336e0323e0a9004fd9ea30eb348d0b669ed70c7a61c77c51d6485525e03d535d

General

Target

cd9ccb3e7af60cb025e7b219fa417028.exe
Size

379KB
MD5

cd9ccb3e7af60cb025e7b219fa417028
SHA1

17c91cb6345a5d37330ba73305f546166114fe2e
SHA256

336e0323e0a9004fd9ea30eb348d0b669ed70c7a61c77c51d6485525e03d535d
SHA512

b0b85789a9160c2974063169b20c2f7add837aa244449c4c0cfcddddb6d0e579caa35f4a95526b05b34197fd4d4566a8a878bb123a83763a2b9b320489e79ee2
SSDEEP

6144:Sg0Vb/ZPiiFvbPidy5tgsLzpBNWP1ZCOLkErCaehJou58o3jo4eVH:wbhPii5iyxLzNsZxLkHhJpqo3hep

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4204	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
4060	update.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pcn.exe = "C:\\WINDOWS\\pcn.exe"	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchosts.exe = "C:\\WINDOWS\\msagent\\agtintl\\svchosts.exe"	cd9ccb3e7af60cb025e7b219fa417028.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pcn.exe = "C:\\WINDOWS\\pcn.exe"	cd9ccb3e7af60cb025e7b219fa417028.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchosts.exe = "C:\\WINDOWS\\msagent\\agtintl\\svchosts.exe"	update.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\ice.bat	cd9ccb3e7af60cb025e7b219fa417028.exe
File created	C:\WINDOWS\msagent\agtintl\update.exe	cd9ccb3e7af60cb025e7b219fa417028.exe
File opened for modification	C:\WINDOWS\msagent\agtintl\update.exe	cd9ccb3e7af60cb025e7b219fa417028.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
452	sc.exe
4324	sc.exe
3396	sc.exe
4440	sc.exe
1584	sc.exe
2656	sc.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 3096	1680	cd9ccb3e7af60cb025e7b219fa417028.exe	89
PID 1680 wrote to memory of 3096	1680	cd9ccb3e7af60cb025e7b219fa417028.exe	89
PID 1680 wrote to memory of 3096	1680	cd9ccb3e7af60cb025e7b219fa417028.exe	89
PID 3096 wrote to memory of 4204	3096	cmd.exe	91
PID 3096 wrote to memory of 4204	3096	cmd.exe	91
PID 3096 wrote to memory of 4204	3096	cmd.exe	91
PID 3096 wrote to memory of 452	3096	cmd.exe	95
PID 3096 wrote to memory of 452	3096	cmd.exe	95
PID 3096 wrote to memory of 452	3096	cmd.exe	95
PID 3096 wrote to memory of 4324	3096	cmd.exe	96
PID 3096 wrote to memory of 4324	3096	cmd.exe	96
PID 3096 wrote to memory of 4324	3096	cmd.exe	96
PID 3096 wrote to memory of 3396	3096	cmd.exe	97
PID 3096 wrote to memory of 3396	3096	cmd.exe	97
PID 3096 wrote to memory of 3396	3096	cmd.exe	97
PID 3096 wrote to memory of 4440	3096	cmd.exe	98
PID 3096 wrote to memory of 4440	3096	cmd.exe	98
PID 3096 wrote to memory of 4440	3096	cmd.exe	98
PID 3096 wrote to memory of 1584	3096	cmd.exe	99
PID 3096 wrote to memory of 1584	3096	cmd.exe	99
PID 3096 wrote to memory of 1584	3096	cmd.exe	99
PID 3096 wrote to memory of 2656	3096	cmd.exe	100
PID 3096 wrote to memory of 2656	3096	cmd.exe	100
PID 3096 wrote to memory of 2656	3096	cmd.exe	100
PID 1680 wrote to memory of 4060	1680	cd9ccb3e7af60cb025e7b219fa417028.exe	102
PID 1680 wrote to memory of 4060	1680	cd9ccb3e7af60cb025e7b219fa417028.exe	102
PID 1680 wrote to memory of 4060	1680	cd9ccb3e7af60cb025e7b219fa417028.exe	102

C:\Users\Admin\AppData\Local\Temp\cd9ccb3e7af60cb025e7b219fa417028.exe
"C:\Users\Admin\AppData\Local\Temp\cd9ccb3e7af60cb025e7b219fa417028.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\WINDOWS\ice.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set notifications Disable
    3⤵
    - Modifies Windows Firewall
    PID:4204
- - C:\Windows\SysWOW64\sc.exe
    sc stop SharedAccess
    3⤵
    - Launches sc.exe
    PID:452
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:4324
- - C:\Windows\SysWOW64\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3396
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:4440
- - C:\Windows\SysWOW64\sc.exe
    sc stop wscsvc
    3⤵
    - Launches sc.exe
    PID:1584
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:2656
- C:\WINDOWS\msagent\agtintl\update.exe
  C:\WINDOWS\msagent\agtintl\update.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\ice.bat

Filesize
223B

MD5
1604ad01e735f096a9494f3d1590865e

SHA1
8894a9efeb44f1c1af4bc09c7d13b19718edfc16

SHA256
d40c23e8e65973f2c387e268a0ac7dd3a4358f724cbe3aa51e1fb05c8a837dcf

SHA512
58cfb7cb142d0507990f7e60d2cb83eb0395466feba2985569189ea1b62063cd261647a002fcc89af423a12a6ea498735a0887f19498129d7e257e71e289819c

Download Submit
C:\Windows\msagent\agtintl\update.exe

Filesize
379KB

MD5
cd9ccb3e7af60cb025e7b219fa417028

SHA1
17c91cb6345a5d37330ba73305f546166114fe2e

SHA256
336e0323e0a9004fd9ea30eb348d0b669ed70c7a61c77c51d6485525e03d535d

SHA512
b0b85789a9160c2974063169b20c2f7add837aa244449c4c0cfcddddb6d0e579caa35f4a95526b05b34197fd4d4566a8a878bb123a83763a2b9b320489e79ee2

Download Submit
memory/1680-0-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1680-9-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4060-8-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4060-20-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4060-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads