15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126

General

Target

15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe
Size

410KB
MD5

b76b8463d2167fa7f1feb1d562fe18ac
SHA1

9870f08014840f890ef57200a87775d5d199cb5f
SHA256

15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126
SHA512

c137dcebc7ea2da5a90898c73ddbf54370d168d7655acffa4cae62586b53e7064871d10b39af363b664529bb39fb60ae895ad61f2ed766f7390a874dbcf01361
SSDEEP

12288:IpUaCbA1fQy08IAKsVU5kTc9E4rQQm+7fLiEivqUa:I1CbAP0zAr1TEE4r0+6pCUa

Score

10^/10

evasion execution themida trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4636	powershell.exe

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1unKgCDgpbB5CD5NEeZAfCle.bat	regsvcs.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000700000001ac44-84.dat	themida
behavioral2/memory/3256-85-0x0000000140000000-0x0000000140861000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
4	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	api.myip.com
34	api.myip.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3368 set thread context of 3444	3368	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	76

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4636	powershell.exe
4636	powershell.exe
4636	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	3368	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	3444	regsvcs.exe
Token: SeIncreaseQuotaPrivilege	4636	powershell.exe
Token: SeSecurityPrivilege	4636	powershell.exe
Token: SeTakeOwnershipPrivilege	4636	powershell.exe
Token: SeLoadDriverPrivilege	4636	powershell.exe
Token: SeSystemProfilePrivilege	4636	powershell.exe
Token: SeSystemtimePrivilege	4636	powershell.exe
Token: SeProfSingleProcessPrivilege	4636	powershell.exe
Token: SeIncBasePriorityPrivilege	4636	powershell.exe
Token: SeCreatePagefilePrivilege	4636	powershell.exe
Token: SeBackupPrivilege	4636	powershell.exe
Token: SeRestorePrivilege	4636	powershell.exe
Token: SeShutdownPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeSystemEnvironmentPrivilege	4636	powershell.exe
Token: SeRemoteShutdownPrivilege	4636	powershell.exe
Token: SeUndockPrivilege	4636	powershell.exe
Token: SeManageVolumePrivilege	4636	powershell.exe
Token: 33	4636	powershell.exe
Token: 34	4636	powershell.exe
Token: 35	4636	powershell.exe
Token: 36	4636	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 4636	3368	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	74
PID 3368 wrote to memory of 4636	3368	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	74
PID 3368 wrote to memory of 3444	3368	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	76
PID 3368 wrote to memory of 3444	3368	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	76
PID 3368 wrote to memory of 3444	3368	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	76
PID 3368 wrote to memory of 3444	3368	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	76
PID 3368 wrote to memory of 3444	3368	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	76
PID 3368 wrote to memory of 3444	3368	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	76
PID 3368 wrote to memory of 3444	3368	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	76
PID 3368 wrote to memory of 3444	3368	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe	76

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe

C:\Users\Admin\AppData\Local\Temp\15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe
"C:\Users\Admin\AppData\Local\Temp\15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  PID:3444
- - C:\Users\Admin\Pictures\sqjlLpSWlyFPP4J3l2wD5a4P.exe
    "C:\Users\Admin\Pictures\sqjlLpSWlyFPP4J3l2wD5a4P.exe"
    3⤵
    PID:3100
- - C:\Users\Admin\Pictures\HhqUX6zNu1v6JiZ0XtMV95qi.exe
    "C:\Users\Admin\Pictures\HhqUX6zNu1v6JiZ0XtMV95qi.exe"
    3⤵
    PID:2936
- - C:\Users\Admin\Pictures\yY1R19gsu7VVfNj61ohGJWiW.exe
    "C:\Users\Admin\Pictures\yY1R19gsu7VVfNj61ohGJWiW.exe"
    3⤵
    PID:3256
- - C:\Users\Admin\Pictures\6LjWzKZuAYmrSVYyZkJbg2oK.exe
    "C:\Users\Admin\Pictures\6LjWzKZuAYmrSVYyZkJbg2oK.exe"
    3⤵
    PID:2352
- - C:\Users\Admin\Pictures\TqesiQijz4MIu81d21uflKD4.exe
    "C:\Users\Admin\Pictures\TqesiQijz4MIu81d21uflKD4.exe"
    3⤵
    PID:2072
- - C:\Users\Admin\Pictures\RqQk0IA6QLwU6CJbBAhbWHor.exe
    "C:\Users\Admin\Pictures\RqQk0IA6QLwU6CJbBAhbWHor.exe"
    3⤵
    PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1484

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1sklzwdg.qnc.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Pictures\HhqUX6zNu1v6JiZ0XtMV95qi.exe

Filesize
416KB

MD5
802c6bc6230b334e1f09cc9abc29e693

SHA1
f92c01964a9010a5bdbb613abaa6b5114651d1ab

SHA256
501c2f7253cc227dfc4737f31fe6a685f12dc21fadc076e23e44eaf8bdc31391

SHA512
da8f0a153a0e2c305d6218272cb4e489bb7cc7defcac2e52fe9ca87b210abc9bfc51564535116695a3003303a441d3e55d91c3247a0fb7d3ee41f8c441135e10

Download Submit
C:\Users\Admin\Pictures\TqesiQijz4MIu81d21uflKD4.exe

Filesize
4.2MB

MD5
85e00972e4d4b2ad827d5e72daa72c86

SHA1
b285d5343385c9e9a7c706b1a48c651cd3a5a5cc

SHA256
bfde9d0144b50dfc923ed9d605f029adc8a2b8460644a63c7bde3ea43e27cc8e

SHA512
d9c93929534de4ac4357814b8e3b2a0dc880e12290c6a365746c0eb19fcf6113591322de53856c0d79c1d0bc2ae3294a149a239259426dca5e46e8d5113eea7b

Download Submit
C:\Users\Admin\Pictures\VyTLc8pprwrD9qaqavXW7Z4o.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\sqjlLpSWlyFPP4J3l2wD5a4P.exe

Filesize
4.2MB

MD5
efae9751274c1f945b8ec66a3abd2b18

SHA1
b594572da253d2bf0bce3116e20207f83fe9146a

SHA256
982360750abf4da2df89ef95841082796ad08198b3170006339ef2f4241c2ea0

SHA512
55840871865c3748402a2b9474926d08cc85af91287c512e08d7de148adef745b7e0e80bc24566c6aa633ea9646a95397c70bc85c053f0e699f8b54b34a7fa4b

Download Submit
C:\Users\Admin\Pictures\yY1R19gsu7VVfNj61ohGJWiW.exe

Filesize
5.5MB

MD5
5a602d800c716ecf19aece10002da470

SHA1
3f64e4b4bc5ec25730c3ed2005885438eb8666f3

SHA256
18102f6d9c390e66827e5fae3036efd613558093291e80dfe329238f8cfa4f8d

SHA512
1c453560f70fb2b6daca26350d88a432bac91cdbee92d3c97fe9b14342eca8d82a2c00cf55897ebe3bb28f7a884dba2aef0154139866b0f4a157f78a5c2d4ebb

Download Submit
memory/3256-85-0x0000000140000000-0x0000000140861000-memory.dmp

Filesize
8.4MB

Download
memory/3368-3-0x000001ADCB500000-0x000001ADCB55E000-memory.dmp

Filesize
376KB

Download
memory/3368-1-0x00007FF954663000-0x00007FF954664000-memory.dmp

Filesize
4KB

Download
memory/3368-4-0x00007FF954660000-0x00007FF95504C000-memory.dmp

Filesize
9.9MB

Download
memory/3368-2-0x000001ADC9B70000-0x000001ADC9B80000-memory.dmp

Filesize
64KB

Download
memory/3368-0-0x000001ADC97C0000-0x000001ADC97D0000-memory.dmp

Filesize
64KB

Download
memory/3444-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3444-25-0x0000000073D1E000-0x0000000073D1F000-memory.dmp

Filesize
4KB

Download
memory/4636-13-0x00007FF954660000-0x00007FF95504C000-memory.dmp

Filesize
9.9MB

Download
memory/4636-55-0x00007FF954660000-0x00007FF95504C000-memory.dmp

Filesize
9.9MB

Download
memory/4636-16-0x00007FF954660000-0x00007FF95504C000-memory.dmp

Filesize
9.9MB

Download
memory/4636-15-0x000002DEC2B50000-0x000002DEC2BC6000-memory.dmp

Filesize
472KB

Download
memory/4636-11-0x00007FF954660000-0x00007FF95504C000-memory.dmp

Filesize
9.9MB

Download
memory/4636-10-0x000002DEC29A0000-0x000002DEC29C2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads