075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44

General

Target

075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe
Size

9.2MB
MD5

d55b0be7279cf572706d2080a215f44e
SHA1

3e32f7ecb9531d3b91be679d7b3c2adeabd3afb0
SHA256

075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44
SHA512

e15e656a9c5288696cc8f8a58353879cfc5d1b10c683fbdb2b2101830e1b16661ada23b03428db84b2b47d35acc379f5838272088d69aa999505d1fbb4eb6b22
SSDEEP

98304:E+k7QDw+PcYq5LnYvacmm1xAWewWAWUlWJwSb099Pi8bh9x/NvBaudEGst+g2lfE:VktBlNChWX8bp/Bq6YAOjLcTH8kc

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe

Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2976 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

rr.exeplaytomenu.exe

pid process

2816 rr.exe
2236 playtomenu.exe

pid	process
2976	cmd.exe

pid	process
2816	rr.exe
2236	playtomenu.exe

Loads dropped DLL 2 IoCs

Processes:

075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe

pid	process
1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe
1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe

pid	process
1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe
1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe
1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe
1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe
1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe
1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exeplaytomenu.exe

pid process

1520 075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe
2236 playtomenu.exe
2236 playtomenu.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe

description	pid	process	target process
PID 1520 wrote to memory of 2816	1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe	rr.exe
PID 1520 wrote to memory of 2816	1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe	rr.exe
PID 1520 wrote to memory of 2816	1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe	rr.exe
PID 1520 wrote to memory of 2816	1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe	rr.exe
PID 1520 wrote to memory of 2236	1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe	playtomenu.exe
PID 1520 wrote to memory of 2236	1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe	playtomenu.exe
PID 1520 wrote to memory of 2236	1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe	playtomenu.exe
PID 1520 wrote to memory of 2236	1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe	playtomenu.exe
PID 1520 wrote to memory of 2976	1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe	cmd.exe
PID 1520 wrote to memory of 2976	1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe	cmd.exe
PID 1520 wrote to memory of 2976	1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe	cmd.exe
PID 1520 wrote to memory of 2976	1520	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe	cmd.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe

C:\Users\Admin\AppData\Local\Temp\075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe
"C:\Users\Admin\AppData\Local\Temp\075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1520

C:\ProgramData\rr.exe
C:\ProgramData\rr.exe -y x -pFASJKLVFDAJKLCDSA434JKLFDS "C:\ProgramData\playtomenu.jpg" "C:\ProgramData\"
2⤵
- Executes dropped EXE
PID:2816

C:\ProgramData\playtomenu.exe
C:\ProgramData\playtomenu.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c delself.cmd
2⤵
- Deletes itself
PID:2976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\playtomenu.exe
Filesize
4.1MB

MD5
684fdaae316e5f59baa6f69f5bc2526a

SHA1
958061cff425622da5bf931f7ffdd22a1f784763

SHA256
17f875b64eedb6ed608cca84e3d9804c947e7200c294b3ff5f91568e35a0d2e8

SHA512
7eca3352b7d4195c3f793db86ad9a98cdcbd2aff55e94cc1dccc754a8e84bf2eb9d13e991c672d08a162dbc01f9a9d7bcb873f1446147e77dbbdcecafcbd51c1

Download Submit
C:\ProgramData\playtomenu.jpg
Filesize
1.7MB

MD5
c2348c7e8ac7e2812f7967c126918b90

SHA1
626bb46101ccf131d6981f338cd4b4edcf76ca31

SHA256
40eeb9683bfd6ce4bf7e3bd836ff9beb2838a6afbd1ab9a149d9ec9c5f5d9a8f

SHA512
74270cda47170f3f92fc1688c3fbc2c8f6ecc1b2b2c45016f00e56989d0f256eab6b354fea253e2045b56952ef665805ab51611d54a53e3bd61ac8d558eede11

Download Submit
C:\Users\Admin\AppData\Local\Temp\delself.cmd
Filesize
124B

MD5
3f63e6c3289af1d2aeda8834892aef65

SHA1
232387cf64358f0ce36b8baf4498674c70dd0067

SHA256
ceb47c961c03072b61e2ee0640787bd89483ccfa9691161cc3c200be9f134291

SHA512
090c4bd50a68d9bb8f43d5aeb4228b9cf0d2b7467818a16597a8ea0bbdbb0ac0084901ff46f11adecace84a7a2d0899a210b32e1be4f442acb8f314d3e582c65

Download Submit
\ProgramData\rr.exe
Filesize
572KB

MD5
f2ae502d448cfb81a5f40a9368d99b1a

SHA1
f849be86e9e7ced0acd51a68f92992b8090d08a5

SHA256
07ad4b984f288304003b080dd013784685181de4353a0b70a0247f96e535bd56

SHA512
9f3aea471684e22bf9fc045ca0e47a8429fa0b13c188f9c7a51937efa8afcec976761b0c4c95aed7735096fcc2278bbd86b0ab581261a6aff6c694d7bb65e9be

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads