Analysis
Max time kernel: 149s
Max time network: 156s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 06/09/2024, 20:32
Static task: static1
Behavioral task: behavioral1
  Sample: ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe
  Resource: win10v2004-20240802-en
General
Target: ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe
Size: 5.0MB
MD5: ddc993fe772d6df1656c22b6c0ea2df7
SHA1: 489599ffda5275896dfd4347ee68087bb54c13a1
SHA256: ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3
SHA512: 5bfbd095eeb8616b05628863acb4f7e58ccf7f24f75e749e4f03206c1c1eb8df794da6f5dbf658f64e5860f15849bae9a5c43386d11595687e8da002f9dc8804
SSDEEP: 98304:xc00zuLKe+anb7LVsmSas1+YRg74gxoD88kFCHyDcb3:xc00zuLKC7SasBS74D8pCHyg7
Malware Config
Signatures
UAC bypass 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | reg.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe
Executes dropped EXE 1 IoCs
pid | Process
3488 | uc_ctrl.exe
Loads dropped DLL 4 IoCs
pid | Process
3488 | uc_ctrl.exe
3488 | uc_ctrl.exe
3488 | uc_ctrl.exe
3488 | uc_ctrl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uc_ctrl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ipconfig.exe
Gathers network information 2 TTPs 2 IoCs
Uses a command-line utility to view the network configuration.
pid | Process
1760 | ipconfig.exe
3784 | ipconfig.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 1160 | ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe
Token: 33 | 1372 | mmc.exe
Token: SeIncBasePriorityPrivilege | 1372 | mmc.exe
Token: 33 | 1372 | mmc.exe
Token: SeIncBasePriorityPrivilege | 1372 | mmc.exe
Token: SeDebugPrivilege | 3488 | uc_ctrl.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
1160 | ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe
1160 | ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe
1372 | mmc.exe
1372 | mmc.exe
Suspicious use of WriteProcessMemory 25 IoCs
description | pid | Process | procid_target
PID 1160 wrote to memory of 2560 | 1160 | ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe | 87
PID 1160 wrote to memory of 2560 | 1160 | ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe | 87
PID 2560 wrote to memory of 1760 | 2560 | cmd.exe | 89
PID 2560 wrote to memory of 1760 | 2560 | cmd.exe | 89
PID 1160 wrote to memory of 2532 | 1160 | ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe | 90
PID 1160 wrote to memory of 2532 | 1160 | ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe | 90
PID 1160 wrote to memory of 3520 | 1160 | ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe | 92
PID 1160 wrote to memory of 3520 | 1160 | ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe | 92
PID 3520 wrote to memory of 1764 | 3520 | cmd.exe | 94
PID 3520 wrote to memory of 1764 | 3520 | cmd.exe | 94
PID 3520 wrote to memory of 3444 | 3520 | cmd.exe | 95
PID 3520 wrote to memory of 3444 | 3520 | cmd.exe | 95
PID 3520 wrote to memory of 264 | 3520 | cmd.exe | 96
PID 3520 wrote to memory of 264 | 3520 | cmd.exe | 96
PID 1160 wrote to memory of 392 | 1160 | ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe | 97
PID 1160 wrote to memory of 392 | 1160 | ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe | 97
PID 1372 wrote to memory of 3488 | 1372 | mmc.exe | 100
PID 1372 wrote to memory of 3488 | 1372 | mmc.exe | 100
PID 1372 wrote to memory of 3488 | 1372 | mmc.exe | 100
PID 3488 wrote to memory of 2276 | 3488 | uc_ctrl.exe | 106
PID 3488 wrote to memory of 2276 | 3488 | uc_ctrl.exe | 106
PID 3488 wrote to memory of 2276 | 3488 | uc_ctrl.exe | 106
PID 2276 wrote to memory of 3784 | 2276 | cmd.exe | 108
PID 2276 wrote to memory of 3784 | 2276 | cmd.exe | 108
PID 2276 wrote to memory of 3784 | 2276 | cmd.exe | 108
Processes
[1] C:\Users\Admin\AppData\Local\Temp\ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe"
    PID: 1160
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ipconfig /all
        PID: 2560
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\ipconfig.exe
            Command line: ipconfig /all
            PID: 1760
            - Gathers network information
    [2] C:\Windows\System32\netsh.exe
        Command line: "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Documents\hVWPd.xml
        PID: 2532
        - Event Triggered Execution: Netsh Helper DLL
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\3buSA.bat"
        PID: 3520
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe
            Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
            PID: 1764
            - UAC bypass
        [3] C:\Windows\system32\reg.exe
            Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
            PID: 3444
            - UAC bypass
        [3] C:\Windows\system32\reg.exe
            Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
            PID: 264
            - UAC bypass
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Documents\WVhHt\0OIfS~y\p+C:\Users\Public\Documents\WVhHt\0OIfS~y\w C:\Users\Public\Documents\WVhHt\0OIfS~y\uc_guilib.dll
        PID: 392
[1] C:\Windows\system32\mmc.exe
    Command line: C:\Windows\system32\mmc.exe -Embedding
    PID: 1372
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Public\Documents\WVhHt\0OIfS~y\uc_ctrl.exe
        Command line: "C:\Users\Public\Documents\WVhHt\0OIfS~y\uc_ctrl.exe"
        PID: 3488
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ipconfig /all
            PID: 2276
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\ipconfig.exe
                Command line: ipconfig /all
                PID: 3784
                - System Location Discovery: System Language Discovery
                - Gathers network information
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (1)
Downloads
Filesize: 392B
MD5: 30d6eb22d6aeec10347239b17b023bf4
SHA1: e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1
SHA256: 659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08
SHA512: 500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

Filesize: 179KB
MD5: 9345c5ed7eca7c83976a2cb7d9cc45ef
SHA1: 75cc5aa8fb802c78641e3b443dcbabbc16c25d41
SHA256: 67c3ea60b6d231be9c0661303fa19622af59f0ebd61adaf1e7792b71398fead6
SHA512: 0ec6af801001e53e6c4e4f7bfcb1c4e603211b36a515818e41cdfa1824934a094a38b52f1de729bc29e264d93d1c5418ddb2d66146a967166a7620839f9dbe65

Filesize: 429KB
MD5: 1d8c79f293ca86e8857149fb4efe4452
SHA1: 7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f
SHA256: c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4
SHA512: 83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Filesize: 179KB
MD5: 2d69df63c2db27a90ae4e93e040a1ccd
SHA1: 74478e079a295d47cffffd084c7c1369901d9883
SHA256: c14e5fb87ceb38161c192305b21e69d10123ee0d9653e1cbd2bcfb1f6727ee7c
SHA512: 722b8085891aa7a02670bd88fdb5952ac8ea4e9f87a7704cd21c62546690523c61436a2dfd4a42a47da5b417c7be6f22af8618c1598dafac24170235027feda1

Filesize: 1.3MB
MD5: 35be128bd588225161c645a210e4f0e2
SHA1: 368761a3202441befea1535e9234b24f7ed634f9
SHA256: ea4795afbdfe57e69e180a76c141055c1e5620c0b28d53448362e540c721f721
SHA512: d00e7c0d7a32bf8cafd997e5db5e3bc211824c4148920bed3b28453477ddfa054da5c72ce6638e33aa6c0742d113ca1c249d3f6af1d4acc2768ded6ec4b870be

Filesize: 97KB
MD5: 8aa07b7c6c632f4edf07a0e2b91f8566
SHA1: 2e72d725a845b532c19a422fb32deb629f53c824
SHA256: dd8bfbb25430e7f19e24234494324264be98ac0cc20b239e18b4dd35e26ec1bc
SHA512: a9b3eb0b0eafc53ace21e30c12ccb64b9fc152cdf52a4a2c0b395dc6f9d20181b3006dce14a16226df9010a68673bb71656d8a95ac0597a12d05c99d15e3f909

Filesize: 2.7MB
MD5: 5730626b6eb0ddaeaf62989207c47f92
SHA1: 144eee1ef279daa6bf09e24e678b9d4d965e5cab
SHA256: cf967d3e57770aabcb718d723d3625a1a3adc9f5291e5c668cf8db4e35110b3c
SHA512: c0746c96264e0f62d4f93f283006af3059fee8ec28b5ca493af310968f0e6af9d051cefdca08e0474a03badf805e3e244b705351317c2adef95f26cb2dd5fb75

Filesize: 83KB
MD5: b77eeaeaf5f8493189b89852f3a7a712
SHA1: c40cf51c2eadb070a570b969b0525dc3fb684339
SHA256: b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e
SHA512: a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Filesize: 1.3MB
MD5: f7ea5667ec13663b2c82808e553d862c
SHA1: d411f7d71f82fea0176a614f42d7c9dd750f9eab
SHA256: cc1c96ca2f1f329d79d09e3e7f0ba29ccf6a80567ed58435ab4696371a12e694
SHA512: f182b665c9b5b9a1ffcf9c798030bfacc732971e41be5badf8def8212fd1786f55160ec5bc7d00a90b57cdf4e091b2ad534e6a94abb28ab9d2f9003963678b4d