto.exe

description	pid	process	target process
PID 1948 set thread context of 1852	1948	a72f659fd970d503ac88a81066e58c25.exe	a72f659fd970d503ac88a81066e58c25.exe
PID 2592 set thread context of 2656	2592	locoto.exe	locoto.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

locoto.exe

pid	process
2656	locoto.exe
2656	locoto.exe
2656	locoto.exe
2656	locoto.exe
2656	locoto.exe
2656	locoto.exe
2656	locoto.exe
2656	locoto.exe
2656	locoto.exe
2656	locoto.exe
2656	locoto.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a72f659fd970d503ac88a81066e58c25.exe

description pid process

Token: SeSecurityPrivilege 1852 a72f659fd970d503ac88a81066e58c25.exe

description	pid	process
Token: SeSecurityPrivilege	1852	a72f659fd970d503ac88a81066e58c25.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a72f659fd970d503ac88a81066e58c25.exea72f659fd970d503ac88a81066e58c25.execmd.exelocoto.exelocoto.exe

description	pid	process	target process
PID 1948 wrote to memory of 1852	1948	a72f659fd970d503ac88a81066e58c25.exe	a72f659fd970d503ac88a81066e58c25.exe
PID 1948 wrote to memory of 1852	1948	a72f659fd970d503ac88a81066e58c25.exe	a72f659fd970d503ac88a81066e58c25.exe
PID 1948 wrote to memory of 1852	1948	a72f659fd970d503ac88a81066e58c25.exe	a72f659fd970d503ac88a81066e58c25.exe
PID 1948 wrote to memory of 1852	1948	a72f659fd970d503ac88a81066e58c25.exe	a72f659fd970d503ac88a81066e58c25.exe
PID 1948 wrote to memory of 1852	1948	a72f659fd970d503ac88a81066e58c25.exe	a72f659fd970d503ac88a81066e58c25.exe
PID 1948 wrote to memory of 1852	1948	a72f659fd970d503ac88a81066e58c25.exe	a72f659fd970d503ac88a81066e58c25.exe
PID 1948 wrote to memory of 1852	1948	a72f659fd970d503ac88a81066e58c25.exe	a72f659fd970d503ac88a81066e58c25.exe
PID 1948 wrote to memory of 1852	1948	a72f659fd970d503ac88a81066e58c25.exe	a72f659fd970d503ac88a81066e58c25.exe
PID 1948 wrote to memory of 1852	1948	a72f659fd970d503ac88a81066e58c25.exe	a72f659fd970d503ac88a81066e58c25.exe
PID 1852 wrote to memory of 2488	1852	a72f659fd970d503ac88a81066e58c25.exe	cmd.exe
PID 1852 wrote to memory of 2488	1852	a72f659fd970d503ac88a81066e58c25.exe	cmd.exe
PID 1852 wrote to memory of 2488	1852	a72f659fd970d503ac88a81066e58c25.exe	cmd.exe
PID 1852 wrote to memory of 2488	1852	a72f659fd970d503ac88a81066e58c25.exe	cmd.exe
PID 1852 wrote to memory of 2592	1852	a72f659fd970d503ac88a81066e58c25.exe	locoto.exe
PID 1852 wrote to memory of 2592	1852	a72f659fd970d503ac88a81066e58c25.exe	locoto.exe
PID 1852 wrote to memory of 2592	1852	a72f659fd970d503ac88a81066e58c25.exe	locoto.exe
PID 1852 wrote to memory of 2592	1852	a72f659fd970d503ac88a81066e58c25.exe	locoto.exe
PID 2488 wrote to memory of 2492	2488	cmd.exe	netsh.exe
PID 2488 wrote to memory of 2492	2488	cmd.exe	netsh.exe
PID 2488 wrote to memory of 2492	2488	cmd.exe	netsh.exe
PID 2488 wrote to memory of 2492	2488	cmd.exe	netsh.exe
PID 2592 wrote to memory of 2656	2592	locoto.exe	locoto.exe
PID 2592 wrote to memory of 2656	2592	locoto.exe	locoto.exe
PID 2592 wrote to memory of 2656	2592	locoto.exe	locoto.exe
PID 2592 wrote to memory of 2656	2592	locoto.exe	locoto.exe
PID 2592 wrote to memory of 2656	2592	locoto.exe	locoto.exe
PID 2592 wrote to memory of 2656	2592	locoto.exe	locoto.exe
PID 2592 wrote to memory of 2656	2592	locoto.exe	locoto.exe
PID 2592 wrote to memory of 2656	2592	locoto.exe	locoto.exe
PID 2592 wrote to memory of 2656	2592	locoto.exe	locoto.exe
PID 1852 wrote to memory of 1708	1852	a72f659fd970d503ac88a81066e58c25.exe	cmd.exe
PID 1852 wrote to memory of 1708	1852	a72f659fd970d503ac88a81066e58c25.exe	cmd.exe
PID 1852 wrote to memory of 1708	1852	a72f659fd970d503ac88a81066e58c25.exe	cmd.exe
PID 1852 wrote to memory of 1708	1852	a72f659fd970d503ac88a81066e58c25.exe	cmd.exe
PID 2656 wrote to memory of 1060	2656	locoto.exe	taskhost.exe
PID 2656 wrote to memory of 1060	2656	locoto.exe	taskhost.exe
PID 2656 wrote to memory of 1060	2656	locoto.exe	taskhost.exe
PID 2656 wrote to memory of 1060	2656	locoto.exe	taskhost.exe
PID 2656 wrote to memory of 1060	2656	locoto.exe	taskhost.exe
PID 2656 wrote to memory of 1116	2656	locoto.exe	Dwm.exe
PID 2656 wrote to memory of 1116	2656	locoto.exe	Dwm.exe
PID 2656 wrote to memory of 1116	2656	locoto.exe	Dwm.exe
PID 2656 wrote to memory of 1116	2656	locoto.exe	Dwm.exe
PID 2656 wrote to memory of 1116	2656	locoto.exe	Dwm.exe
PID 2656 wrote to memory of 1144	2656	locoto.exe	Explorer.EXE
PID 2656 wrote to memory of 1144	2656	locoto.exe	Explorer.EXE
PID 2656 wrote to memory of 1144	2656	locoto.exe	Explorer.EXE
PID 2656 wrote to memory of 1144	2656	locoto.exe	Explorer.EXE
PID 2656 wrote to memory of 1144	2656	locoto.exe	Explorer.EXE
PID 2656 wrote to memory of 1248	2656	locoto.exe	DllHost.exe
PID 2656 wrote to memory of 1248	2656	locoto.exe	DllHost.exe
PID 2656 wrote to memory of 1248	2656	locoto.exe	DllHost.exe
PID 2656 wrote to memory of 1248	2656	locoto.exe	DllHost.exe
PID 2656 wrote to memory of 1248	2656	locoto.exe	DllHost.exe
PID 2656 wrote to memory of 1720	2656	locoto.exe	DllHost.exe
PID 2656 wrote to memory of 1720	2656	locoto.exe	DllHost.exe
PID 2656 wrote to memory of 1720	2656	locoto.exe	DllHost.exe
PID 2656 wrote to memory of 1720	2656	locoto.exe	DllHost.exe
PID 2656 wrote to memory of 1720	2656	locoto.exe	DllHost.exe
PID 2656 wrote to memory of 1204	2656	locoto.exe	DllHost.exe
PID 2656 wrote to memory of 1204	2656	locoto.exe	DllHost.exe
PID 2656 wrote to memory of 1204	2656	locoto.exe	DllHost.exe
PID 2656 wrote to memory of 1204	2656	locoto.exe	DllHost.exe
PID 2656 wrote to memory of 1204	2656	locoto.exe	DllHost.exe

C:\Users\Admin\AppData\Local\Temp\a72f659fd970d503ac88a81066e58c25.exe
"C:\Users\Admin\AppData\Local\Temp\a72f659fd970d503ac88a81066e58c25.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Temp\a72f659fd970d503ac88a81066e58c25.exe
"C:\Users\Admin\AppData\Local\Temp\a72f659fd970d503ac88a81066e58c25.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2be716df.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Uma\locoto.exe"
4⤵
- Modifies Windows Firewall
PID:2492

C:\Users\Admin\AppData\Roaming\Uma\locoto.exe
"C:\Users\Admin\AppData\Roaming\Uma\locoto.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2592

C:\Users\Admin\AppData\Roaming\Uma\locoto.exe
"C:\Users\Admin\AppData\Roaming\Uma\locoto.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6e868073.bat"
3⤵
- Deletes itself
PID:1708

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1144

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1116

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1060

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1248

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1720

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1204

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2be716df.bat
Filesize
199B

MD5
a8e2ce5599b44c565f95302225a9d55d

SHA1
62f388b7b3958fb8351df6500053c044b902d7f0

SHA256
ab1ccb4f31dc706891db087c75453c5f53c1b7f9f3c0f370e4043c766eabfcc1

SHA512
6a30ed7ad53154ff462538c40a30da883a5291c3ed37330ef3064163a6fe791455ed3abf45aa56227f14904fb36a9869f138e1d02516c6c7d7f0585e5fdfa302

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6e868073.bat
Filesize
243B

MD5
0ed0ef1de09f39f543f49b981f2dc270

SHA1
dafa3a3e9edc6123a148158a72352c67e54d4156

SHA256
b2116a1ac007df777bdbc0bb3270acad5690f128cb747cbcd12416835dc83daf

SHA512
54d6a2517dd5d08b5f9412ad03d68c0ee11ee60bc4731fb7be55041ea9aba329c7dae238c599cc09b985a9b85759fb67deaf3a4c35cd7794026f80b416abc3bd

Download Submit
\Users\Admin\AppData\Roaming\Uma\locoto.exe
Filesize
281KB

MD5
5b5091825f7077226db208b5737b7a1b

SHA1
918c64971274da03fce68c6bca0d3591cdfbd020

SHA256
c41d1dae2154b2c1c13ffe942486a2266d4e772c0771f8f19b57d4b3187de11d

SHA512
640fbfd841d241c4eb7df2f3c9e33f64dc8aa5fb2e3fec98fa4630f79437519bd362e12aefdea9f6e9c085d119e6e335cd4aa5daa8786da450c12b66ab221525

Download Submit
memory/1060-63-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1060-61-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1060-62-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1060-64-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1116-69-0x0000000001EE0000-0x0000000001F07000-memory.dmp

Filesize
156KB

Download
memory/1116-66-0x0000000001EE0000-0x0000000001F07000-memory.dmp

Filesize
156KB

Download
memory/1116-68-0x0000000001EE0000-0x0000000001F07000-memory.dmp

Filesize
156KB

Download
memory/1116-67-0x0000000001EE0000-0x0000000001F07000-memory.dmp

Filesize
156KB

Download
memory/1144-74-0x0000000002DA0000-0x0000000002DC7000-memory.dmp

Filesize
156KB

Download
memory/1144-73-0x0000000002DA0000-0x0000000002DC7000-memory.dmp

Filesize
156KB

Download
memory/1144-72-0x0000000002DA0000-0x0000000002DC7000-memory.dmp

Filesize
156KB

Download
memory/1144-71-0x0000000002DA0000-0x0000000002DC7000-memory.dmp

Filesize
156KB

Download
memory/1852-15-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1852-10-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1852-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1852-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1852-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1852-7-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1852-16-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1852-44-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1852-13-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1852-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1852-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1948-1-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/1948-0-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/2592-30-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2592-29-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2656-78-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2656-75-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2656-77-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2656-81-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2656-76-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2656-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2656-58-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2656-79-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2656-80-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2656-100-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads