Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240903-es -
resource tags
arch:x64arch:x86image:win7-20240903-eslocale:es-esos:windows7-x64systemwindows -
submitted
18-11-2024 23:11
Static task
static1
Behavioral task
behavioral1
Sample
oztye8a3t88nb35f.exe
Resource
win7-20240903-es
Behavioral task
behavioral2
Sample
oztye8a3t88nb35f.exe
Resource
win10ltsc2021-20241023-es
General
-
Target
oztye8a3t88nb35f.exe
-
Size
10.1MB
-
MD5
7d1755e8e41a6c2f08d2faeffdf9dad1
-
SHA1
c04d89f1054f2ee34b548126a5add4eee4751ae4
-
SHA256
44cf4321c138c4cacecc95deba735f508c96049e7f0e8f0538684dc4f0c1e9a5
-
SHA512
b099238838b0d8b258529126b3c279ac735feff778d52c3117eb3cd587267a145a09bc1317fb412b2c810ea8b2232a8218fe459e33ac99f9b48decfdc62e4816
-
SSDEEP
196608:PE1LTxbO313norADHLHhHiVulZ/KHNV4G:PyxbOFC8b/KtV4
Malware Config
Signatures
-
Creates new service(s) 2 TTPs
-
Executes dropped EXE 2 IoCs
pid Process 428 Process not Found 2892 main.exe -
Loads dropped DLL 11 IoCs
pid Process 428 Process not Found 2892 main.exe 2892 main.exe 2892 main.exe 2892 main.exe 2892 main.exe 2892 main.exe 2892 main.exe 2892 main.exe 2892 main.exe 2892 main.exe -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 2720 icacls.exe 1104 icacls.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2340 sc.exe 264 sc.exe 2280 sc.exe 2748 sc.exe -
Kills process with taskkill 1 IoCs
pid Process 1692 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1692 taskkill.exe Token: SeRestorePrivilege 2720 icacls.exe Token: SeSecurityPrivilege 1104 icacls.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 1408 wrote to memory of 1692 1408 oztye8a3t88nb35f.exe 30 PID 1408 wrote to memory of 1692 1408 oztye8a3t88nb35f.exe 30 PID 1408 wrote to memory of 1692 1408 oztye8a3t88nb35f.exe 30 PID 1408 wrote to memory of 2340 1408 oztye8a3t88nb35f.exe 33 PID 1408 wrote to memory of 2340 1408 oztye8a3t88nb35f.exe 33 PID 1408 wrote to memory of 2340 1408 oztye8a3t88nb35f.exe 33 PID 1408 wrote to memory of 264 1408 oztye8a3t88nb35f.exe 35 PID 1408 wrote to memory of 264 1408 oztye8a3t88nb35f.exe 35 PID 1408 wrote to memory of 264 1408 oztye8a3t88nb35f.exe 35 PID 1408 wrote to memory of 2280 1408 oztye8a3t88nb35f.exe 37 PID 1408 wrote to memory of 2280 1408 oztye8a3t88nb35f.exe 37 PID 1408 wrote to memory of 2280 1408 oztye8a3t88nb35f.exe 37 PID 1408 wrote to memory of 2748 1408 oztye8a3t88nb35f.exe 39 PID 1408 wrote to memory of 2748 1408 oztye8a3t88nb35f.exe 39 PID 1408 wrote to memory of 2748 1408 oztye8a3t88nb35f.exe 39 PID 1408 wrote to memory of 2720 1408 oztye8a3t88nb35f.exe 42 PID 1408 wrote to memory of 2720 1408 oztye8a3t88nb35f.exe 42 PID 1408 wrote to memory of 2720 1408 oztye8a3t88nb35f.exe 42 PID 1408 wrote to memory of 1104 1408 oztye8a3t88nb35f.exe 44 PID 1408 wrote to memory of 1104 1408 oztye8a3t88nb35f.exe 44 PID 1408 wrote to memory of 1104 1408 oztye8a3t88nb35f.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\oztye8a3t88nb35f.exe"C:\Users\Admin\AppData\Local\Temp\oztye8a3t88nb35f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\system32\taskkill.exetaskkill.exe /F /FI "SERVICES eq RDP-Controller"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
-
C:\Windows\system32\sc.exesc.exe stop RDP-Controller2⤵
- Launches sc.exe
PID:2340
-
-
C:\Windows\system32\sc.exesc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore2⤵
- Launches sc.exe
PID:264
-
-
C:\Windows\system32\sc.exesc.exe failure RDP-Controller reset= 1 actions= restart/100002⤵
- Launches sc.exe
PID:2280
-
-
C:\Windows\system32\sc.exesc.exe start RDP-Controller2⤵
- Launches sc.exe
PID:2748
-
-
C:\Windows\system32\icacls.exeicacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-182⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
-
C:\Windows\system32\icacls.exeicacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1104
-
-
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeC:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
456B
MD540ab00517f4227f2c3c334f1d16b65b4
SHA1f8d57af017e2209b4fb24122647fd7f71b67c87c
SHA2564baf4b78d05a28af7dee7dbbce2b4edf6053d9239c1756c932be9f2feee4ef85
SHA51275d74306f043b864295f09a60c19a43494c226664733c99318989ce5c22cb9395bb407fb5c8c0268ad9184a79813304ed5fc943a6b53db54f5f225cda31650e3
-
Filesize
112KB
MD5be6174ae2b452da9d00f9c7c4d8a675b
SHA10abd2c76c82416ae9c30124c43802e2e49c8ed28
SHA256a62bdf318386aaab93f1d25144cfbdc1a1125aaad867efc4e49fe79590181ebf
SHA5125631b1595f8cee8c0dfa991852259fee17ea8b73a9eed900a10450bbb7c846acfc88c32930be379d60efa6ae1bbbead0a605a9f36e20129b53bca36b13ba5858
-
Filesize
214B
MD526702faab91b6b144715714a96728f39
SHA1cbdc34fc8fd3559cd49475fb5bc76176a5f88ff8
SHA25683d30846dd5576de38a512b17163419d22ff35f2f5b0fe613c401e8a5a25b7a4
SHA51250d35d3dcd60b6e57c1a277e6c3e7afbb5c2b46425732fc5a9fd3c0a55febf5ab3f05411a83cec230aac40199774ff78f30848d57d1e04a11b9e60777b038289
-
Filesize
8KB
MD527535cee6740dfc50a78a0322415e67c
SHA1e80541cf15c8ed4c5eeda8d8c24674a5b8a27f61
SHA256fb0cdbf4e0215ae1866e97860c2ac3dd96e7498bfe2af3d82378041cdff7f292
SHA51225f11a8262b5a2f59bd6c9d8673b5ad5a140eae8c007244810b2924eb08b5cf54ae19e61be5139319877278d11868bbd85bd2e6c67f5fad4e2a458e2844ebc0c
-
Filesize
60KB
MD5688fdfae15f328a84e8f19f8f4193af2
SHA1c65d4cda0c93b84154dfbc065ae78b9e2f7ecfa8
SHA2568d37ff2458fde376a41e9e702a9049ff89e78b75669c0f681cfcafba9d49688e
SHA512f19bc7f204dbe3449abe9494bfff8be632f20f1b4b8272f0af71c4cec344a20617c0909c024cb4a4e0c6b266d386cb127554dc70f3a6aa7a81daf1a8748f5d2d
-
Filesize
720B
MD5e5c876044839f73ed6f4c150c27deee8
SHA142f8855d5342bd0225d8d5f891888c8abd478a34
SHA256bbd0820904286fe2361e6abe8f1bc8a4e3fc30f992121bae1d25ed09bd7941fb
SHA5129c3cc9fa89f39a385f52faa686c3d58967a10fefecb2d23c13327b357e51b5c0e2b7e03f20469c288e6a325236e1fc852449d2b44c1a4c5259789d33de6a21d1
-
Filesize
11KB
MD500926ce2a478295067a176d302a288e5
SHA1ad0eb52ab6c11b07388af579201c25612cd6e72f
SHA256a994040d9d600931da03f6a7552f7917661c80463008c2edf4a34f9e6bdc695f
SHA5129e667a0a6f4b171c880ee8a9959042898a35298e3cfeac49d0c550001632b595bb2c96a4053434ca8e054a6fe4145c2935849bd1801976dba1fda277093ad3fd
-
Filesize
431KB
MD55fcb4b6362e04a8d1c6ecd33ad246fb9
SHA1e198d3e81c4b8527451133bceafa799d2115a8bb
SHA256060ee1bcb5817709f2d73bb1762c5abca09faf5271e8f90503a84f9657ecdcd9
SHA512b5839d79d1a34da86ba9b34a9105f7cc05e642c99d84d55e3e88833544dce9fdd840f7abf0f09cd4470734f24ca7c600c3c64e4041a4481806590d3b7a6a032d
-
Filesize
10.0MB
MD5312704a6232d74733de04c6e00f8cf21
SHA12b4820ac82c5b851464d6563fa6ea0cb3e3629c2
SHA2568d11890f2b70ba2abb4b017b05f3bb1d20eca6ad3eb84f0251e0857c77682c9b
SHA5125c32b9a8267c57ce640e7612bdecd7d7ec67f4e0ab48dd97a53373d220765ab234bc28779f524e788e1e03d8857ccd7755a22f19e1a34ae36fd6f33444016f01
-
Filesize
102KB
MD57a8e8a0842d8d65713dee5393e806755
SHA1af6f3a52009fbf62c21a290efc34a94c151b683e
SHA25651c131081921626d22faf44977d5e4dcfe00e5d6cddeda877a82f13631be7c2e
SHA512d1b8d93b7efbeaa348d3a01293ad5d92bc8f28eb2554df5e6e71506d00d135390082c52c18d0bc3f0439b068777d8b2c43aaed930c72e5ffab2593eeac470cf4
-
Filesize
90KB
MD5fdcf93acd089b505b524ddfa0ff947f9
SHA1a2bada5807ba001758dbce46da634332a5cc14c2
SHA256adfe373f98cabf338577963dcea279103c19ff04b1742dc748b9477dc0156bb4
SHA512110455dc5c3f090a1341ee6d09d9b327cd03999c70d4a2c0b762b91bc334b0448e750cb1fd7b34ce729b8e1cd33b55a4e1fa1187586c2ff8850b2fd907afe03e
-
Filesize
8.7MB
MD5676064a5cc4729e609539f9c9bd9d427
SHA1f77ba3d5b6610b345bfd4388956c853b99c9eb60
SHA25677d203e985a0bc72b7a92618487389b3a731176fdfc947b1d2ead92c8c0e766b
SHA5124c876e9c1474e321c94ea81058b503d695f2b5c9dca9182c515f1ae6de065099832fd0337d011476c553958808c7d6f748566734deee6af1e74b45a690181d02
-
Filesize
87KB
MD54e320e2f46342d6d4657d2adbf1f22d0
SHA1a5acfe6397dffc61d243206885c389ea05428755
SHA2567d4a26158f41de0bfd7e76d99a474785957a67f7b53ee8ad376d69abc6e33cc8
SHA512e8e044fd17b36d188bb5ee8e5f7bfc9aecc01ab17e954d6996b900bc60d6d57afd782c7e01df7cc76a84e04ce16f77fe882f2d86e5113f25c1c3d385cfae37a5
-
Filesize
103KB
MD591a0dd29773fbfb7112c5fcff1873c13
SHA1e1eaf1efb134caa7da5aaa362830a68ab705c023
SHA256ae2d023ebbfeefd5a26eaa255ad3862c9a1c276bb0b46ff88ea9a9999406d6b6
SHA512f7a665a218bb2ccec32326b0e0a9845b2981f17445b5cb54bba7d6ef9e200b4538ebd19916c2dacb0bbe1b409c14a499b23ba707874ae1f1b154279c90dc33dd
-
Filesize
126KB
MD5c89542aba45ce1084760ae8de6eae09e
SHA1603560a3e4b6a8cb906ca98c907373adbf4d3b1c
SHA2561b6e559dc0cb37ebb2311c7cbf01b039f0dc1c3ec6da057837451a531b1e2cb0
SHA51260a0eb698afe25cdddb133fc937fee478f1e0f8af72b825c19bb2d544fafcc217babf6dd3d01704a106677e92aae3dd57538e34731c950da17f5715df0732ff6
-
Filesize
36KB
MD5e3e4492e2c871f65b5cea8f1a14164e2
SHA181d4ad81a92177c2116c5589609a9a08a5ccd0f2
SHA25632ff81be7818fa7140817fa0bc856975ae9fcb324a081d0e0560d7b5b87efb30
SHA51259de035b230c9a4ad6a4ebf4befcd7798ccb38c7eda9863bc651232db22c7a4c2d5358d4d35551c2dd52f974a22eb160baee11f4751b9ca5bf4fb6334ec926c6
-
Filesize
113KB
MD5d0f0423aeee6b6ff6754d860603d46d0
SHA1a06f3b9605b3398ba68154da39adf26ddee41743
SHA25681da68f52df2ed997c374ccbefc56849650770fb30eda8f202bbc7fc3fe6a51d
SHA512c30faede4520ff1c859b8b39e351112cfc60daeca98b1359f9f86ab79bcfb996ba84f35a5b178b4abec66152864720e58f741ae13d06b64913e240a1f9e6a633
-
Filesize
89KB
MD54c086c8f48c4d0f8c20410e60340aec9
SHA177481360a98f3018f92a57b66e1dc7a6ec0dd0e8
SHA2560a8fcb54df736100f5792b6ce57ae165553712cb1e5701e4e0dd7620e6089f59
SHA512cdbcc2fd4195a6fa5a343234a745e3e7a558f68a496d376fdf6a86d585c9fa39a64f0ceb20a2d2e6e30e59ba46f62493e500d6eeb033fa981daa60f00ee42f14