Analysis
- max time kernel: 14s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 23-07-2024 04:17

Static task: static1
Behavioral task: behavioral1
Sample: 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Resource: win7-20240708-en
General
- Target: 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
- Size: 216KB
- MD5: 63bf82b7bd6f481c0ca2ba4618f2e800
- SHA1: 8c4b139e9bbba1aa4da71e96aa434643e9e9f7df
- SHA256: 2073c59a323a901cf607b310b15125ef457e8c8c7fda2dce33c93f7bdd92aff3
- SHA512: 8acff7ef8a861f28469100357aee9e6677c5544f1d200c64d3f8cbea6cb174b6ce57d810cb6ea01cd6b0326d251f7f843b2d41606bb6f235bf3d404bb5a71b65
- SSDEEP: 3072:mv+htWMtf+7GZYGVA2QJgi8xJLDoUPJEeUFMskH3dJV4CJruNs0:4EGqZYGVd82PDNEzFMXH3df1Jr30
Malware Config
Extracted: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

FatalRat
FatalRat is a modular infostealer family written in C++, first appearing in June 2021.
Modifies firewall policy service 3 TTPs 6 IoCs
Processes: 63bf82b7bd6f481c0ca2ba4618f2e800N.exe, Nopqrs.exe
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (Nopqrs.exe)
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (Nopqrs.exe)
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (Nopqrs.exe)
UAC bypass 2 IoCs (signature name restored from the process tree below)
Processes: 63bf82b7bd6f481c0ca2ba4618f2e800N.exe, Nopqrs.exe
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Nopqrs.exe)
Windows security bypass 18 IoCs (signature name restored from the process tree below)
Processes: Nopqrs.exe, 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center:
Set value (int): UacDisableNotify = "1" (Nopqrs.exe)
Set value (int): Svc\AntiVirusOverride = "1" (Nopqrs.exe)
Set value (int): Svc\AntiVirusDisableNotify = "1" (Nopqrs.exe)
Set value (int): Svc\FirewallDisableNotify = "1" (Nopqrs.exe)
Set value (int): Svc\UpdatesDisableNotify = "1" (Nopqrs.exe)
Set value (int): AntiVirusDisableNotify = "1" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): FirewallDisableNotify = "1" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): UpdatesDisableNotify = "1" (Nopqrs.exe)
Set value (int): FirewallOverride = "1" (Nopqrs.exe)
Set value (int): FirewallOverride = "1" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): AntiVirusOverride = "1" (Nopqrs.exe)
Set value (int): AntiVirusDisableNotify = "1" (Nopqrs.exe)
Set value (int): UpdatesDisableNotify = "1" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): UacDisableNotify = "1" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): Svc\UacDisableNotify = "1" (Nopqrs.exe)
Set value (int): AntiVirusOverride = "1" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): FirewallDisableNotify = "1" (Nopqrs.exe)
Set value (int): Svc\FirewallOverride = "1" (Nopqrs.exe)
Fatal Rat payload 2 IoCs
Processes:
behavioral1/memory/904-2-0x0000000010000000-0x000000001001C000-memory.dmp (yara rule: fatalrat)
behavioral1/memory/1460-137-0x0000000000400000-0x0000000000436000-memory.dmp (yara rule: fatalrat)
Executes dropped EXE 1 IoCs
Processes:
PID 1460: Nopqrs.exe
Matches yara rule upx 33 IoCs
Processes:
Every dump below matches yara rule upx and covers the same region, 0x00000000005B0000-0x000000000163E000, in the form behavioral1/memory/<pid>-<seq>-0x00000000005B0000-0x000000000163E000-memory.dmp. The <pid>-<seq> values are:
904-16, 904-15, 904-14, 904-13, 904-12, 904-11, 904-10, 904-9, 904-7, 904-29, 904-30, 904-31, 904-33, 904-32, 904-35, 904-36, 904-37, 904-38, 1460-58, 904-68, 1460-57, 1460-56, 1460-55, 1460-54, 1460-53, 1460-52, 1460-51, 1460-70, 1460-69, 1460-50, 1460-48, 904-72, 1460-73
Windows security modification 20 IoCs (signature name restored from the process tree below)
Processes: 63bf82b7bd6f481c0ca2ba4618f2e800N.exe, Nopqrs.exe
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center:
Key created: Svc (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): UacDisableNotify = "1" (Nopqrs.exe)
Key created: Svc (Nopqrs.exe)
Set value (int): Svc\UpdatesDisableNotify = "1" (Nopqrs.exe)
Set value (int): AntiVirusOverride = "1" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): FirewallDisableNotify = "1" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): AntiVirusOverride = "1" (Nopqrs.exe)
Set value (int): AntiVirusDisableNotify = "1" (Nopqrs.exe)
Set value (int): UpdatesDisableNotify = "1" (Nopqrs.exe)
Set value (int): Svc\AntiVirusDisableNotify = "1" (Nopqrs.exe)
Set value (int): Svc\FirewallOverride = "1" (Nopqrs.exe)
Set value (int): UacDisableNotify = "1" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): Svc\FirewallDisableNotify = "1" (Nopqrs.exe)
Set value (int): Svc\UacDisableNotify = "1" (Nopqrs.exe)
Set value (int): AntiVirusDisableNotify = "1" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): FirewallOverride = "1" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): UpdatesDisableNotify = "1" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): FirewallDisableNotify = "1" (Nopqrs.exe)
Set value (int): FirewallOverride = "1" (Nopqrs.exe)
Set value (int): Svc\AntiVirusOverride = "1" (Nopqrs.exe)
Checks whether UAC is enabled 2 IoCs (signature name restored from the process tree below)
Processes: 63bf82b7bd6f481c0ca2ba4618f2e800N.exe, Nopqrs.exe
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Nopqrs.exe)
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 63bf82b7bd6f481c0ca2ba4618f2e800N.exe, Nopqrs.exe
File opened (read-only): \??\E: (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
File opened (read-only): \??\G: (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
File opened (read-only): \??\I: (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
File opened (read-only): \??\L: (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
File opened (read-only): \??\G: (Nopqrs.exe)
File opened (read-only): \??\N: (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
File opened (read-only): \??\H: (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
File opened (read-only): \??\J: (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
File opened (read-only): \??\K: (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
File opened (read-only): \??\E: (Nopqrs.exe)
File opened (read-only): \??\M: (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Drops file in Windows directory 3 IoCs
Processes: 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
File created: C:\Windows\Nopqrs.exe (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
File opened for modification: C:\Windows\Nopqrs.exe (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
File opened for modification: C:\Windows\SYSTEM.INI (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Modifies data under HKEY_USERS 64 IoCs
Processes: Nopqrs.exe
All entries below were made by Nopqrs.exe under \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk (the "Key created" entry uses the path as logged):
Set value (int): S2_102 = "2570434329"
Set value (int): S2_159 = "1606705650"
Set value (int): S2_222 = "541548861"
Set value (int): S3_241 = "1668578570"
Set value (int): S3_28 = "941535037"
Set value (int): S1_51 = "2934229835"
Set value (int): S1_143 = "1012505131"
Set value (int): S2_206 = "3675374848"
Set value (int): S2_64 = "349586324"
Set value (int): S1_261 = "2345820354"
Set value (int): S4_292 = "789701292"
Set value (int): S2_46 = "653925023"
Set value (int): S1_65 = "3575661639"
Set value (int): S4_111 = "2418260733"
Set value (int): S4_162 = "1555990150"
Set value (int): S4_211 = "2159189865"
Set value (int): S1_231 = "4045592892"
Set value (int): S1_31 = "3700188232"
Set value (int): S1_175 = "1618717280"
Set value (int): S2_179 = "4131873646"
Set value (int): S4_293 = "2204449791"
Set value (int): S3_1 = "1431319418"
Set value (int): S1_127 = "3529128050"
Set value (int): S3_44 = "2135961709"
Set value (int): S3_120 = "2249372865"
Set value (int): S3_124 = "3646696989"
Set value (int): S4_19 = "1110417705"
Set value (int): S1_76 = "14090711"
Set value (int): S4_89 = "1358564827"
Set value (int): S2_223 = "1956304758"
Set value (int): S4_102 = "2570426130"
Set value (int): S2_128 = "699183715"
Set value (int): S2_151 = "3173617616"
Set value (int): S4_193 = "2463520659"
Key created: \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425
Set value (int): S4_50 = "2017948214"
Set value (int): S4_82 = "45259926"
Set value (int): S4_85 = "4289505423"
Set value (int): S2_228 = "440111597"
Set value (int): S3_233 = "3202295458"
Set value (int): S2_155 = "242682700"
Set value (int): S4_235 = "1753415473"
Set value (int): S3_290 = "2271762991"
Set value (int): S2_45 = "3534136432"
Set value (int): S1_102 = "4234980265"
Set value (int): S1_105 = "3551815699"
Set value (int): S1_132 = "2582794401"
Set value (int): S3_113 = "969475978"
Set value (int): S2_121 = "3680841442"
Set value (int): S4_138 = "1961764542"
Set value (int): S3_189 = "1082890350"
Set value (int): S3_0 = "17001001"
Set value (int): S3_36 = "3669747077"
Set value (int): S4_45 = "3534140311"
Set value (int): S4_51 = "3432696713"
Set value (int): S1_221 = "1931112186"
Set value (int): S1_238 = "1061372510"
Set value (int): S1_258 = "4073731188"
Set value (int): S2_261 = "4177136693"
Set value (int): S2_294 = "3619195780"
Set value (int): S1_47 = "3606199589"
Set value (int): S3_106 = "3951138423"
Set value (int): S3_142 = "3342394915"
Set value (int): S3_173 = "4249892670"
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes: 63bf82b7bd6f481c0ca2ba4618f2e800N.exe, Nopqrs.exe
PID 904: 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
PID 904: 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
PID 1460: Nopqrs.exe
PID 1460: Nopqrs.exe
PID 904: 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: 63bf82b7bd6f481c0ca2ba4618f2e800N.exe, Nopqrs.exe
Token: SeDebugPrivilege (PID 904, 63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Token: SeDebugPrivilege (PID 904, 63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Token: SeDebugPrivilege (PID 1460, Nopqrs.exe)
Token: SeDebugPrivilege (PID 1460, Nopqrs.exe)
Token: SeDebugPrivilege (PID 904, 63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Suspicious use of WriteProcessMemory 13 IoCs
Processes: 63bf82b7bd6f481c0ca2ba4618f2e800N.exe, Nopqrs.exe
PID 904 wrote to memory of 1048 (63bf82b7bd6f481c0ca2ba4618f2e800N.exe, procid_target 18)
PID 904 wrote to memory of 1112 (63bf82b7bd6f481c0ca2ba4618f2e800N.exe, procid_target 19)
PID 904 wrote to memory of 1136 (63bf82b7bd6f481c0ca2ba4618f2e800N.exe, procid_target 20)
PID 904 wrote to memory of 1004 (63bf82b7bd6f481c0ca2ba4618f2e800N.exe, procid_target 25)
PID 1460 wrote to memory of 1048 (Nopqrs.exe, procid_target 18)
PID 1460 wrote to memory of 1112 (Nopqrs.exe, procid_target 19)
PID 1460 wrote to memory of 1136 (Nopqrs.exe, procid_target 20)
PID 1460 wrote to memory of 1004 (Nopqrs.exe, procid_target 25)
PID 1460 wrote to memory of 904 (Nopqrs.exe, procid_target 29)
PID 904 wrote to memory of 1048 (63bf82b7bd6f481c0ca2ba4618f2e800N.exe, procid_target 18)
PID 904 wrote to memory of 1112 (63bf82b7bd6f481c0ca2ba4618f2e800N.exe, procid_target 19)
PID 904 wrote to memory of 1136 (63bf82b7bd6f481c0ca2ba4618f2e800N.exe, procid_target 20)
PID 904 wrote to memory of 1004 (63bf82b7bd6f481c0ca2ba4618f2e800N.exe, procid_target 25)
System policy modification 1 TTPs 2 IoCs
Processes: 63bf82b7bd6f481c0ca2ba4618f2e800N.exe, Nopqrs.exe
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (63bf82b7bd6f481c0ca2ba4618f2e800N.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Nopqrs.exe)
Processes
- C:\Windows\system32\taskhost.exe, command line "taskhost.exe" (level 1), PID 1048
- C:\Windows\system32\Dwm.exe, command line "C:\Windows\system32\Dwm.exe" (level 1), PID 1112
- C:\Windows\Explorer.EXE, command line C:\Windows\Explorer.EXE (level 1), PID 1136
  - C:\Users\Admin\AppData\Local\Temp\63bf82b7bd6f481c0ca2ba4618f2e800N.exe, command line "C:\Users\Admin\AppData\Local\Temp\63bf82b7bd6f481c0ca2ba4618f2e800N.exe" (level 2), PID 904
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\DllHost.exe, command line C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (level 1), PID 1004
- C:\Windows\Nopqrs.exe, command line C:\Windows\Nopqrs.exe (level 1), PID 1460
  Signatures:
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 216KB
  MD5: 63bf82b7bd6f481c0ca2ba4618f2e800
  SHA1: 8c4b139e9bbba1aa4da71e96aa434643e9e9f7df
  SHA256: 2073c59a323a901cf607b310b15125ef457e8c8c7fda2dce33c93f7bdd92aff3
  SHA512: 8acff7ef8a861f28469100357aee9e6677c5544f1d200c64d3f8cbea6cb174b6ce57d810cb6ea01cd6b0326d251f7f843b2d41606bb6f235bf3d404bb5a71b65
- Filesize: 255B
  MD5: bd91fbd56ae022642eee1d68f55cc25e
  SHA1: 2cd6aebb9bc68b4e118063a4eabf18908f6dcccf
  SHA256: 44970171475cf18dac2c5fc978fb2cdba8731dbd2e1517d098db1f82122a2162
  SHA512: dd5702545095d1cddc7a2645340a0b875b2e2cdae7bd4fa6eb15acdd86c9ce42bc6ad5c8673a880271d040f535a05d615e69385026f823a7dd8ead2a87740ece