78dbb664e2867fcd227510cf53111638990a15fe792ea04641f10aa9fcff1258

General

Target

ce2dba593ed3afedfa00a8de8887ec8b.exe
Size

140KB
MD5

ce2dba593ed3afedfa00a8de8887ec8b
SHA1

6b3013cd9d10b9f20b418854f1363294e23ba7a4
SHA256

78dbb664e2867fcd227510cf53111638990a15fe792ea04641f10aa9fcff1258
SHA512

a24684aecbe0bb05c5f6a0dcca744133cb35277236563d710bbea12860ba0d7a858cb74e31ffae829a9786224f8d8ac4d4d99f2ebb1a0612680c7243f7c69fe9
SSDEEP

3072:ZBWePozVRNzRMMTTpN28eNuvOkkFPl88bu28f:ZBNQ1PTH2FNDJ2Eu2s

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2132 netsh.exe

pid	process
2132	netsh.exe

Drops startup file 2 IoCs

Processes:

ce2dba593ed3afedfa00a8de8887ec8b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wlqbs.exe	ce2dba593ed3afedfa00a8de8887ec8b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wlqbs.exe	ce2dba593ed3afedfa00a8de8887ec8b.exe

Executes dropped EXE 1 IoCs

Processes:

xxbjfk.exe

pid process

2580 xxbjfk.exe
Loads dropped DLL 2 IoCs

Processes:

ce2dba593ed3afedfa00a8de8887ec8b.exexxbjfk.exe

pid process

2996 ce2dba593ed3afedfa00a8de8887ec8b.exe
2580 xxbjfk.exe

pid	process
2580	xxbjfk.exe

pid	process
2996	ce2dba593ed3afedfa00a8de8887ec8b.exe
2580	xxbjfk.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ce2dba593ed3afedfa00a8de8887ec8b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yjprwbue = "C:\\Users\\Admin\\AppData\\Local\\xxbjfk.exe"	ce2dba593ed3afedfa00a8de8887ec8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\yjprwbue = "C:\\Users\\Admin\\AppData\\Local\\xxbjfk.exe"	ce2dba593ed3afedfa00a8de8887ec8b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ce2dba593ed3afedfa00a8de8887ec8b.exe

description pid process target process

PID 2912 set thread context of 2996 2912 ce2dba593ed3afedfa00a8de8887ec8b.exe ce2dba593ed3afedfa00a8de8887ec8b.exe

description	pid	process	target process
PID 2912 set thread context of 2996	2912	ce2dba593ed3afedfa00a8de8887ec8b.exe	ce2dba593ed3afedfa00a8de8887ec8b.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

ce2dba593ed3afedfa00a8de8887ec8b.exece2dba593ed3afedfa00a8de8887ec8b.exexxbjfk.exe

description	pid	process	target process
PID 2912 wrote to memory of 2996	2912	ce2dba593ed3afedfa00a8de8887ec8b.exe	ce2dba593ed3afedfa00a8de8887ec8b.exe
PID 2912 wrote to memory of 2996	2912	ce2dba593ed3afedfa00a8de8887ec8b.exe	ce2dba593ed3afedfa00a8de8887ec8b.exe
PID 2912 wrote to memory of 2996	2912	ce2dba593ed3afedfa00a8de8887ec8b.exe	ce2dba593ed3afedfa00a8de8887ec8b.exe
PID 2912 wrote to memory of 2996	2912	ce2dba593ed3afedfa00a8de8887ec8b.exe	ce2dba593ed3afedfa00a8de8887ec8b.exe
PID 2912 wrote to memory of 2996	2912	ce2dba593ed3afedfa00a8de8887ec8b.exe	ce2dba593ed3afedfa00a8de8887ec8b.exe
PID 2912 wrote to memory of 2996	2912	ce2dba593ed3afedfa00a8de8887ec8b.exe	ce2dba593ed3afedfa00a8de8887ec8b.exe
PID 2912 wrote to memory of 2996	2912	ce2dba593ed3afedfa00a8de8887ec8b.exe	ce2dba593ed3afedfa00a8de8887ec8b.exe
PID 2912 wrote to memory of 2996	2912	ce2dba593ed3afedfa00a8de8887ec8b.exe	ce2dba593ed3afedfa00a8de8887ec8b.exe
PID 2996 wrote to memory of 2132	2996	ce2dba593ed3afedfa00a8de8887ec8b.exe	netsh.exe
PID 2996 wrote to memory of 2132	2996	ce2dba593ed3afedfa00a8de8887ec8b.exe	netsh.exe
PID 2996 wrote to memory of 2132	2996	ce2dba593ed3afedfa00a8de8887ec8b.exe	netsh.exe
PID 2996 wrote to memory of 2132	2996	ce2dba593ed3afedfa00a8de8887ec8b.exe	netsh.exe
PID 2996 wrote to memory of 2580	2996	ce2dba593ed3afedfa00a8de8887ec8b.exe	xxbjfk.exe
PID 2996 wrote to memory of 2580	2996	ce2dba593ed3afedfa00a8de8887ec8b.exe	xxbjfk.exe
PID 2996 wrote to memory of 2580	2996	ce2dba593ed3afedfa00a8de8887ec8b.exe	xxbjfk.exe
PID 2996 wrote to memory of 2580	2996	ce2dba593ed3afedfa00a8de8887ec8b.exe	xxbjfk.exe
PID 2580 wrote to memory of 2568	2580	xxbjfk.exe	xxbjfk.exe
PID 2580 wrote to memory of 2568	2580	xxbjfk.exe	xxbjfk.exe
PID 2580 wrote to memory of 2568	2580	xxbjfk.exe	xxbjfk.exe
PID 2580 wrote to memory of 2568	2580	xxbjfk.exe	xxbjfk.exe
PID 2580 wrote to memory of 2568	2580	xxbjfk.exe	xxbjfk.exe

C:\Users\Admin\AppData\Local\Temp\ce2dba593ed3afedfa00a8de8887ec8b.exe
"C:\Users\Admin\AppData\Local\Temp\ce2dba593ed3afedfa00a8de8887ec8b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\ce2dba593ed3afedfa00a8de8887ec8b.exe
C:\Users\Admin\AppData\Local\Temp\ce2dba593ed3afedfa00a8de8887ec8b.exe
2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram 1.exe 1 ENABLE
3⤵
- Modifies Windows Firewall
PID:2132

C:\Users\Admin\AppData\Local\xxbjfk.exe
"C:\Users\Admin\AppData\Local\xxbjfk.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580

C:\Users\Admin\AppData\Local\xxbjfk.exe
C:\Users\Admin\AppData\Local\xxbjfk.exe
4⤵
PID:2568

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\xxbjfk.exe
Filesize
140KB

MD5
ce2dba593ed3afedfa00a8de8887ec8b

SHA1
6b3013cd9d10b9f20b418854f1363294e23ba7a4

SHA256
78dbb664e2867fcd227510cf53111638990a15fe792ea04641f10aa9fcff1258

SHA512
a24684aecbe0bb05c5f6a0dcca744133cb35277236563d710bbea12860ba0d7a858cb74e31ffae829a9786224f8d8ac4d4d99f2ebb1a0612680c7243f7c69fe9

Download Submit
memory/2580-63-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/2580-58-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/2580-56-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/2580-54-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/2580-51-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/2580-49-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/2912-9-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/2912-8-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/2912-16-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/2912-14-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/2912-12-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/2996-22-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2996-27-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2996-29-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2996-30-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2996-20-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2996-18-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2996-15-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2996-59-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads