ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe
Size

5.0MB
MD5

ddc993fe772d6df1656c22b6c0ea2df7
SHA1

489599ffda5275896dfd4347ee68087bb54c13a1
SHA256

ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3
SHA512

5bfbd095eeb8616b05628863acb4f7e58ccf7f24f75e749e4f03206c1c1eb8df794da6f5dbf658f64e5860f15849bae9a5c43386d11595687e8da002f9dc8804
SSDEEP

98304:xc00zuLKe+anb7LVsmSas1+YRg74gxoD88kFCHyDcb3:xc00zuLKC7SasBS74D8pCHyg7

Score

10^/10

discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe

Executes dropped EXE 1 IoCs

pid	Process
3488	uc_ctrl.exe

Loads dropped DLL 4 IoCs

pid	Process
3488	uc_ctrl.exe
3488	uc_ctrl.exe
3488	uc_ctrl.exe
3488	uc_ctrl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uc_ctrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1760	ipconfig.exe
3784	ipconfig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1160	ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe
Token: 33	1372	mmc.exe
Token: SeIncBasePriorityPrivilege	1372	mmc.exe
Token: 33	1372	mmc.exe
Token: SeIncBasePriorityPrivilege	1372	mmc.exe
Token: SeDebugPrivilege	3488	uc_ctrl.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1160	ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe
1160	ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe
1372	mmc.exe
1372	mmc.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 2560	1160	ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe	87
PID 1160 wrote to memory of 2560	1160	ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe	87
PID 2560 wrote to memory of 1760	2560	cmd.exe	89
PID 2560 wrote to memory of 1760	2560	cmd.exe	89
PID 1160 wrote to memory of 2532	1160	ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe	90
PID 1160 wrote to memory of 2532	1160	ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe	90
PID 1160 wrote to memory of 3520	1160	ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe	92
PID 1160 wrote to memory of 3520	1160	ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe	92
PID 3520 wrote to memory of 1764	3520	cmd.exe	94
PID 3520 wrote to memory of 1764	3520	cmd.exe	94
PID 3520 wrote to memory of 3444	3520	cmd.exe	95
PID 3520 wrote to memory of 3444	3520	cmd.exe	95
PID 3520 wrote to memory of 264	3520	cmd.exe	96
PID 3520 wrote to memory of 264	3520	cmd.exe	96
PID 1160 wrote to memory of 392	1160	ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe	97
PID 1160 wrote to memory of 392	1160	ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe	97
PID 1372 wrote to memory of 3488	1372	mmc.exe	100
PID 1372 wrote to memory of 3488	1372	mmc.exe	100
PID 1372 wrote to memory of 3488	1372	mmc.exe	100
PID 3488 wrote to memory of 2276	3488	uc_ctrl.exe	106
PID 3488 wrote to memory of 2276	3488	uc_ctrl.exe	106
PID 3488 wrote to memory of 2276	3488	uc_ctrl.exe	106
PID 2276 wrote to memory of 3784	2276	cmd.exe	108
PID 2276 wrote to memory of 3784	2276	cmd.exe	108
PID 2276 wrote to memory of 3784	2276	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe
"C:\Users\Admin\AppData\Local\Temp\ca3ef6aa3d48739458f3446ac188ff1dc7f3ce6ff8816eb73ddfa6f2d305d3d3.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1760
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Documents\hVWPd.xml
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\3buSA.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:1764
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:3444
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Documents\WVhHt\0OIfS~y\p+C:\Users\Public\Documents\WVhHt\0OIfS~y\w C:\Users\Public\Documents\WVhHt\0OIfS~y\uc_guilib.dll
  2⤵
  PID:392

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Public\Documents\WVhHt\0OIfS~y\uc_ctrl.exe
  "C:\Users\Public\Documents\WVhHt\0OIfS~y\uc_ctrl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3buSA.bat

Filesize
392B

MD5
30d6eb22d6aeec10347239b17b023bf4

SHA1
e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

SHA256
659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

SHA512
500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

Download Submit
C:\Users\Public\Documents\WVhHt\0OIfS~y\LH.TXT

Filesize
179KB

MD5
9345c5ed7eca7c83976a2cb7d9cc45ef

SHA1
75cc5aa8fb802c78641e3b443dcbabbc16c25d41

SHA256
67c3ea60b6d231be9c0661303fa19622af59f0ebd61adaf1e7792b71398fead6

SHA512
0ec6af801001e53e6c4e4f7bfcb1c4e603211b36a515818e41cdfa1824934a094a38b52f1de729bc29e264d93d1c5418ddb2d66146a967166a7620839f9dbe65

Download Submit
C:\Users\Public\Documents\WVhHt\0OIfS~y\MSVCP140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Public\Documents\WVhHt\0OIfS~y\NH.txt

Filesize
179KB

MD5
2d69df63c2db27a90ae4e93e040a1ccd

SHA1
74478e079a295d47cffffd084c7c1369901d9883

SHA256
c14e5fb87ceb38161c192305b21e69d10123ee0d9653e1cbd2bcfb1f6727ee7c

SHA512
722b8085891aa7a02670bd88fdb5952ac8ea4e9f87a7704cd21c62546690523c61436a2dfd4a42a47da5b417c7be6f22af8618c1598dafac24170235027feda1

Download Submit
C:\Users\Public\Documents\WVhHt\0OIfS~y\p

Filesize
1.3MB

MD5
35be128bd588225161c645a210e4f0e2

SHA1
368761a3202441befea1535e9234b24f7ed634f9

SHA256
ea4795afbdfe57e69e180a76c141055c1e5620c0b28d53448362e540c721f721

SHA512
d00e7c0d7a32bf8cafd997e5db5e3bc211824c4148920bed3b28453477ddfa054da5c72ce6638e33aa6c0742d113ca1c249d3f6af1d4acc2768ded6ec4b870be

Download Submit
C:\Users\Public\Documents\WVhHt\0OIfS~y\uc_ctrl.exe

Filesize
97KB

MD5
8aa07b7c6c632f4edf07a0e2b91f8566

SHA1
2e72d725a845b532c19a422fb32deb629f53c824

SHA256
dd8bfbb25430e7f19e24234494324264be98ac0cc20b239e18b4dd35e26ec1bc

SHA512
a9b3eb0b0eafc53ace21e30c12ccb64b9fc152cdf52a4a2c0b395dc6f9d20181b3006dce14a16226df9010a68673bb71656d8a95ac0597a12d05c99d15e3f909

Download Submit
C:\Users\Public\Documents\WVhHt\0OIfS~y\uc_guilib.dll

Filesize
2.7MB

MD5
5730626b6eb0ddaeaf62989207c47f92

SHA1
144eee1ef279daa6bf09e24e678b9d4d965e5cab

SHA256
cf967d3e57770aabcb718d723d3625a1a3adc9f5291e5c668cf8db4e35110b3c

SHA512
c0746c96264e0f62d4f93f283006af3059fee8ec28b5ca493af310968f0e6af9d051cefdca08e0474a03badf805e3e244b705351317c2adef95f26cb2dd5fb75

Download Submit
C:\Users\Public\Documents\WVhHt\0OIfS~y\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Public\Documents\WVhHt\0OIfS~y\w

Filesize
1.3MB

MD5
f7ea5667ec13663b2c82808e553d862c

SHA1
d411f7d71f82fea0176a614f42d7c9dd750f9eab

SHA256
cc1c96ca2f1f329d79d09e3e7f0ba29ccf6a80567ed58435ab4696371a12e694

SHA512
f182b665c9b5b9a1ffcf9c798030bfacc732971e41be5badf8def8212fd1786f55160ec5bc7d00a90b57cdf4e091b2ad534e6a94abb28ab9d2f9003963678b4d

Download Submit
memory/1160-38-0x0000000180000000-0x000000018020A000-memory.dmp

Filesize
2.0MB

Download
memory/1160-0-0x0000000180000000-0x000000018020A000-memory.dmp

Filesize
2.0MB

Download
memory/1160-3-0x0000000180000000-0x000000018020A000-memory.dmp

Filesize
2.0MB

Download
memory/1160-2-0x0000000180000000-0x000000018020A000-memory.dmp

Filesize
2.0MB

Download
memory/1160-17-0x0000000180000000-0x000000018020A000-memory.dmp

Filesize
2.0MB

Download
memory/3488-28-0x00000000027C0000-0x0000000002829000-memory.dmp

Filesize
420KB

Download
memory/3488-29-0x00000000027C0000-0x0000000002829000-memory.dmp

Filesize
420KB

Download
memory/3488-30-0x00000000027C0000-0x0000000002829000-memory.dmp

Filesize
420KB

Download
memory/3488-39-0x00000000027C0000-0x0000000002829000-memory.dmp

Filesize
420KB

Download
memory/3488-41-0x00000000027C0000-0x0000000002829000-memory.dmp

Filesize
420KB

Download
memory/3488-40-0x00000000027C0000-0x0000000002829000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads