f7285d4101b8f8d63c39bcf62c5b2b34e04070dfd87742b8a0a7dd4f4355fe5d

General

Target

c3fbec35aaacf4be04abee7c6e1bbfb7.exe
Size

139KB
MD5

c3fbec35aaacf4be04abee7c6e1bbfb7
SHA1

813f9bf98c1564a49ed33449667e4b0e6c7b30b3
SHA256

f7285d4101b8f8d63c39bcf62c5b2b34e04070dfd87742b8a0a7dd4f4355fe5d
SHA512

dd736a008d6ad100de467f0d8c493e419418dbbebfa26418cd5673a40a7bb37d7ea96ae097363ddb9d35e5276c30e8fde1a6772af498de839f3390c3858c32b3
SSDEEP

3072:TVE9+iA1EqQRKjcjVguzKHeambBEMdCeTVj3xZwMVepyq7:BitAVbkVgGIeambtCU9Vrq7

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2580 netsh.exe

pid	process
2580	netsh.exe

Drops startup file 4 IoCs

Processes:

uyksuq.exec3fbec35aaacf4be04abee7c6e1bbfb7.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smbki.exe	uyksuq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smbki.exe	uyksuq.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smbki.exe	c3fbec35aaacf4be04abee7c6e1bbfb7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smbki.exe	c3fbec35aaacf4be04abee7c6e1bbfb7.exe

Executes dropped EXE 2 IoCs

Processes:

uyksuq.exeuyksuq.exe

pid process

2968 uyksuq.exe
2896 uyksuq.exe
Loads dropped DLL 1 IoCs

Processes:

c3fbec35aaacf4be04abee7c6e1bbfb7.exe

pid process

1124 c3fbec35aaacf4be04abee7c6e1bbfb7.exe

pid	process
2968	uyksuq.exe
2896	uyksuq.exe

pid	process
1124	c3fbec35aaacf4be04abee7c6e1bbfb7.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

uyksuq.exec3fbec35aaacf4be04abee7c6e1bbfb7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vkycmhls = "C:\\Users\\Admin\\AppData\\Local\\uyksuq.exe"	uyksuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\vkycmhls = "C:\\Users\\Admin\\AppData\\Local\\uyksuq.exe"	uyksuq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vkycmhls = "C:\\Users\\Admin\\AppData\\Local\\uyksuq.exe"	c3fbec35aaacf4be04abee7c6e1bbfb7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\vkycmhls = "C:\\Users\\Admin\\AppData\\Local\\uyksuq.exe"	c3fbec35aaacf4be04abee7c6e1bbfb7.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c3fbec35aaacf4be04abee7c6e1bbfb7.exeuyksuq.exe

description	pid	process	target process
PID 844 set thread context of 1124	844	c3fbec35aaacf4be04abee7c6e1bbfb7.exe	c3fbec35aaacf4be04abee7c6e1bbfb7.exe
PID 2968 set thread context of 2896	2968	uyksuq.exe	uyksuq.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

c3fbec35aaacf4be04abee7c6e1bbfb7.exec3fbec35aaacf4be04abee7c6e1bbfb7.exeuyksuq.exe

description	pid	process	target process
PID 844 wrote to memory of 1124	844	c3fbec35aaacf4be04abee7c6e1bbfb7.exe	c3fbec35aaacf4be04abee7c6e1bbfb7.exe
PID 844 wrote to memory of 1124	844	c3fbec35aaacf4be04abee7c6e1bbfb7.exe	c3fbec35aaacf4be04abee7c6e1bbfb7.exe
PID 844 wrote to memory of 1124	844	c3fbec35aaacf4be04abee7c6e1bbfb7.exe	c3fbec35aaacf4be04abee7c6e1bbfb7.exe
PID 844 wrote to memory of 1124	844	c3fbec35aaacf4be04abee7c6e1bbfb7.exe	c3fbec35aaacf4be04abee7c6e1bbfb7.exe
PID 844 wrote to memory of 1124	844	c3fbec35aaacf4be04abee7c6e1bbfb7.exe	c3fbec35aaacf4be04abee7c6e1bbfb7.exe
PID 844 wrote to memory of 1124	844	c3fbec35aaacf4be04abee7c6e1bbfb7.exe	c3fbec35aaacf4be04abee7c6e1bbfb7.exe
PID 844 wrote to memory of 1124	844	c3fbec35aaacf4be04abee7c6e1bbfb7.exe	c3fbec35aaacf4be04abee7c6e1bbfb7.exe
PID 844 wrote to memory of 1124	844	c3fbec35aaacf4be04abee7c6e1bbfb7.exe	c3fbec35aaacf4be04abee7c6e1bbfb7.exe
PID 1124 wrote to memory of 2580	1124	c3fbec35aaacf4be04abee7c6e1bbfb7.exe	netsh.exe
PID 1124 wrote to memory of 2580	1124	c3fbec35aaacf4be04abee7c6e1bbfb7.exe	netsh.exe
PID 1124 wrote to memory of 2580	1124	c3fbec35aaacf4be04abee7c6e1bbfb7.exe	netsh.exe
PID 1124 wrote to memory of 2580	1124	c3fbec35aaacf4be04abee7c6e1bbfb7.exe	netsh.exe
PID 1124 wrote to memory of 2968	1124	c3fbec35aaacf4be04abee7c6e1bbfb7.exe	uyksuq.exe
PID 1124 wrote to memory of 2968	1124	c3fbec35aaacf4be04abee7c6e1bbfb7.exe	uyksuq.exe
PID 1124 wrote to memory of 2968	1124	c3fbec35aaacf4be04abee7c6e1bbfb7.exe	uyksuq.exe
PID 1124 wrote to memory of 2968	1124	c3fbec35aaacf4be04abee7c6e1bbfb7.exe	uyksuq.exe
PID 2968 wrote to memory of 2896	2968	uyksuq.exe	uyksuq.exe
PID 2968 wrote to memory of 2896	2968	uyksuq.exe	uyksuq.exe
PID 2968 wrote to memory of 2896	2968	uyksuq.exe	uyksuq.exe
PID 2968 wrote to memory of 2896	2968	uyksuq.exe	uyksuq.exe
PID 2968 wrote to memory of 2896	2968	uyksuq.exe	uyksuq.exe
PID 2968 wrote to memory of 2896	2968	uyksuq.exe	uyksuq.exe
PID 2968 wrote to memory of 2896	2968	uyksuq.exe	uyksuq.exe
PID 2968 wrote to memory of 2896	2968	uyksuq.exe	uyksuq.exe

C:\Users\Admin\AppData\Local\Temp\c3fbec35aaacf4be04abee7c6e1bbfb7.exe
"C:\Users\Admin\AppData\Local\Temp\c3fbec35aaacf4be04abee7c6e1bbfb7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Local\Temp\c3fbec35aaacf4be04abee7c6e1bbfb7.exe
C:\Users\Admin\AppData\Local\Temp\c3fbec35aaacf4be04abee7c6e1bbfb7.exe
2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram 1.exe 1 ENABLE
3⤵
- Modifies Windows Firewall
PID:2580

C:\Users\Admin\AppData\Local\uyksuq.exe
"C:\Users\Admin\AppData\Local\uyksuq.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\uyksuq.exe
C:\Users\Admin\AppData\Local\uyksuq.exe
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:2896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\uyksuq.exe
Filesize
139KB

MD5
c3fbec35aaacf4be04abee7c6e1bbfb7

SHA1
813f9bf98c1564a49ed33449667e4b0e6c7b30b3

SHA256
f7285d4101b8f8d63c39bcf62c5b2b34e04070dfd87742b8a0a7dd4f4355fe5d

SHA512
dd736a008d6ad100de467f0d8c493e419418dbbebfa26418cd5673a40a7bb37d7ea96ae097363ddb9d35e5276c30e8fde1a6772af498de839f3390c3858c32b3

Download Submit
memory/844-77-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/844-9-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/844-12-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/844-14-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/844-16-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/844-8-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/844-29-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1124-22-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1124-27-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1124-20-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1124-30-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1124-31-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1124-18-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1124-40-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1124-15-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2896-82-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2896-84-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2896-90-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2896-89-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2896-75-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2896-76-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2896-88-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2896-78-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2896-79-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2896-87-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2896-81-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2896-86-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2896-83-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2896-85-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2968-56-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2968-51-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2968-80-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2968-54-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2968-72-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2968-58-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads