468a8314386d384a45e3d8630659754b011435a13265ef04b018efb0b245de2f

General

Target

468a8314386d384a45e3d8630659754b011435a13265ef04b018efb0b245de2f.exe
Size

4.2MB
MD5

cfb913a71362724623058dc178389483
SHA1

d9727d0b94fc8891eb6dab6a3ef33228c1ac9168
SHA256

468a8314386d384a45e3d8630659754b011435a13265ef04b018efb0b245de2f
SHA512

33c69dcc2308d41c5e66eff74318bb38d3c1a89a43076ce6285900f6426d8d0510d7f7b8d299a8b872ec69224feaebeb0d0fc0f9c35db990c8e269089d4c7a9c
SSDEEP

98304:Oc6IHvOwiGrbRzpNA08dRIR3VxYQtYy4HUStq1Ds0L2EFSWP1ngot7J:16IHGNGrbRzbA08UVVxYiYy6US0Ds02C

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\uafzxqt.sys	kill.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\raseftzs\ImagePath = "system32\\drivers\\uafzxqt.sys"	kill.exe

Executes dropped EXE 1 IoCs

pid	Process
2584	kill.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2584-7-0x0000000000400000-0x00000000006B4000-memory.dmp	upx
behavioral1/files/0x0008000000016ae9-5.dat	upx
behavioral1/memory/2584-14-0x0000000000400000-0x00000000006B4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\System32\\svchosts.exe"	468a8314386d384a45e3d8630659754b011435a13265ef04b018efb0b245de2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchosts = "C:\\Windows\\System32\\svchosts.exe"	468a8314386d384a45e3d8630659754b011435a13265ef04b018efb0b245de2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Cleanup = "C:\\cleanup.exe"	kill.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchosts.exe	468a8314386d384a45e3d8630659754b011435a13265ef04b018efb0b245de2f.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	468a8314386d384a45e3d8630659754b011435a13265ef04b018efb0b245de2f.exe
File created	C:\Windows\SysWOW64\MT_3001274.txt	468a8314386d384a45e3d8630659754b011435a13265ef04b018efb0b245de2f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\avmifd.txt	kill.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	468a8314386d384a45e3d8630659754b011435a13265ef04b018efb0b245de2f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2604	468a8314386d384a45e3d8630659754b011435a13265ef04b018efb0b245de2f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2584	kill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2584	kill.exe
2584	kill.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2584	2604	468a8314386d384a45e3d8630659754b011435a13265ef04b018efb0b245de2f.exe	29
PID 2604 wrote to memory of 2584	2604	468a8314386d384a45e3d8630659754b011435a13265ef04b018efb0b245de2f.exe	29
PID 2604 wrote to memory of 2584	2604	468a8314386d384a45e3d8630659754b011435a13265ef04b018efb0b245de2f.exe	29
PID 2604 wrote to memory of 2584	2604	468a8314386d384a45e3d8630659754b011435a13265ef04b018efb0b245de2f.exe	29

C:\Users\Admin\AppData\Local\Temp\468a8314386d384a45e3d8630659754b011435a13265ef04b018efb0b245de2f.exe
"C:\Users\Admin\AppData\Local\Temp\468a8314386d384a45e3d8630659754b011435a13265ef04b018efb0b245de2f.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2604
- \??\c:\kill.exe
  c:\kill.exe /nogui c:\Metendo.txt
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\cleanup.bat

Filesize
574B

MD5
f729045a51896f374fee1ab23eb8fe7f

SHA1
62890664667b1f3361eadf1d7c4bf61ae0477370

SHA256
40bf96d24a051c9fd666c603e29ce70e1dab97feea0406fd32a167bb44c2c8c6

SHA512
40b7fd24237046761700364e4d3be4fff69913862385d1833d43430a90b0b90ca0762b8c971bda16ec8c6c936f344a5898375212b25073ae2f9e7932efac9c36

Download Submit
C:\kill.exe

Filesize
714KB

MD5
30f3680e007d924960fd65524de36601

SHA1
23f1e67e28052188432d2031335a79cb5ae72a8f

SHA256
6485271fe48f7be4cb49735c60fa4cf2ff52f235e2b24bfba22df6ea75fda1d7

SHA512
33323b60353430962ef0e07dd166625ae8cb1d2080f75859d35cf0c807d146ccd7272feef37ebbe8ce77f988658ef0dee6602f9b1bcf429cd0c1898862b5091a

Download Submit
C:\zip.exe

Filesize
132KB

MD5
db9b1cc34b35136f35e333de520c15f5

SHA1
538bc7ab67c44c44e998bac022fefdddbaa1976f

SHA256
f192a871ed2e942275aa3629351c08eb8383dedec7c10024fda9b642633685e1

SHA512
c4e48ed3691c6396a8e2829718276edf12d5537d007266ae796b8089f0967bb0659b2fbc757ed9b36e88a2a1d5e5f22f7b8f675396982d01fe5fcfb91ffda580

Download Submit
\??\c:\Metendo.txt

Filesize
1KB

MD5
081532d105975efce297526bbe74be57

SHA1
24f47f629af6315d18fe7a9ea18aa185c4482fba

SHA256
de890effdb6f8b9b1d350145ecbeac5a12faa4249aa7c815eed0d5b3915c785a

SHA512
4e005dfa47b20c10f0c24e41a70c7c57c6d71028d084009022ea32bb323acf2c9e8dc134278788d93fdba4f7741aeabac9a1e6da0888c5afe64b1f950591a839

Download Submit
memory/2584-7-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2584-14-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2604-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2604-6-0x0000000005710000-0x00000000059C4000-memory.dmp

Filesize
2.7MB

Download
memory/2604-17-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2604-18-0x0000000005710000-0x00000000059C4000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads