Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/09/2024, 20:32

General

  • Target

    ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe

  • Size

    5.0MB

  • MD5

    ddc993fe772d6df1656c22b6c0ea2df7

  • SHA1

    489599ffda5275896dfd4347ee68087bb54c13a1

  • SHA256

    ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3

  • SHA512

    5bfbd095eeb8616b05628863acb4f7e58ccf7f24f75e749e4f03206c1c1eb8df794da6f5dbf658f64e5860f15849bae9a5c43386d11595687e8da002f9dc8804

  • SSDEEP

    98304:xc00zuLKe+anb7LVsmSas1+YRg74gxoD88kFCHyDcb3:xc00zuLKC7SasBS74D8pCHyg7

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 2 IoCs

    Uses a command-line utility to view the network configuration.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe
    "C:\Users\Admin\AppData\Local\Temp\ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:1760
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Documents\hVWPd.xml
      2⤵
      • Event Triggered Execution: Netsh Helper DLL
      PID:2532
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\3buSA.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3520
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:1764
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:3444
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:264
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Documents\WVhHt\0OIfS~y\p+C:\Users\Public\Documents\WVhHt\0OIfS~y\w C:\Users\Public\Documents\WVhHt\0OIfS~y\uc_guilib.dll
      2⤵
        PID:392
    • C:\Windows\system32\mmc.exe
      C:\Windows\system32\mmc.exe -Embedding
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Users\Public\Documents\WVhHt\0OIfS~y\uc_ctrl.exe
        "C:\Users\Public\Documents\WVhHt\0OIfS~y\uc_ctrl.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3488
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ipconfig /all
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2276
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /all
            4⤵
            • System Location Discovery: System Language Discovery
            • Gathers network information
            PID:3784

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\3buSA.bat

      Filesize

      392B

      MD5

      30d6eb22d6aeec10347239b17b023bf4

      SHA1

      e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

      SHA256

      659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

      SHA512

      500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

    • C:\Users\Public\Documents\WVhHt\0OIfS~y\LH.TXT

      Filesize

      179KB

      MD5

      9345c5ed7eca7c83976a2cb7d9cc45ef

      SHA1

      75cc5aa8fb802c78641e3b443dcbabbc16c25d41

      SHA256

      67c3ea60b6d231be9c0661303fa19622af59f0ebd61adaf1e7792b71398fead6

      SHA512

      0ec6af801001e53e6c4e4f7bfcb1c4e603211b36a515818e41cdfa1824934a094a38b52f1de729bc29e264d93d1c5418ddb2d66146a967166a7620839f9dbe65

    • C:\Users\Public\Documents\WVhHt\0OIfS~y\MSVCP140.dll

      Filesize

      429KB

      MD5

      1d8c79f293ca86e8857149fb4efe4452

      SHA1

      7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

      SHA256

      c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

      SHA512

      83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

    • C:\Users\Public\Documents\WVhHt\0OIfS~y\NH.txt

      Filesize

      179KB

      MD5

      2d69df63c2db27a90ae4e93e040a1ccd

      SHA1

      74478e079a295d47cffffd084c7c1369901d9883

      SHA256

      c14e5fb87ceb38161c192305b21e69d10123ee0d9653e1cbd2bcfb1f6727ee7c

      SHA512

      722b8085891aa7a02670bd88fdb5952ac8ea4e9f87a7704cd21c62546690523c61436a2dfd4a42a47da5b417c7be6f22af8618c1598dafac24170235027feda1

    • C:\Users\Public\Documents\WVhHt\0OIfS~y\p

      Filesize

      1.3MB

      MD5

      35be128bd588225161c645a210e4f0e2

      SHA1

      368761a3202441befea1535e9234b24f7ed634f9

      SHA256

      ea4795afbdfe57e69e180a76c141055c1e5620c0b28d53448362e540c721f721

      SHA512

      d00e7c0d7a32bf8cafd997e5db5e3bc211824c4148920bed3b28453477ddfa054da5c72ce6638e33aa6c0742d113ca1c249d3f6af1d4acc2768ded6ec4b870be

    • C:\Users\Public\Documents\WVhHt\0OIfS~y\uc_ctrl.exe

      Filesize

      97KB

      MD5

      8aa07b7c6c632f4edf07a0e2b91f8566

      SHA1

      2e72d725a845b532c19a422fb32deb629f53c824

      SHA256

      dd8bfbb25430e7f19e24234494324264be98ac0cc20b239e18b4dd35e26ec1bc

      SHA512

      a9b3eb0b0eafc53ace21e30c12ccb64b9fc152cdf52a4a2c0b395dc6f9d20181b3006dce14a16226df9010a68673bb71656d8a95ac0597a12d05c99d15e3f909

    • C:\Users\Public\Documents\WVhHt\0OIfS~y\uc_guilib.dll

      Filesize

      2.7MB

      MD5

      5730626b6eb0ddaeaf62989207c47f92

      SHA1

      144eee1ef279daa6bf09e24e678b9d4d965e5cab

      SHA256

      cf967d3e57770aabcb718d723d3625a1a3adc9f5291e5c668cf8db4e35110b3c

      SHA512

      c0746c96264e0f62d4f93f283006af3059fee8ec28b5ca493af310968f0e6af9d051cefdca08e0474a03badf805e3e244b705351317c2adef95f26cb2dd5fb75

    • C:\Users\Public\Documents\WVhHt\0OIfS~y\vcruntime140.dll

      Filesize

      83KB

      MD5

      b77eeaeaf5f8493189b89852f3a7a712

      SHA1

      c40cf51c2eadb070a570b969b0525dc3fb684339

      SHA256

      b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

      SHA512

      a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

    • C:\Users\Public\Documents\WVhHt\0OIfS~y\w

      Filesize

      1.3MB

      MD5

      f7ea5667ec13663b2c82808e553d862c

      SHA1

      d411f7d71f82fea0176a614f42d7c9dd750f9eab

      SHA256

      cc1c96ca2f1f329d79d09e3e7f0ba29ccf6a80567ed58435ab4696371a12e694

      SHA512

      f182b665c9b5b9a1ffcf9c798030bfacc732971e41be5badf8def8212fd1786f55160ec5bc7d00a90b57cdf4e091b2ad534e6a94abb28ab9d2f9003963678b4d

    • memory/1160-38-0x0000000180000000-0x000000018020A000-memory.dmp

      Filesize

      2.0MB

    • memory/1160-0-0x0000000180000000-0x000000018020A000-memory.dmp

      Filesize

      2.0MB

    • memory/1160-3-0x0000000180000000-0x000000018020A000-memory.dmp

      Filesize

      2.0MB

    • memory/1160-2-0x0000000180000000-0x000000018020A000-memory.dmp

      Filesize

      2.0MB

    • memory/1160-17-0x0000000180000000-0x000000018020A000-memory.dmp

      Filesize

      2.0MB

    • memory/3488-28-0x00000000027C0000-0x0000000002829000-memory.dmp

      Filesize

      420KB

    • memory/3488-29-0x00000000027C0000-0x0000000002829000-memory.dmp

      Filesize

      420KB

    • memory/3488-30-0x00000000027C0000-0x0000000002829000-memory.dmp

      Filesize

      420KB

    • memory/3488-39-0x00000000027C0000-0x0000000002829000-memory.dmp

      Filesize

      420KB

    • memory/3488-41-0x00000000027C0000-0x0000000002829000-memory.dmp

      Filesize

      420KB

    • memory/3488-40-0x00000000027C0000-0x0000000002829000-memory.dmp

      Filesize

      420KB