Resubmissions

18-11-2024 23:11

241118-26b8assmcq 8

18-11-2024 22:54

241118-2vt9qsxame 8

Analysis

  • max time kernel: 150s
  • max time network: 154s
  • platform: windows7_x64
  • resource: win7-20240903-es
  • resource tags: arch:x64, arch:x86, image:win7-20240903-es, locale:es-es, os:windows7-x64, system, windows
  • submitted: 18-11-2024 23:11

General

  • Target: oztye8a3t88nb35f.exe
  • Size: 10.1MB
  • MD5: 7d1755e8e41a6c2f08d2faeffdf9dad1
  • SHA1: c04d89f1054f2ee34b548126a5add4eee4751ae4
  • SHA256: 44cf4321c138c4cacecc95deba735f508c96049e7f0e8f0538684dc4f0c1e9a5
  • SHA512: b099238838b0d8b258529126b3c279ac735feff778d52c3117eb3cd587267a145a09bc1317fb412b2c810ea8b2232a8218fe459e33ac99f9b48decfdc62e4816
  • SSDEEP: 196608:PE1LTxbO313norADHLHhHiVulZ/KHNV4G:PyxbOFC8b/KtV4

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 11 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\oztye8a3t88nb35f.exe (PID 1408)
    "C:\Users\Admin\AppData\Local\Temp\oztye8a3t88nb35f.exe"
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system32\taskkill.exe (PID 1692)
      taskkill.exe /F /FI "SERVICES eq RDP-Controller"
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\system32\sc.exe (PID 2340)
      sc.exe stop RDP-Controller
      • Launches sc.exe
    • C:\Windows\system32\sc.exe (PID 264)
      sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
      • Launches sc.exe
    • C:\Windows\system32\sc.exe (PID 2280)
      sc.exe failure RDP-Controller reset= 1 actions= restart/10000
      • Launches sc.exe
    • C:\Windows\system32\sc.exe (PID 2748)
      sc.exe start RDP-Controller
      • Launches sc.exe
    • C:\Windows\system32\icacls.exe (PID 2720)
      icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\system32\icacls.exe (PID 1104)
      icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
  • C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe (PID 2892)
    C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
    • Executes dropped EXE
    • Loads dropped DLL

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl
    Filesize: 456B
    MD5: 40ab00517f4227f2c3c334f1d16b65b4
    SHA1: f8d57af017e2209b4fb24122647fd7f71b67c87c
    SHA256: 4baf4b78d05a28af7dee7dbbce2b4edf6053d9239c1756c932be9f2feee4ef85
    SHA512: 75d74306f043b864295f09a60c19a43494c226664733c99318989ce5c22cb9395bb407fb5c8c0268ad9184a79813304ed5fc943a6b53db54f5f225cda31650e3

  • C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll
    Filesize: 112KB
    MD5: be6174ae2b452da9d00f9c7c4d8a675b
    SHA1: 0abd2c76c82416ae9c30124c43802e2e49c8ed28
    SHA256: a62bdf318386aaab93f1d25144cfbdc1a1125aaad867efc4e49fe79590181ebf
    SHA512: 5631b1595f8cee8c0dfa991852259fee17ea8b73a9eed900a10450bbb7c846acfc88c32930be379d60efa6ae1bbbead0a605a9f36e20129b53bca36b13ba5858

  • C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\config.ini
    Filesize: 214B
    MD5: 26702faab91b6b144715714a96728f39
    SHA1: cbdc34fc8fd3559cd49475fb5bc76176a5f88ff8
    SHA256: 83d30846dd5576de38a512b17163419d22ff35f2f5b0fe613c401e8a5a25b7a4
    SHA512: 50d35d3dcd60b6e57c1a277e6c3e7afbb5c2b46425732fc5a9fd3c0a55febf5ab3f05411a83cec230aac40199774ff78f30848d57d1e04a11b9e60777b038289

  • C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.conf
    Filesize: 8KB
    MD5: 27535cee6740dfc50a78a0322415e67c
    SHA1: e80541cf15c8ed4c5eeda8d8c24674a5b8a27f61
    SHA256: fb0cdbf4e0215ae1866e97860c2ac3dd96e7498bfe2af3d82378041cdff7f292
    SHA512: 25f11a8262b5a2f59bd6c9d8673b5ad5a140eae8c007244810b2924eb08b5cf54ae19e61be5139319877278d11868bbd85bd2e6c67f5fad4e2a458e2844ebc0c

  • C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.su3
    Filesize: 60KB
    MD5: 688fdfae15f328a84e8f19f8f4193af2
    SHA1: c65d4cda0c93b84154dfbc065ae78b9e2f7ecfa8
    SHA256: 8d37ff2458fde376a41e9e702a9049ff89e78b75669c0f681cfcafba9d49688e
    SHA512: f19bc7f204dbe3449abe9494bfff8be632f20f1b4b8272f0af71c4cec344a20617c0909c024cb4a4e0c6b266d386cb127554dc70f3a6aa7a81daf1a8748f5d2d

  • C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\router.info
    Filesize: 720B
    MD5: e5c876044839f73ed6f4c150c27deee8
    SHA1: 42f8855d5342bd0225d8d5f891888c8abd478a34
    SHA256: bbd0820904286fe2361e6abe8f1bc8a4e3fc30f992121bae1d25ed09bd7941fb
    SHA512: 9c3cc9fa89f39a385f52faa686c3d58967a10fefecb2d23c13327b357e51b5c0e2b7e03f20469c288e6a325236e1fc852449d2b44c1a4c5259789d33de6a21d1

  • C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log
    Filesize: 11KB
    MD5: 00926ce2a478295067a176d302a288e5
    SHA1: ad0eb52ab6c11b07388af579201c25612cd6e72f
    SHA256: a994040d9d600931da03f6a7552f7917661c80463008c2edf4a34f9e6bdc695f
    SHA512: 9e667a0a6f4b171c880ee8a9959042898a35298e3cfeac49d0c550001632b595bb2c96a4053434ca8e054a6fe4145c2935849bd1801976dba1fda277093ad3fd

  • C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.ini
    Filesize: 431KB
    MD5: 5fcb4b6362e04a8d1c6ecd33ad246fb9
    SHA1: e198d3e81c4b8527451133bceafa799d2115a8bb
    SHA256: 060ee1bcb5817709f2d73bb1762c5abca09faf5271e8f90503a84f9657ecdcd9
    SHA512: b5839d79d1a34da86ba9b34a9105f7cc05e642c99d84d55e3e88833544dce9fdd840f7abf0f09cd4470734f24ca7c600c3c64e4041a4481806590d3b7a6a032d

  • C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\update.pkg
    Filesize: 10.0MB
    MD5: 312704a6232d74733de04c6e00f8cf21
    SHA1: 2b4820ac82c5b851464d6563fa6ea0cb3e3629c2
    SHA256: 8d11890f2b70ba2abb4b017b05f3bb1d20eca6ad3eb84f0251e0857c77682c9b
    SHA512: 5c32b9a8267c57ce640e7612bdecd7d7ec67f4e0ab48dd97a53373d220765ab234bc28779f524e788e1e03d8857ccd7755a22f19e1a34ae36fd6f33444016f01

  • \Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll
    Filesize: 102KB
    MD5: 7a8e8a0842d8d65713dee5393e806755
    SHA1: af6f3a52009fbf62c21a290efc34a94c151b683e
    SHA256: 51c131081921626d22faf44977d5e4dcfe00e5d6cddeda877a82f13631be7c2e
    SHA512: d1b8d93b7efbeaa348d3a01293ad5d92bc8f28eb2554df5e6e71506d00d135390082c52c18d0bc3f0439b068777d8b2c43aaed930c72e5ffab2593eeac470cf4

  • \Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll
    Filesize: 90KB
    MD5: fdcf93acd089b505b524ddfa0ff947f9
    SHA1: a2bada5807ba001758dbce46da634332a5cc14c2
    SHA256: adfe373f98cabf338577963dcea279103c19ff04b1742dc748b9477dc0156bb4
    SHA512: 110455dc5c3f090a1341ee6d09d9b327cd03999c70d4a2c0b762b91bc334b0448e750cb1fd7b34ce729b8e1cd33b55a4e1fa1187586c2ff8850b2fd907afe03e

  • \Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll
    Filesize: 8.7MB
    MD5: 676064a5cc4729e609539f9c9bd9d427
    SHA1: f77ba3d5b6610b345bfd4388956c853b99c9eb60
    SHA256: 77d203e985a0bc72b7a92618487389b3a731176fdfc947b1d2ead92c8c0e766b
    SHA512: 4c876e9c1474e321c94ea81058b503d695f2b5c9dca9182c515f1ae6de065099832fd0337d011476c553958808c7d6f748566734deee6af1e74b45a690181d02

  • \Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
    Filesize: 87KB
    MD5: 4e320e2f46342d6d4657d2adbf1f22d0
    SHA1: a5acfe6397dffc61d243206885c389ea05428755
    SHA256: 7d4a26158f41de0bfd7e76d99a474785957a67f7b53ee8ad376d69abc6e33cc8
    SHA512: e8e044fd17b36d188bb5ee8e5f7bfc9aecc01ab17e954d6996b900bc60d6d57afd782c7e01df7cc76a84e04ce16f77fe882f2d86e5113f25c1c3d385cfae37a5

  • \Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll
    Filesize: 103KB
    MD5: 91a0dd29773fbfb7112c5fcff1873c13
    SHA1: e1eaf1efb134caa7da5aaa362830a68ab705c023
    SHA256: ae2d023ebbfeefd5a26eaa255ad3862c9a1c276bb0b46ff88ea9a9999406d6b6
    SHA512: f7a665a218bb2ccec32326b0e0a9845b2981f17445b5cb54bba7d6ef9e200b4538ebd19916c2dacb0bbe1b409c14a499b23ba707874ae1f1b154279c90dc33dd

  • \Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll
    Filesize: 126KB
    MD5: c89542aba45ce1084760ae8de6eae09e
    SHA1: 603560a3e4b6a8cb906ca98c907373adbf4d3b1c
    SHA256: 1b6e559dc0cb37ebb2311c7cbf01b039f0dc1c3ec6da057837451a531b1e2cb0
    SHA512: 60a0eb698afe25cdddb133fc937fee478f1e0f8af72b825c19bb2d544fafcc217babf6dd3d01704a106677e92aae3dd57538e34731c950da17f5715df0732ff6

  • \Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll
    Filesize: 36KB
    MD5: e3e4492e2c871f65b5cea8f1a14164e2
    SHA1: 81d4ad81a92177c2116c5589609a9a08a5ccd0f2
    SHA256: 32ff81be7818fa7140817fa0bc856975ae9fcb324a081d0e0560d7b5b87efb30
    SHA512: 59de035b230c9a4ad6a4ebf4befcd7798ccb38c7eda9863bc651232db22c7a4c2d5358d4d35551c2dd52f974a22eb160baee11f4751b9ca5bf4fb6334ec926c6

  • \Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll
    Filesize: 113KB
    MD5: d0f0423aeee6b6ff6754d860603d46d0
    SHA1: a06f3b9605b3398ba68154da39adf26ddee41743
    SHA256: 81da68f52df2ed997c374ccbefc56849650770fb30eda8f202bbc7fc3fe6a51d
    SHA512: c30faede4520ff1c859b8b39e351112cfc60daeca98b1359f9f86ab79bcfb996ba84f35a5b178b4abec66152864720e58f741ae13d06b64913e240a1f9e6a633

  • \Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll
    Filesize: 89KB
    MD5: 4c086c8f48c4d0f8c20410e60340aec9
    SHA1: 77481360a98f3018f92a57b66e1dc7a6ec0dd0e8
    SHA256: 0a8fcb54df736100f5792b6ce57ae165553712cb1e5701e4e0dd7620e6089f59
    SHA512: cdbcc2fd4195a6fa5a343234a745e3e7a558f68a496d376fdf6a86d585c9fa39a64f0ceb20a2d2e6e30e59ba46f62493e500d6eeb033fa981daa60f00ee42f14

  • memory/1408-99-0x000000013F430000-0x000000013FE5D000-memory.dmp (Filesize: 10.2MB)
  • memory/1408-101-0x000000013F430000-0x000000013FE5D000-memory.dmp (Filesize: 10.2MB)
  • memory/2892-109-0x000007FEF6800000-0x000007FEF6825000-memory.dmp (Filesize: 148KB)
  • memory/2892-128-0x000007FEF68C0000-0x000007FEF68E5000-memory.dmp (Filesize: 148KB)
  • memory/2892-103-0x000000013F980000-0x000000013F99F000-memory.dmp (Filesize: 124KB)
  • memory/2892-108-0x000007FEF6830000-0x000007FEF6858000-memory.dmp (Filesize: 160KB)
  • memory/2892-107-0x000007FEF6860000-0x000007FEF6884000-memory.dmp (Filesize: 144KB)
  • memory/2892-106-0x000007FEF74D0000-0x000007FEF74F0000-memory.dmp (Filesize: 128KB)
  • memory/2892-104-0x000007FEF68C0000-0x000007FEF68E5000-memory.dmp (Filesize: 148KB)
  • memory/2892-110-0x000007FEF4A30000-0x000007FEF52F5000-memory.dmp (Filesize: 8.8MB)
  • memory/2892-114-0x000007FEF74D0000-0x000007FEF74F0000-memory.dmp (Filesize: 128KB)
  • memory/2892-118-0x000007FEF4A30000-0x000007FEF52F5000-memory.dmp (Filesize: 8.8MB)
  • memory/2892-122-0x000007FEF74D0000-0x000007FEF74F0000-memory.dmp (Filesize: 128KB)
  • memory/2892-126-0x000007FEF4A30000-0x000007FEF52F5000-memory.dmp (Filesize: 8.8MB)
  • memory/2892-130-0x000007FEF74D0000-0x000007FEF74F0000-memory.dmp (Filesize: 128KB)
  • memory/2892-105-0x000007FEF6890000-0x000007FEF68B3000-memory.dmp (Filesize: 140KB)
  • memory/2892-134-0x000007FEF4A30000-0x000007FEF52F5000-memory.dmp (Filesize: 8.8MB)
  • memory/2892-139-0x000007FEF74D0000-0x000007FEF74F0000-memory.dmp (Filesize: 128KB)
  • memory/2892-137-0x000007FEF68C0000-0x000007FEF68E5000-memory.dmp (Filesize: 148KB)
  • memory/2892-143-0x000007FEF4A30000-0x000007FEF52F5000-memory.dmp (Filesize: 8.8MB)
  • memory/2892-147-0x000007FEF74D0000-0x000007FEF74F0000-memory.dmp (Filesize: 128KB)
  • memory/2892-151-0x000007FEF4A30000-0x000007FEF52F5000-memory.dmp (Filesize: 8.8MB)
  • memory/2892-156-0x000007FEF6860000-0x000007FEF6884000-memory.dmp (Filesize: 144KB)
  • memory/2892-155-0x000007FEF74D0000-0x000007FEF74F0000-memory.dmp (Filesize: 128KB)
  • memory/2892-159-0x000007FEF4A30000-0x000007FEF52F5000-memory.dmp (Filesize: 8.8MB)
  • memory/2892-250-0x000007FEF74D0000-0x000007FEF74F0000-memory.dmp (Filesize: 128KB)
  • memory/2892-248-0x000007FEF68C0000-0x000007FEF68E5000-memory.dmp (Filesize: 148KB)