Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-es
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-es, locale:es-es, os:windows10-ltsc 2021-x64, system, windows
- submitted: 18-11-2024 23:11
Static task static1
Behavioral task behavioral1: sample oztye8a3t88nb35f.exe, resource win7-20240903-es
Behavioral task behavioral2: sample oztye8a3t88nb35f.exe, resource win10ltsc2021-20241023-es
General
- Target: oztye8a3t88nb35f.exe
- Size: 10.1MB
- MD5: 7d1755e8e41a6c2f08d2faeffdf9dad1
- SHA1: c04d89f1054f2ee34b548126a5add4eee4751ae4
- SHA256: 44cf4321c138c4cacecc95deba735f508c96049e7f0e8f0538684dc4f0c1e9a5
- SHA512: b099238838b0d8b258529126b3c279ac735feff778d52c3117eb3cd587267a145a09bc1317fb412b2c810ea8b2232a8218fe459e33ac99f9b48decfdc62e4816
- SSDEEP: 196608:PE1LTxbO313norADHLHhHiVulZ/KHNV4G:PyxbOFC8b/KtV4
Malware Config
Signatures
- Creates new service(s) (2 TTPs)
- Executes dropped EXE (1 IoC)
  pid 3680, process main.exe
- Loads dropped DLL (10 IoCs)
  pid 3680, process main.exe (10 DLL loads recorded for this process)
- Modifies file permissions (1 TTP, 2 IoCs)
  pid 4304, process icacls.exe
  pid 2416, process icacls.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 176, ioc ip-api.com
- Launches sc.exe (4 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid 4996, process sc.exe
  pid 3356, process sc.exe
  pid 3128, process sc.exe
  pid 224, process sc.exe
- Kills process with taskkill (1 IoC)
  pid 4668, process taskkill.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 3680, process main.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 4668, process taskkill.exe
  Token: SeRestorePrivilege, pid 4304, process icacls.exe
  Token: SeSecurityPrivilege, pid 2416, process icacls.exe
- Suspicious use of WriteProcessMemory (14 IoCs; each entry below is recorded twice)
  PID 520 (oztye8a3t88nb35f.exe) wrote to memory of PID 4668, procid_target 82
  PID 520 (oztye8a3t88nb35f.exe) wrote to memory of PID 224, procid_target 85
  PID 520 (oztye8a3t88nb35f.exe) wrote to memory of PID 4996, procid_target 87
  PID 520 (oztye8a3t88nb35f.exe) wrote to memory of PID 3356, procid_target 89
  PID 520 (oztye8a3t88nb35f.exe) wrote to memory of PID 3128, procid_target 91
  PID 520 (oztye8a3t88nb35f.exe) wrote to memory of PID 4304, procid_target 94
  PID 520 (oztye8a3t88nb35f.exe) wrote to memory of PID 2416, procid_target 96
Processes
- C:\Users\Admin\AppData\Local\Temp\oztye8a3t88nb35f.exe (PID 520, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\oztye8a3t88nb35f.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\taskkill.exe (PID 4668, depth 2)
    Command line: taskkill.exe /F /FI "SERVICES eq RDP-Controller"
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\sc.exe (PID 224, depth 2)
    Command line: sc.exe stop RDP-Controller
    Signatures: Launches sc.exe
  - C:\Windows\SYSTEM32\sc.exe (PID 4996, depth 2)
    Command line: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
    Signatures: Launches sc.exe
  - C:\Windows\SYSTEM32\sc.exe (PID 3356, depth 2)
    Command line: sc.exe failure RDP-Controller reset= 1 actions= restart/10000
    Signatures: Launches sc.exe
  - C:\Windows\SYSTEM32\sc.exe (PID 3128, depth 2)
    Command line: sc.exe start RDP-Controller
    Signatures: Launches sc.exe
  - C:\Windows\SYSTEM32\icacls.exe (PID 4304, depth 2)
    Command line: icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
    Signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\icacls.exe (PID 2416, depth 2)
    Command line: icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl
    Signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
- C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe (PID 3680, depth 1)
  Command line: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads