605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482

Analysis

max time kernel
110s
max time network
86s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe
Size

860KB
MD5

a8a491947c74a7dfb9f00bca59a243e0
SHA1

d951464e7c0ec23617fb35f5ae622850f6a3e5d1
SHA256

605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482
SHA512

b1c0b2248605b6e2195dac08173af551541dd50bbd86209450c6f2cfad6b7ad87ca3116cf95aadf5834f8d6a67a8caa53c905c1586be1d752b2b840bad2c974d
SSDEEP

24576:2LADaJYo8sYH4LaWhOIPqd5x43NXzofQWMSnmwrAtF19w6AYhqp:2ipTMSnU

Score

8^/10

discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

2552 netsh.exe
2012 netsh.exe
1564 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2108 cmd.exe

pid	process
2552	netsh.exe
2012	netsh.exe
1564	netsh.exe

pid	process
2108	cmd.exe

Drops startup file 2 IoCs

Processes:

605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.lnk	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.lnk	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe

Loads dropped DLL 1 IoCs

Processes:

605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe

pid process

2676 605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe

pid	process
2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

netsh.execmd.execmd.exenetsh.execmd.execmd.exenetsh.exe605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe

pid process

2676 605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe

pid process

2676 605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe

pid process

2676 605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe

pid	process
2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe

pid	process
2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe

pid	process
2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2676 wrote to memory of 876	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2676 wrote to memory of 876	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2676 wrote to memory of 876	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2676 wrote to memory of 876	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 876 wrote to memory of 2552	876	cmd.exe	netsh.exe
PID 876 wrote to memory of 2552	876	cmd.exe	netsh.exe
PID 876 wrote to memory of 2552	876	cmd.exe	netsh.exe
PID 876 wrote to memory of 2552	876	cmd.exe	netsh.exe
PID 2676 wrote to memory of 2432	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2676 wrote to memory of 2432	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2676 wrote to memory of 2432	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2676 wrote to memory of 2432	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2432 wrote to memory of 2012	2432	cmd.exe	netsh.exe
PID 2432 wrote to memory of 2012	2432	cmd.exe	netsh.exe
PID 2432 wrote to memory of 2012	2432	cmd.exe	netsh.exe
PID 2432 wrote to memory of 2012	2432	cmd.exe	netsh.exe
PID 2676 wrote to memory of 2356	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2676 wrote to memory of 2356	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2676 wrote to memory of 2356	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2676 wrote to memory of 2356	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2356 wrote to memory of 1564	2356	cmd.exe	netsh.exe
PID 2356 wrote to memory of 1564	2356	cmd.exe	netsh.exe
PID 2356 wrote to memory of 1564	2356	cmd.exe	netsh.exe
PID 2356 wrote to memory of 1564	2356	cmd.exe	netsh.exe
PID 2676 wrote to memory of 2984	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2676 wrote to memory of 2984	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2676 wrote to memory of 2984	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2676 wrote to memory of 2984	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2676 wrote to memory of 2108	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2676 wrote to memory of 2108	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2676 wrote to memory of 2108	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe
PID 2676 wrote to memory of 2108	2676	605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe
"C:\Users\Admin\AppData\Local\Temp\605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\yop95b71cd8447cde0b45bd9c3\vyr8ba3215.bat
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram program="C:\Users\Admin\AppData\Local\Temp\605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe" profile=All
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\yop95b71cd8447cde0b45bd9c3\xprf3e1fef6123ad.bat
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\netsh.exe
netsh.exe firewall add allowedprogram PROGRAM="C:\Users\Admin\AppData\Local\Temp\605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe" NAME="Session Win32" MODE=ENABLE PROFILE=ALL
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\yop95b71cd8447cde0b45bd9c3\unn534ab1f149e6295f3f5e.bat
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram program="C:\Users\Admin\AppData\Local\Temp\605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe" profile=All
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\yop95b71cd8447cde0b45bd9c3\vyx83fce6cb2b0ad5f4ce49391.bat
2⤵
- System Location Discovery: System Language Discovery
PID:2984

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\yop95b71cd8447cde0b45bd9c3\vroc59fc56b.bat
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab40AA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4197.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\exitd.vxd

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\yop95b71cd8447cde0b45bd9c3\unn534ab1f149e6295f3f5e.bat

Filesize
264B

MD5
1938ee2ea4ef6892278b486874406dbd

SHA1
ebb0c6567f60a9927b40c1481aa83e889ba61f6b

SHA256
e5f96d96a0c4d7c6ebaeedee6c37d1bb87ace6c9278af208754f1cba243a23f2

SHA512
9b12d4ff5f34e44463c40a41b2af6ce167ebf8f7b1e187f130f3970678534e6fab9c2dfd781413d6f3c4152bf5cdbba378d40f35a250da3e739fcc119ac46f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\yop95b71cd8447cde0b45bd9c3\vroc59fc56b.bat

Filesize
1KB

MD5
3217c951af743a8f68ebc27adbf99dd0

SHA1
f907f09af2cb10ca4b9772e698a5af08f2107ab8

SHA256
54d46637c11036ef423d373cdd313fa178b09ce1fe2833c918e3d15125f6aae1

SHA512
230b205cd4c8820ebd562bacc47f3988005661ea9eb3a08b75733b17e62894e3dc98a86897c92f8e370be1d5bacf04111b03c7e751cf2ba88f61550b7e588258

Download Submit
C:\Users\Admin\AppData\Local\Temp\yop95b71cd8447cde0b45bd9c3\vyr8ba3215.bat

Filesize
251B

MD5
94341a777884df4e27b8166a79bd617a

SHA1
0e1b0fef089b60a726367981f2a94cf28a8436bc

SHA256
606a5f91a9c1af93a3ccc5705e8e81eb60d1b19f8272c46cbfb42eef5c8cfbcc

SHA512
8fef24325977d1c972b629a8865d6770bb629ba93d4ba61d429c2fb53473ab79d8241fc8bd1af818f0bab2224f7d870f20e8a0c6d82569086fa2c28cda4d1769

Download Submit
C:\Users\Admin\AppData\Local\Temp\yop95b71cd8447cde0b45bd9c3\vyx83fce6cb2b0ad5f4ce49391.bat

Filesize
300B

MD5
2d03ac42d69f14fc1b1aaebba60f9616

SHA1
018eb39958ce51de660bbdfdd3e16f35b5b2a8a6

SHA256
e50ddc260ffb7f94a8d6fa07e9d074ec60ee8b51145c6fb44bef74f9d1058e7a

SHA512
df48643020b1c12c0c4b6fcf20420451af353b788311eb38040a8d6cbfd774638d6752984785bae296a1434b1c4e50f811b1dd165b0989a538842586d301d820

Download Submit
C:\Users\Admin\AppData\Local\Temp\yop95b71cd8447cde0b45bd9c3\xprf3e1fef6123ad.bat

Filesize
291B

MD5
69fced56c306b9ffab652dfcd9d64498

SHA1
35247a8c63776ce484a5297064da78a4e7106eea

SHA256
b30a1fa6e62430ef52bf8d8bcbfde08cd8cfc1895ecdf6d6024c4daa70684e49

SHA512
2d471fee9313c462aa29b2e7f863bf1a54935ddc666bbefc4dc5c20046851273c8a4a51870e5388f595e474367bb2290e8651a935476bf3003f0e3296c80a017

Download Submit
C:\Users\Admin\vpsafe25e81c90a0bf666638ca\605cbd2c44e0f04716b233626c31907a8a3a451e25a9dc2e6b8939b3ee82f482N.exe

Filesize
860KB

MD5
6d0147e292dbc13c7d30328fd14f06bd

SHA1
2efd9af6fb66596fb47ba9c280877e6441b5438c

SHA256
2184ede0e3825b17529be43987584aa8f01ed68cfa8fbe273044e39d60131d68

SHA512
30fdf10aa34b55e62bdca9ed6fc0b84aaba8c4e0396de599ab46aa793b5dc9a4370a3b40fb018ab0b9d1fd2bb17224eafe78a58dd7c662ae38077a72df7d2fb2

Download Submit
C:\Users\Admin\vpsafe25e81c90a0bf666638ca\config\configure

Filesize
20B

MD5
b375c2aa338352d53c2924d8bc47fd1e

SHA1
6454e10a2b3be9efd46302784ee9ca7c832a0ccf

SHA256
ac74eca14a434c431d0c5fe5da5331dc2868c87fa5fd7ff8fb940f60d608ca31

SHA512
f04731b22c19dd930f94a8df86cf28f0acf48651034fd568fa75509134674c35e5f0a0371193272daa4f76a37cbe079cfccab93f15b23253f468f882274deb84

Download Submit
C:\Users\Admin\vpsafe25e81c90a0bf666638ca\config\name.drv

Filesize
24B

MD5
9aeb7158521b28efb887e75c02aa4fea

SHA1
63992e4ab8c7806c1c142df8bd66d3a4c7d551be

SHA256
4b30fd3ba7398a84eb9aafe0a9d37625e2e4047758d3085fb7fc8117ed8dcc10

SHA512
ae025e42c598444665a08df5ce8dfba5298317f966a683f39afa4e4de86908755e324e6aa15cc7cf9ef9de04c7192d6d3bdea8e60925c98f08bbfdd4602a0749

Download Submit
C:\Users\Admin\vpsafe25e81c90a0bf666638ca\config\script.txt

Filesize
610B

MD5
7789e3e782fe4d1baefb3a39fcbba03b

SHA1
7c8f1204eddc6997cc3ce4f9bfff477b6716ac19

SHA256
ecf36498860fcc69a2dd2a1164f5973cbfd48fd8d9708cb3e4c99b52d806936f

SHA512
fe77c4678cc6f828e3fe4a5204d248d7a5d122da088b224ba7d26b3ac9547c131120a02ba662d0d453cea98f43feae6f008cf6279b1914e84aab0f61f8614c81

Download Submit
C:\Users\Admin\vpsafe25e81c90a0bf666638ca\config\update.txt

Filesize
1KB

MD5
78962aa5a060a2aef9141bd2d2700af2

SHA1
1646eb7823628d12e6ae6d52c3f572d66290254c

SHA256
b93f2aa97da9190e64e057caae3174191a0423f6693d312437a238f9a1e23547

SHA512
87e2038876368cee92ed0d96369f18d53c70548986218aa4add83bde6e4ba40296203d18d6944279fcab9e97aa2235b7f1e6e1ccdb43bc6d458648abb6f536ab

Download Submit