1ebdbfea6ab13f258a7d00dea47de48261cfb84d52ebbb6f282498c3ab1b1b39

General

Target

Armageddon.exe
Size

322KB
MD5

50c6225ff8e1e741238fc0bbdf7d8172
SHA1

c2cc9ad6549d7e81f9052ba45680219bab75960a
SHA256

1ebdbfea6ab13f258a7d00dea47de48261cfb84d52ebbb6f282498c3ab1b1b39
SHA512

062727f899ac911782fde6ba37f693ffc9f6b4255aa56312d0bc9594e978010d314a16b7014fe380a5f3b8931b0aac4a5d407b3916c36de4deae82d8ac7c31d2
SSDEEP

3072:F66/pFINPVP06dvuqrWrb60Db+7uQxQrq61gFsRd8cQUewkoLeC8BS0HVKT+8X2C:Gbxu6Q31gFsR0FoTY8T+8Gx

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Armageddon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Armageddon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Armageddon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Armageddon.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Manipulates Digital Signatures 1 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

Processes:

Armageddon.exe

description ioc process

File created C:\Windows\system32\wintrust.dll Armageddon.exe

description	ioc	process
File created	C:\Windows\system32\wintrust.dll	Armageddon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Armageddon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Test = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Library\\Armageddon.exe"	Armageddon.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Armageddon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Armageddon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Armageddon.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

Armageddon.exe

description ioc process

File created C:\Users\Admin\Desktop\desktop.ini Armageddon.exe
File created C:\Users\Admin\Documents\desktop.ini Armageddon.exe

description	ioc	process
File created	C:\Users\Admin\Desktop\desktop.ini	Armageddon.exe
File created	C:\Users\Admin\Documents\desktop.ini	Armageddon.exe

Drops file in System32 directory 64 IoCs

Processes:

Armageddon.exe

description	ioc	process
File created	C:\Windows\system32\umpnpmgr.dll	Armageddon.exe
File created	C:\Windows\system32\winsku.dll	Armageddon.exe
File created	C:\Windows\system32\WLanConn.dll	Armageddon.exe
File created	C:\Windows\system32\fdWSD.dll	Armageddon.exe
File created	C:\Windows\system32\KBDSYR1.DLL	Armageddon.exe
File created	C:\Windows\system32\scavengeui.dll	Armageddon.exe
File created	C:\Windows\system32\wwanprotdim.dll	Armageddon.exe
File created	C:\Windows\system32\auditcse.dll	Armageddon.exe
File created	C:\Windows\system32\mfvdsp.dll	Armageddon.exe
File created	C:\Windows\system32\vaultcli.dll	Armageddon.exe
File created	C:\Windows\system32\Windows.StateRepositoryUpgrade.dll	Armageddon.exe
File created	C:\Windows\system32\BluetoothSystemToastIcon.png	Armageddon.exe
File created	C:\Windows\system32\efscore.dll	Armageddon.exe
File created	C:\Windows\system32\KBDINBEN.DLL	Armageddon.exe
File created	C:\Windows\system32\ncuprov.dll	Armageddon.exe
File created	C:\Windows\system32\VmApplicationHealthMonitorProxy.dll	Armageddon.exe
File created	C:\Windows\system32\plasrv.exe	Armageddon.exe
File created	C:\Windows\system32\DeviceProperties.exe	Armageddon.exe
File created	C:\Windows\system32\rdpencom.dll	Armageddon.exe
File created	C:\Windows\system32\SecurityAndMaintenance_Error.png	Armageddon.exe
File created	C:\Windows\system32\IPHLPAPI.DLL	Armageddon.exe
File created	C:\Windows\system32\KBDYCL.DLL	Armageddon.exe
File created	C:\Windows\system32\powrprof.dll	Armageddon.exe
File created	C:\Windows\system32\quartz.dll	Armageddon.exe
File created	C:\Windows\system32\TimeSyncTask.dll	Armageddon.exe
File created	C:\Windows\system32\Windows.Networking.Proximity.dll	Armageddon.exe
File created	C:\Windows\system32\Apphlpdm.dll	Armageddon.exe
File created	C:\Windows\system32\mimefilt.dll	Armageddon.exe
File created	C:\Windows\system32\PktMonApi.dll	Armageddon.exe
File created	C:\Windows\system32\KBDTAJIK.DLL	Armageddon.exe
File created	C:\Windows\system32\htui.dll	Armageddon.exe
File created	C:\Windows\system32\Windows.Internal.Taskbar.dll	Armageddon.exe
File created	C:\Windows\system32\eventcls.dll	Armageddon.exe
File created	C:\Windows\system32\DscCore.dll	Armageddon.exe
File created	C:\Windows\system32\RTMediaFrame.dll	Armageddon.exe
File created	C:\Windows\system32\wlanutil.dll	Armageddon.exe
File created	C:\Windows\system32\AppXDeploymentServer.dll	Armageddon.exe
File created	C:\Windows\system32\LsaIso.exe	Armageddon.exe
File created	C:\Windows\system32\KernelBase.dll	Armageddon.exe
File created	C:\Windows\system32\rdpcore.dll	Armageddon.exe
File created	C:\Windows\system32\uxtheme.dll	Armageddon.exe
File created	C:\Windows\system32\LanguageComponentsInstallerComHandler.exe	Armageddon.exe
File created	C:\Windows\system32\cryptui.dll	Armageddon.exe
File created	C:\Windows\system32\iaspolcy.dll	Armageddon.exe
File created	C:\Windows\system32\KBDDIV1.DLL	Armageddon.exe
File created	C:\Windows\system32\kd_0C_8086.dll	Armageddon.exe
File created	C:\Windows\system32\sdohlp.dll	Armageddon.exe
File created	C:\Windows\system32\cimfs.dll	Armageddon.exe
File created	C:\Windows\system32\winbrand.dll	Armageddon.exe
File created	C:\Windows\system32\netbios.dll	Armageddon.exe
File created	C:\Windows\system32\AuthBrokerUI.dll	Armageddon.exe
File created	C:\Windows\system32\ieproxy.dll	Armageddon.exe
File created	C:\Windows\system32\PeopleBand.dll	Armageddon.exe
File created	C:\Windows\system32\Windows.Graphics.dll	Armageddon.exe
File created	C:\Windows\system32\TpmInit.exe	Armageddon.exe
File created	C:\Windows\system32\secproc_ssp_isv.dll	Armageddon.exe
File opened for modification	C:\Windows\system32\perfi007.dat	Armageddon.exe
File created	C:\Windows\system32\fhcat.dll	Armageddon.exe
File created	C:\Windows\system32\MirrorDrvCompat.dll	Armageddon.exe
File created	C:\Windows\system32\SessEnv.dll	Armageddon.exe
File created	C:\Windows\system32\winipcsecproc.dll	Armageddon.exe
File created	C:\Windows\system32\wlidres.dll	Armageddon.exe
File created	C:\Windows\system32\ApplicationFrameHost.exe	Armageddon.exe
File created	C:\Windows\system32\dscproxy.dll	Armageddon.exe

Modifies termsrv.dll 1 TTPs 1 IoCs
Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol
T1021.001

Processes:

Armageddon.exe

description ioc process

File created C:\Windows\system32\termsrv.dll Armageddon.exe

description	ioc	process
File created	C:\Windows\system32\termsrv.dll	Armageddon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Armageddon.exe

pid	process
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe
2576	Armageddon.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Armageddon.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2576	Armageddon.exe
Token: SeShutdownPrivilege	2692	explorer.exe
Token: SeCreatePagefilePrivilege	2692	explorer.exe
Token: SeShutdownPrivilege	2692	explorer.exe
Token: SeCreatePagefilePrivilege	2692	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Armageddon.exe

pid process

2576 Armageddon.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

Armageddon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Armageddon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Armageddon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Armageddon.exe

C:\Users\Admin\AppData\Local\Temp\Armageddon.exe
"C:\Users\Admin\AppData\Local\Temp\Armageddon.exe"
1⤵
- UAC bypass
- Manipulates Digital Signatures
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies termsrv.dll
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2576

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Suspicious use of AdjustPrivilegeToken
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Remote Services

1

T1021

Remote Desktop Protocol

1

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2576-0-0x00007FFCC5270000-0x00007FFCC530E000-memory.dmp

Filesize
632KB

Download
memory/2576-1-0x0000000000930000-0x0000000000986000-memory.dmp

Filesize
344KB

Download
memory/2576-2-0x00007FFCC5270000-0x00007FFCC530E000-memory.dmp

Filesize
632KB

Download
memory/2576-3-0x00007FFCC5270000-0x00007FFCC530E000-memory.dmp

Filesize
632KB

Download
memory/2576-82-0x00007FFCC5270000-0x00007FFCC530E000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads