Analysis
-
max time kernel
299s -
max time network
301s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
14-10-2024 05:03
General
-
Target
99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1.exe
-
Size
5.4MB
-
MD5
d2ecf5f2a271da094867f6dc31b3d60e
-
SHA1
b8b7ec24a5c6f1a0ad96e989003516b656256d2e
-
SHA256
99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1
-
SHA512
9b6f1a5ccf1c7312cf0a7bcbf253516d8ae9f56cc5408d6fd209e0bc26eca9237b6fed0fddd94746bba14c4f5560f279cf933647facf31a77762e05f66ff365d
-
SSDEEP
49152:wDShb1KwGF4Ilow5sADndfK0IptgSoP6MRM2BTXwmlPJmqHc4h/:VQK0/lX9PJhHc
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s) 2 TTPs
-
Stops running service(s) 4 TTPs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 10 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
cURL User-Agent 1 IoCs
Uses User-Agent string associated with cURL utility.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1.exeC:\Users\Admin\AppData\Local\Temp\99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1.exe2⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /k "C:\Users\Admin\AppData\Local\Temp\6ubvens81hg0efj8gt9bi.bat"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\n70wl5eqdspf162f780ukei9rx.exe"C:\Users\Admin\AppData\Local\Temp\n70wl5eqdspf162f780ukei9rx.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\2aua4a3z2ubye9ypmjm3splr56.exe"C:\Users\Admin\AppData\Local\Temp\2aua4a3z2ubye9ypmjm3splr56.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\taskkill.exetaskkill.exe /F /FI "SERVICES eq RDP-Controller"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\sc.exesc.exe stop RDP-Controller4⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore4⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc.exe failure RDP-Controller reset= 1 actions= restart/100004⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc.exe start RDP-Controller4⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\icacls.exeicacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-184⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\icacls.exeicacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1.exe"C:\Users\Admin\AppData\Local\Temp\99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeC:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5268b890dae39e430e8b127909067ed96
SHA135939515965c0693ef46e021254c3e73ea8c4a2b
SHA2567643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c
SHA512abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb
-
Filesize
1KB
MD582dd84ce50363d5c323f869d25090003
SHA1dd567cec77803375b0029477e8c462574189c867
SHA256e0dd4c18e02eb4f15e5dc7a406cf495816f8139b6e8c5411981e85c2636ff239
SHA512c3ea403aad797b9c144a4c1ab3b32a0d7f002bd5845a3dc8282d91df37e7cad458c6baea7c8f9f622d3c5e3cd8cd000025ad582afae2c52c2da76c3bb026871c
-
Filesize
1KB
MD5e72b361033a66e9af3423186504dd1b7
SHA19855b38ceaa0db31aca5398e5a8a702b3488b2aa
SHA2564bc8c6da07173a37858bce225d0787b5d38837f4526834848836abe0916f1c3b
SHA512bf321b1756117df219d689b59cedeed0de484266da7a1bc7a7bada57de5b6bbef35fbd0cd25c5d370a1022bb1cd59671c2af5033d659bb97482e9d8368920658
-
Filesize
10.1MB
MD57d1755e8e41a6c2f08d2faeffdf9dad1
SHA1c04d89f1054f2ee34b548126a5add4eee4751ae4
SHA25644cf4321c138c4cacecc95deba735f508c96049e7f0e8f0538684dc4f0c1e9a5
SHA512b099238838b0d8b258529126b3c279ac735feff778d52c3117eb3cd587267a145a09bc1317fb412b2c810ea8b2232a8218fe459e33ac99f9b48decfdc62e4816
-
Filesize
259B
MD5261a842203adb67547c83de132c7a076
SHA16c1a1112d2797e2e66aa5238f00533cd4eb77b3d
SHA25649adf0fc74600629f12adf366ecbacdff87b24e7f2c8dea532ea074690ef5f84
SHA5127787c5f10ec18b8970f22b26f5bb82c4a299928edb116a0b92fb000f2a141ccb4c8bcab3ab91d5e3277abda8f2d6fe80434e4aef5ee8a5cd3223cfb9989a6337
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
96KB
MD5319865d78cc8df6270e27521b8182bff
SHA1716e70b00aa2d154367028de896c7d76c9d24350
SHA256a78945e7532ecdb29b9448a1f3eef2f45ec2f01ca070b9868258cbcd31eac23f
SHA51278cd48c8ba558dffc204a70dbff13889984f80f268a715fec7fc018a7718a11822975f775d44a927c5815aa2ccc0d78502264354bf5d8c0502b5a0a323948611
-
Filesize
456B
MD540ab00517f4227f2c3c334f1d16b65b4
SHA1f8d57af017e2209b4fb24122647fd7f71b67c87c
SHA2564baf4b78d05a28af7dee7dbbce2b4edf6053d9239c1756c932be9f2feee4ef85
SHA51275d74306f043b864295f09a60c19a43494c226664733c99318989ce5c22cb9395bb407fb5c8c0268ad9184a79813304ed5fc943a6b53db54f5f225cda31650e3
-
Filesize
1KB
MD5361d8c58b3013350c66238a62f8fe93c
SHA16a78fbf45f4850baed26c22f215cb234da371de2
SHA256d5539137e6dae9cf0f38fda778086810e70dc1d536e7dedc7abd91230988d62a
SHA512b6aa58cddb683b9c87ce3d0ad3cc532daea81b6aeaae675611a36b0e44215e7c0b85207cef905a8982d820791fd4499ae1be6264d87ddf6f4045289623603326
-
Filesize
214B
MD526702faab91b6b144715714a96728f39
SHA1cbdc34fc8fd3559cd49475fb5bc76176a5f88ff8
SHA25683d30846dd5576de38a512b17163419d22ff35f2f5b0fe613c401e8a5a25b7a4
SHA51250d35d3dcd60b6e57c1a277e6c3e7afbb5c2b46425732fc5a9fd3c0a55febf5ab3f05411a83cec230aac40199774ff78f30848d57d1e04a11b9e60777b038289
-
Filesize
102KB
MD57a8e8a0842d8d65713dee5393e806755
SHA1af6f3a52009fbf62c21a290efc34a94c151b683e
SHA25651c131081921626d22faf44977d5e4dcfe00e5d6cddeda877a82f13631be7c2e
SHA512d1b8d93b7efbeaa348d3a01293ad5d92bc8f28eb2554df5e6e71506d00d135390082c52c18d0bc3f0439b068777d8b2c43aaed930c72e5ffab2593eeac470cf4
-
Filesize
90KB
MD5fdcf93acd089b505b524ddfa0ff947f9
SHA1a2bada5807ba001758dbce46da634332a5cc14c2
SHA256adfe373f98cabf338577963dcea279103c19ff04b1742dc748b9477dc0156bb4
SHA512110455dc5c3f090a1341ee6d09d9b327cd03999c70d4a2c0b762b91bc334b0448e750cb1fd7b34ce729b8e1cd33b55a4e1fa1187586c2ff8850b2fd907afe03e
-
Filesize
8KB
MD527535cee6740dfc50a78a0322415e67c
SHA1e80541cf15c8ed4c5eeda8d8c24674a5b8a27f61
SHA256fb0cdbf4e0215ae1866e97860c2ac3dd96e7498bfe2af3d82378041cdff7f292
SHA51225f11a8262b5a2f59bd6c9d8673b5ad5a140eae8c007244810b2924eb08b5cf54ae19e61be5139319877278d11868bbd85bd2e6c67f5fad4e2a458e2844ebc0c
-
Filesize
60KB
MD5688fdfae15f328a84e8f19f8f4193af2
SHA1c65d4cda0c93b84154dfbc065ae78b9e2f7ecfa8
SHA2568d37ff2458fde376a41e9e702a9049ff89e78b75669c0f681cfcafba9d49688e
SHA512f19bc7f204dbe3449abe9494bfff8be632f20f1b4b8272f0af71c4cec344a20617c0909c024cb4a4e0c6b266d386cb127554dc70f3a6aa7a81daf1a8748f5d2d
-
Filesize
80B
MD53778a0d548fdaa806d50a2fda2d367a7
SHA1bfa0e4ee5460668448d063113009c50ab989af2c
SHA2567d15968e01fcce71f79383f39118a0fc103c3b4bf074a47328f763c08a6bd916
SHA512103d95c301255a21da197c771556236f7841d6ebc22d588db044c155108ddfbc1545001e0b8956199de118dce980e82b51d8949ac2604e2a5625d90e7a096126
-
Filesize
720B
MD5ceca01f46b2f906982b9c72b340de8c1
SHA15ca29a05df7ad4dac8fc28e0b910375066f0831c
SHA256657e669cc1e7be5fa29bd4bb33ab044b382f1480a249c501e30abb2221d2160a
SHA51269fd69814000b989d0d259ec0c2b8d42575120d8d7087c47c22484368a6818f338d2313d3dcc32e71f9406bbfbd4a23c1acd274306957a8e7c5197984608bb02
-
Filesize
455B
MD51847a79548a3c37bc5441cbaebf14bce
SHA1916ac49a08a1ccbc6a9b70c15b4061bccc355fba
SHA256925088e1a7df2365b47e55746afd241da409ee6534efdc9bfe56572c40e0196f
SHA51244804c38c08749650814231097cbd0090f39aa806a0ae9093b2d6a5dd024b5630ce2bab3eddf61ce52d67a38fa0cd3d9a9f01a06076ba1ddc1ae59cca63f22a0
-
Filesize
96B
MD50bf35ab0a8a638c8a449469d988faf53
SHA1448f03b12436cc2b81a71cd9758c8e7ff9c6c652
SHA256e7bb4a8b3f2e0fcc0e478835aed5cfd755d9b37d64321e9b1235a5c73ba93781
SHA512f61c954832bb53c751cfa01e61498db0d5c4e97497b26533a2b42aeab7a60c5779e8ba60908fa79ccd0811bf9854cab2ff32fc62fad259e8d08e291a73fac0aa
-
Filesize
8.7MB
MD5676064a5cc4729e609539f9c9bd9d427
SHA1f77ba3d5b6610b345bfd4388956c853b99c9eb60
SHA25677d203e985a0bc72b7a92618487389b3a731176fdfc947b1d2ead92c8c0e766b
SHA5124c876e9c1474e321c94ea81058b503d695f2b5c9dca9182c515f1ae6de065099832fd0337d011476c553958808c7d6f748566734deee6af1e74b45a690181d02
-
Filesize
87KB
MD54e320e2f46342d6d4657d2adbf1f22d0
SHA1a5acfe6397dffc61d243206885c389ea05428755
SHA2567d4a26158f41de0bfd7e76d99a474785957a67f7b53ee8ad376d69abc6e33cc8
SHA512e8e044fd17b36d188bb5ee8e5f7bfc9aecc01ab17e954d6996b900bc60d6d57afd782c7e01df7cc76a84e04ce16f77fe882f2d86e5113f25c1c3d385cfae37a5
-
Filesize
12KB
MD5cc01968302bb1f65a28011f294df1aaa
SHA1e34add943e30ea4f236e273dfe3a3316e1cc0efb
SHA256384acdc4529d4c70aeb10e5b10e5c3199b2868f2460a5d9b27c388306ec0e634
SHA51289528df12f76ea6b2c62824808b53b30078e2d7835ec1e367a18a9e917e35861df7370a5eeaf8b10cfb6a6988152714b0841c791b704502ea3e0c51604e677f5
-
Filesize
103KB
MD591a0dd29773fbfb7112c5fcff1873c13
SHA1e1eaf1efb134caa7da5aaa362830a68ab705c023
SHA256ae2d023ebbfeefd5a26eaa255ad3862c9a1c276bb0b46ff88ea9a9999406d6b6
SHA512f7a665a218bb2ccec32326b0e0a9845b2981f17445b5cb54bba7d6ef9e200b4538ebd19916c2dacb0bbe1b409c14a499b23ba707874ae1f1b154279c90dc33dd
-
Filesize
126KB
MD5c89542aba45ce1084760ae8de6eae09e
SHA1603560a3e4b6a8cb906ca98c907373adbf4d3b1c
SHA2561b6e559dc0cb37ebb2311c7cbf01b039f0dc1c3ec6da057837451a531b1e2cb0
SHA51260a0eb698afe25cdddb133fc937fee478f1e0f8af72b825c19bb2d544fafcc217babf6dd3d01704a106677e92aae3dd57538e34731c950da17f5715df0732ff6
-
Filesize
36KB
MD5e3e4492e2c871f65b5cea8f1a14164e2
SHA181d4ad81a92177c2116c5589609a9a08a5ccd0f2
SHA25632ff81be7818fa7140817fa0bc856975ae9fcb324a081d0e0560d7b5b87efb30
SHA51259de035b230c9a4ad6a4ebf4befcd7798ccb38c7eda9863bc651232db22c7a4c2d5358d4d35551c2dd52f974a22eb160baee11f4751b9ca5bf4fb6334ec926c6
-
Filesize
113KB
MD5d0f0423aeee6b6ff6754d860603d46d0
SHA1a06f3b9605b3398ba68154da39adf26ddee41743
SHA25681da68f52df2ed997c374ccbefc56849650770fb30eda8f202bbc7fc3fe6a51d
SHA512c30faede4520ff1c859b8b39e351112cfc60daeca98b1359f9f86ab79bcfb996ba84f35a5b178b4abec66152864720e58f741ae13d06b64913e240a1f9e6a633
-
Filesize
89KB
MD54c086c8f48c4d0f8c20410e60340aec9
SHA177481360a98f3018f92a57b66e1dc7a6ec0dd0e8
SHA2560a8fcb54df736100f5792b6ce57ae165553712cb1e5701e4e0dd7620e6089f59
SHA512cdbcc2fd4195a6fa5a343234a745e3e7a558f68a496d376fdf6a86d585c9fa39a64f0ceb20a2d2e6e30e59ba46f62493e500d6eeb033fa981daa60f00ee42f14
-
Filesize
431KB
MD55fcb4b6362e04a8d1c6ecd33ad246fb9
SHA1e198d3e81c4b8527451133bceafa799d2115a8bb
SHA256060ee1bcb5817709f2d73bb1762c5abca09faf5271e8f90503a84f9657ecdcd9
SHA512b5839d79d1a34da86ba9b34a9105f7cc05e642c99d84d55e3e88833544dce9fdd840f7abf0f09cd4470734f24ca7c600c3c64e4041a4481806590d3b7a6a032d
-
Filesize
10.0MB
MD5312704a6232d74733de04c6e00f8cf21
SHA12b4820ac82c5b851464d6563fa6ea0cb3e3629c2
SHA2568d11890f2b70ba2abb4b017b05f3bb1d20eca6ad3eb84f0251e0857c77682c9b
SHA5125c32b9a8267c57ce640e7612bdecd7d7ec67f4e0ab48dd97a53373d220765ab234bc28779f524e788e1e03d8857ccd7755a22f19e1a34ae36fd6f33444016f01
-
Filesize
112KB
MD5be6174ae2b452da9d00f9c7c4d8a675b
SHA10abd2c76c82416ae9c30124c43802e2e49c8ed28
SHA256a62bdf318386aaab93f1d25144cfbdc1a1125aaad867efc4e49fe79590181ebf
SHA5125631b1595f8cee8c0dfa991852259fee17ea8b73a9eed900a10450bbb7c846acfc88c32930be379d60efa6ae1bbbead0a605a9f36e20129b53bca36b13ba5858
-
Filesize
5.5MB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
148KB
-
Filesize
124KB
-
Filesize
148KB
-
Filesize
128KB
-
Filesize
8.8MB
-
Filesize
128KB
-
Filesize
148KB
-
Filesize
140KB
-
Filesize
128KB
-
Filesize
144KB
-
Filesize
8.8MB
-
Filesize
160KB
-
Filesize
472KB
-
Filesize
136KB
-
Filesize
10.2MB
-
Filesize
128KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
5.5MB
-
Filesize
240KB