a0c66743d784ba640b1410e9535072074c4a9a6e835499da1d4a59e900dd4503

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

265206b5c880a8624fbf3c4c6e2338c3.exe
Size

132KB
MD5

265206b5c880a8624fbf3c4c6e2338c3
SHA1

1aa7b549ee7bd215cd1efe10da57a7aabee8fc40
SHA256

a0c66743d784ba640b1410e9535072074c4a9a6e835499da1d4a59e900dd4503
SHA512

3a2c925c3a1f452a05a9c84c4c49f13298f4351d752d2062e1bbd4f8609024ec7ae181d38a4f13fe1f4138903042f56dd3babf1e53734062bea88809984c7b0e
SSDEEP

1536:ZvcZCTbbxtbJypX2I3YU9oLmb1DYfQSxV2cPY7ROEYa9YreGQJdFuQ20:B9b7bJyp79GLvfQUV29ROER6GF20

Score

10^/10

evasion execution persistence upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	265206b5c880a8624fbf3c4c6e2338c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\5rvc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1tky.exe"	265206b5c880a8624fbf3c4c6e2338c3.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	1tky.exe

Executes dropped EXE 2 IoCs

pid	Process
4080	1tky.exe
4524	1tky.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3620-0-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0008000000023412-6.dat	upx
behavioral2/memory/4080-7-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3620-13-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4080-17-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4524-18-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4524-19-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\iz7vb.log	1tky.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5024	sc.exe
4468	sc.exe
4584	sc.exe
4044	sc.exe
1560	sc.exe
5060	sc.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3620	265206b5c880a8624fbf3c4c6e2338c3.exe
3620	265206b5c880a8624fbf3c4c6e2338c3.exe
3620	265206b5c880a8624fbf3c4c6e2338c3.exe
4080	1tky.exe
4080	1tky.exe
4080	1tky.exe
4524	1tky.exe
4524	1tky.exe
4524	1tky.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 4316	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	86
PID 3620 wrote to memory of 4316	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	86
PID 3620 wrote to memory of 4316	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	86
PID 3620 wrote to memory of 1560	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	87
PID 3620 wrote to memory of 1560	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	87
PID 3620 wrote to memory of 1560	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	87
PID 3620 wrote to memory of 1496	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	89
PID 3620 wrote to memory of 1496	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	89
PID 3620 wrote to memory of 1496	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	89
PID 3620 wrote to memory of 5060	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	90
PID 3620 wrote to memory of 5060	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	90
PID 3620 wrote to memory of 5060	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	90
PID 3620 wrote to memory of 4080	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	94
PID 3620 wrote to memory of 4080	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	94
PID 3620 wrote to memory of 4080	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	94
PID 3620 wrote to memory of 4856	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	95
PID 3620 wrote to memory of 4856	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	95
PID 3620 wrote to memory of 4856	3620	265206b5c880a8624fbf3c4c6e2338c3.exe	95
PID 4316 wrote to memory of 1388	4316	net.exe	96
PID 4316 wrote to memory of 1388	4316	net.exe	96
PID 4316 wrote to memory of 1388	4316	net.exe	96
PID 1496 wrote to memory of 3468	1496	net.exe	98
PID 1496 wrote to memory of 3468	1496	net.exe	98
PID 1496 wrote to memory of 3468	1496	net.exe	98
PID 4080 wrote to memory of 5032	4080	1tky.exe	99
PID 4080 wrote to memory of 5032	4080	1tky.exe	99
PID 4080 wrote to memory of 5032	4080	1tky.exe	99
PID 4080 wrote to memory of 4468	4080	1tky.exe	100
PID 4080 wrote to memory of 4468	4080	1tky.exe	100
PID 4080 wrote to memory of 4468	4080	1tky.exe	100
PID 4080 wrote to memory of 1696	4080	1tky.exe	101
PID 4080 wrote to memory of 1696	4080	1tky.exe	101
PID 4080 wrote to memory of 1696	4080	1tky.exe	101
PID 4080 wrote to memory of 5024	4080	1tky.exe	102
PID 4080 wrote to memory of 5024	4080	1tky.exe	102
PID 4080 wrote to memory of 5024	4080	1tky.exe	102
PID 4080 wrote to memory of 4524	4080	1tky.exe	104
PID 4080 wrote to memory of 4524	4080	1tky.exe	104
PID 4080 wrote to memory of 4524	4080	1tky.exe	104
PID 1696 wrote to memory of 1812	1696	net.exe	108
PID 1696 wrote to memory of 1812	1696	net.exe	108
PID 1696 wrote to memory of 1812	1696	net.exe	108
PID 5032 wrote to memory of 916	5032	net.exe	109
PID 5032 wrote to memory of 916	5032	net.exe	109
PID 5032 wrote to memory of 916	5032	net.exe	109
PID 4524 wrote to memory of 3584	4524	1tky.exe	110
PID 4524 wrote to memory of 3584	4524	1tky.exe	110
PID 4524 wrote to memory of 3584	4524	1tky.exe	110
PID 4524 wrote to memory of 4584	4524	1tky.exe	111
PID 4524 wrote to memory of 4584	4524	1tky.exe	111
PID 4524 wrote to memory of 4584	4524	1tky.exe	111
PID 4524 wrote to memory of 2088	4524	1tky.exe	112
PID 4524 wrote to memory of 2088	4524	1tky.exe	112
PID 4524 wrote to memory of 2088	4524	1tky.exe	112
PID 4524 wrote to memory of 4044	4524	1tky.exe	113
PID 4524 wrote to memory of 4044	4524	1tky.exe	113
PID 4524 wrote to memory of 4044	4524	1tky.exe	113
PID 3584 wrote to memory of 2152	3584	net.exe	118
PID 3584 wrote to memory of 2152	3584	net.exe	118
PID 3584 wrote to memory of 2152	3584	net.exe	118
PID 2088 wrote to memory of 4148	2088	net.exe	119
PID 2088 wrote to memory of 4148	2088	net.exe	119
PID 2088 wrote to memory of 4148	2088	net.exe	119

C:\Users\Admin\AppData\Local\Temp\265206b5c880a8624fbf3c4c6e2338c3.exe
"C:\Users\Admin\AppData\Local\Temp\265206b5c880a8624fbf3c4c6e2338c3.exe"
1⤵
- Adds policy Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\SysWOW64\net.exe
  net.exe stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:1388
- C:\Windows\SysWOW64\sc.exe
  sc config wscsvc start= DISABLED
  2⤵
  - Launches sc.exe
  PID:1560
- C:\Windows\SysWOW64\net.exe
  net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:3468
- C:\Windows\SysWOW64\sc.exe
  sc config SharedAccess start= DISABLED
  2⤵
  - Launches sc.exe
  PID:5060
- C:\Users\Admin\AppData\Local\Temp\1tky.exe
  C:\Users\Admin\AppData\Local\Temp\1tky.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Security Center"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      PID:916
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= DISABLED
    3⤵
    - Launches sc.exe
    PID:4468
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      PID:1812
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= DISABLED
    3⤵
    - Launches sc.exe
    PID:5024
- - C:\Users\Admin\AppData\Local\Temp\1tky.exe
    C:\Users\Admin\AppData\Local\Temp\1tky.exe -d7467719BB67161BE5FAE193EBFFB81728D521D7A466774E05E2EED9B48AF530F55289285FF827F1F1C619C020601372EC8CC5CAEBEC86A4F5D685329F187C96F9516E95FB6A52186DDE062E3956EE809A18B0F45EB7B15E2C978C1B68F64354E84D083A3B597BC2244FB89DC13D699FD09C7634B43090D48E3D3764D69E9BC0BB2ABAD18153805C731076C346BB88FF233E9C6D4818F24182BA0EF9B08E4C319F2A9F48B2F71F0DAC59CA9F3C4664FED8DF6E34C9CBF71B66466E8783674EE0D542024259BD2B44962E31E9788199EDBCB77A9F8CF8148D98D695F24FB4A22C929944BB133F4C475A85BE67460A782D1DCEF455D92EA3F88E8569008A05886DF02E2B60D0F8CD66578935F6F36783EFBF15822159FBB2AB7F6CEF9ACAF067D44B1EBF2048AC8E0A1F4BE2748312B59B27CA7EF56ED9D1F3D78495622F19CAD1D4512CBBE3B9715967C6C194ABB5C97602E1499EBB77772446EA2A5D06E79FA4A10984F07FCB9EB40B14C53C07DA8FD79F70A4B187507B8F51A47224F6FF18A67A48BCB0CE58717EB7504334F6068D05009E87442E0A1C743FE754BDB7E9FC112D047CC7950CE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3584
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        5⤵
        
        PID:2152
  - - C:\Windows\SysWOW64\sc.exe
      sc config wscsvc start= DISABLED
      4⤵
      Launches sc.exe
      PID:4584
  - - C:\Windows\SysWOW64\net.exe
      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        5⤵
        
        PID:4148
  - - C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= DISABLED
      4⤵
      Launches sc.exe
      PID:4044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\skzsmv2qq.bat
  2⤵
  PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1tky.exe

Filesize
132KB

MD5
265206b5c880a8624fbf3c4c6e2338c3

SHA1
1aa7b549ee7bd215cd1efe10da57a7aabee8fc40

SHA256
a0c66743d784ba640b1410e9535072074c4a9a6e835499da1d4a59e900dd4503

SHA512
3a2c925c3a1f452a05a9c84c4c49f13298f4351d752d2062e1bbd4f8609024ec7ae181d38a4f13fe1f4138903042f56dd3babf1e53734062bea88809984c7b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\skzsmv2qq.bat

Filesize
190B

MD5
a27b761bd657ae1a50136baff475b0b2

SHA1
278827bb0eb5592885d8f235b2530867cfd55794

SHA256
ab9fa0b444224f00965deedc08cb3bbf64b149fe94fd7465182ac792ae62bc53

SHA512
db6997dcecc17be145535a7625c41352cd5a0b4fc34eec3a1e00083b9ec2375925a3ba0f269c7f0225abb3b54096454f2df356cf30ff76d3a72578c33ea70a40

Download Submit
memory/3620-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3620-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4080-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4080-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4524-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4524-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads