44cf4321c138c4cacecc95deba735f508c96049e7f0e8f0538684dc4f0c1e9a5

Resubmissions

18-11-2024 23:11

241118-26b8assmcq 8

18-11-2024 22:54

241118-2vt9qsxame 8

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

oztye8a3t88nb35f.exe
Size

10.1MB
MD5

7d1755e8e41a6c2f08d2faeffdf9dad1
SHA1

c04d89f1054f2ee34b548126a5add4eee4751ae4
SHA256

44cf4321c138c4cacecc95deba735f508c96049e7f0e8f0538684dc4f0c1e9a5
SHA512

b099238838b0d8b258529126b3c279ac735feff778d52c3117eb3cd587267a145a09bc1317fb412b2c810ea8b2232a8218fe459e33ac99f9b48decfdc62e4816
SSDEEP

196608:PE1LTxbO313norADHLHhHiVulZ/KHNV4G:PyxbOFC8b/KtV4

Score

8^/10

discovery evasion execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
2608	main.exe

Loads dropped DLL 10 IoCs

pid	Process
2608	main.exe
2608	main.exe
2608	main.exe
2608	main.exe
2608	main.exe
2608	main.exe
2608	main.exe
2608	main.exe
2608	main.exe
2608	main.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2136	icacls.exe
1412	icacls.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
215	ip-api.com

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2368	sc.exe
4832	sc.exe
1112	sc.exe
3276	sc.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3120	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2608	main.exe
2608	main.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3120	taskkill.exe
Token: SeRestorePrivilege	2136	icacls.exe
Token: SeSecurityPrivilege	1412	icacls.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 3120	1708	oztye8a3t88nb35f.exe	87
PID 1708 wrote to memory of 3120	1708	oztye8a3t88nb35f.exe	87
PID 1708 wrote to memory of 2368	1708	oztye8a3t88nb35f.exe	92
PID 1708 wrote to memory of 2368	1708	oztye8a3t88nb35f.exe	92
PID 1708 wrote to memory of 4832	1708	oztye8a3t88nb35f.exe	94
PID 1708 wrote to memory of 4832	1708	oztye8a3t88nb35f.exe	94
PID 1708 wrote to memory of 1112	1708	oztye8a3t88nb35f.exe	96
PID 1708 wrote to memory of 1112	1708	oztye8a3t88nb35f.exe	96
PID 1708 wrote to memory of 3276	1708	oztye8a3t88nb35f.exe	98
PID 1708 wrote to memory of 3276	1708	oztye8a3t88nb35f.exe	98
PID 1708 wrote to memory of 2136	1708	oztye8a3t88nb35f.exe	101
PID 1708 wrote to memory of 2136	1708	oztye8a3t88nb35f.exe	101
PID 1708 wrote to memory of 1412	1708	oztye8a3t88nb35f.exe	103
PID 1708 wrote to memory of 1412	1708	oztye8a3t88nb35f.exe	103

cURL User-Agent 1 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	216	curl/8.4.0

C:\Users\Admin\AppData\Local\Temp\oztye8a3t88nb35f.exe
"C:\Users\Admin\AppData\Local\Temp\oztye8a3t88nb35f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill.exe /F /FI "SERVICES eq RDP-Controller"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3120
- C:\Windows\SYSTEM32\sc.exe
  sc.exe stop RDP-Controller
  2⤵
  - Launches sc.exe
  PID:2368
- C:\Windows\SYSTEM32\sc.exe
  sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
  2⤵
  - Launches sc.exe
  PID:4832
- C:\Windows\SYSTEM32\sc.exe
  sc.exe failure RDP-Controller reset= 1 actions= restart/10000
  2⤵
  - Launches sc.exe
  PID:1112
- C:\Windows\SYSTEM32\sc.exe
  sc.exe start RDP-Controller
  2⤵
  - Launches sc.exe
  PID:3276
- C:\Windows\SYSTEM32\icacls.exe
  icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\SYSTEM32\icacls.exe
  icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1412

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl

Filesize
456B

MD5
40ab00517f4227f2c3c334f1d16b65b4

SHA1
f8d57af017e2209b4fb24122647fd7f71b67c87c

SHA256
4baf4b78d05a28af7dee7dbbce2b4edf6053d9239c1756c932be9f2feee4ef85

SHA512
75d74306f043b864295f09a60c19a43494c226664733c99318989ce5c22cb9395bb407fb5c8c0268ad9184a79813304ed5fc943a6b53db54f5f225cda31650e3

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log

Filesize
1KB

MD5
f9a62b1829e17effdbe918ec8a1d79f6

SHA1
0a7d5a6a70992b32e84329fd7c9bd77381c936a2

SHA256
c18cbd508721594f32076c77b917cc261e5ad86eb34fe75d8900ec01fa37abdf

SHA512
62428b1c7a42f74878ce372241931ae80ccbbc4f498732d85a69cfa511b081656a848addc9aa8a11df1d72d2d65c93748c155de75c2464d75f77265994060084

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\config.ini

Filesize
214B

MD5
26702faab91b6b144715714a96728f39

SHA1
cbdc34fc8fd3559cd49475fb5bc76176a5f88ff8

SHA256
83d30846dd5576de38a512b17163419d22ff35f2f5b0fe613c401e8a5a25b7a4

SHA512
50d35d3dcd60b6e57c1a277e6c3e7afbb5c2b46425732fc5a9fd3c0a55febf5ab3f05411a83cec230aac40199774ff78f30848d57d1e04a11b9e60777b038289

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll

Filesize
102KB

MD5
7a8e8a0842d8d65713dee5393e806755

SHA1
af6f3a52009fbf62c21a290efc34a94c151b683e

SHA256
51c131081921626d22faf44977d5e4dcfe00e5d6cddeda877a82f13631be7c2e

SHA512
d1b8d93b7efbeaa348d3a01293ad5d92bc8f28eb2554df5e6e71506d00d135390082c52c18d0bc3f0439b068777d8b2c43aaed930c72e5ffab2593eeac470cf4

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll

Filesize
90KB

MD5
fdcf93acd089b505b524ddfa0ff947f9

SHA1
a2bada5807ba001758dbce46da634332a5cc14c2

SHA256
adfe373f98cabf338577963dcea279103c19ff04b1742dc748b9477dc0156bb4

SHA512
110455dc5c3f090a1341ee6d09d9b327cd03999c70d4a2c0b762b91bc334b0448e750cb1fd7b34ce729b8e1cd33b55a4e1fa1187586c2ff8850b2fd907afe03e

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.conf

Filesize
8KB

MD5
27535cee6740dfc50a78a0322415e67c

SHA1
e80541cf15c8ed4c5eeda8d8c24674a5b8a27f61

SHA256
fb0cdbf4e0215ae1866e97860c2ac3dd96e7498bfe2af3d82378041cdff7f292

SHA512
25f11a8262b5a2f59bd6c9d8673b5ad5a140eae8c007244810b2924eb08b5cf54ae19e61be5139319877278d11868bbd85bd2e6c67f5fad4e2a458e2844ebc0c

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.su3

Filesize
60KB

MD5
688fdfae15f328a84e8f19f8f4193af2

SHA1
c65d4cda0c93b84154dfbc065ae78b9e2f7ecfa8

SHA256
8d37ff2458fde376a41e9e702a9049ff89e78b75669c0f681cfcafba9d49688e

SHA512
f19bc7f204dbe3449abe9494bfff8be632f20f1b4b8272f0af71c4cec344a20617c0909c024cb4a4e0c6b266d386cb127554dc70f3a6aa7a81daf1a8748f5d2d

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\ntcp2.keys

Filesize
80B

MD5
b8164375ed14dd7da02c48199a3e477e

SHA1
b269a9c6bee3f7f6aec9ebef4cfb77912708babc

SHA256
da01720aad694d1e4ed147fd5f9cdf41554ac60bc9d291747b66b08332f9c5f8

SHA512
cd7d6492c183168f7b0dac84dbc04fa440560aa73a117d2ff3830af85ef7d5d9a46d797e0c6ff6684526114e56534420be8e370f2a55d59912aaa04ae2ceb7af

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\router.info

Filesize
720B

MD5
61ff5db1b0897f5a8d0eca1e6d4124e6

SHA1
92a9b16f9844e07117cc2edd4528090cf22b985c

SHA256
7108f8c9bd5d7c8a5e95003171cd56dbd97b9d41f763b1733a00bdec9113a887

SHA512
955b37ecdf9bc553eb9ea336729f9efc9645f5513c81e8dbc36ce8a47fd6271fa7a25e2ee8926827dedbd01484fe5397488b12652cd0cd988f3015358add192d

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\router.keys

Filesize
455B

MD5
3ae4504d7b8c8812ee5f7573f26a1ee5

SHA1
0ed2e1594110f0a133d4679e1b148562d9493a38

SHA256
a384d8eef876ccbe05b244f9b1e4c9026f0d55c4790cc9a76ba8a38338ed01c2

SHA512
2e3b53d7b0ed9304802f2f521c2a8a27fce4651a77303af32befd8f0f39b83030a98a670b68caec793032efeb60848d23904cf62e01db0a31bc65dd6618ef413

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\ssu2.keys

Filesize
96B

MD5
b83de029306892ade3433867682079a8

SHA1
24703a36d9e78dff67ce5b00cd1463794fb63aed

SHA256
5ac12ee181f3bde4ae4782bfa6faace026e77dc01da71bbeb33a84c2908d1841

SHA512
f1691944cfc95a40eb78f3fc72bd4b4acf48aeec07ee8ded92e809e858060219518cd229916f4f83fc6c1e699d3623eafb7736e64d7f1740764015a111506467

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll

Filesize
8.7MB

MD5
676064a5cc4729e609539f9c9bd9d427

SHA1
f77ba3d5b6610b345bfd4388956c853b99c9eb60

SHA256
77d203e985a0bc72b7a92618487389b3a731176fdfc947b1d2ead92c8c0e766b

SHA512
4c876e9c1474e321c94ea81058b503d695f2b5c9dca9182c515f1ae6de065099832fd0337d011476c553958808c7d6f748566734deee6af1e74b45a690181d02

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Filesize
87KB

MD5
4e320e2f46342d6d4657d2adbf1f22d0

SHA1
a5acfe6397dffc61d243206885c389ea05428755

SHA256
7d4a26158f41de0bfd7e76d99a474785957a67f7b53ee8ad376d69abc6e33cc8

SHA512
e8e044fd17b36d188bb5ee8e5f7bfc9aecc01ab17e954d6996b900bc60d6d57afd782c7e01df7cc76a84e04ce16f77fe882f2d86e5113f25c1c3d385cfae37a5

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log

Filesize
12KB

MD5
af8c7d4e21e14dba8cab0353bb4aee9a

SHA1
33d0f77efb942f1ab36cb7a481e4b91c60b8a113

SHA256
cf9f62521550f274c7bed1df5a128825eb7af02963aabde28660671138fe8885

SHA512
25dec1003e14e53f6f323acf0fc7883ab6c9d152ebde3fbf51c3881bf687f0e8a398e8a7cdbf3bfe7e349bfe0479da854acfb272989eada06f695001cfe1f527

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll

Filesize
103KB

MD5
91a0dd29773fbfb7112c5fcff1873c13

SHA1
e1eaf1efb134caa7da5aaa362830a68ab705c023

SHA256
ae2d023ebbfeefd5a26eaa255ad3862c9a1c276bb0b46ff88ea9a9999406d6b6

SHA512
f7a665a218bb2ccec32326b0e0a9845b2981f17445b5cb54bba7d6ef9e200b4538ebd19916c2dacb0bbe1b409c14a499b23ba707874ae1f1b154279c90dc33dd

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll

Filesize
126KB

MD5
c89542aba45ce1084760ae8de6eae09e

SHA1
603560a3e4b6a8cb906ca98c907373adbf4d3b1c

SHA256
1b6e559dc0cb37ebb2311c7cbf01b039f0dc1c3ec6da057837451a531b1e2cb0

SHA512
60a0eb698afe25cdddb133fc937fee478f1e0f8af72b825c19bb2d544fafcc217babf6dd3d01704a106677e92aae3dd57538e34731c950da17f5715df0732ff6

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll

Filesize
36KB

MD5
e3e4492e2c871f65b5cea8f1a14164e2

SHA1
81d4ad81a92177c2116c5589609a9a08a5ccd0f2

SHA256
32ff81be7818fa7140817fa0bc856975ae9fcb324a081d0e0560d7b5b87efb30

SHA512
59de035b230c9a4ad6a4ebf4befcd7798ccb38c7eda9863bc651232db22c7a4c2d5358d4d35551c2dd52f974a22eb160baee11f4751b9ca5bf4fb6334ec926c6

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll

Filesize
113KB

MD5
d0f0423aeee6b6ff6754d860603d46d0

SHA1
a06f3b9605b3398ba68154da39adf26ddee41743

SHA256
81da68f52df2ed997c374ccbefc56849650770fb30eda8f202bbc7fc3fe6a51d

SHA512
c30faede4520ff1c859b8b39e351112cfc60daeca98b1359f9f86ab79bcfb996ba84f35a5b178b4abec66152864720e58f741ae13d06b64913e240a1f9e6a633

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll

Filesize
89KB

MD5
4c086c8f48c4d0f8c20410e60340aec9

SHA1
77481360a98f3018f92a57b66e1dc7a6ec0dd0e8

SHA256
0a8fcb54df736100f5792b6ce57ae165553712cb1e5701e4e0dd7620e6089f59

SHA512
cdbcc2fd4195a6fa5a343234a745e3e7a558f68a496d376fdf6a86d585c9fa39a64f0ceb20a2d2e6e30e59ba46f62493e500d6eeb033fa981daa60f00ee42f14

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.ini

Filesize
431KB

MD5
5fcb4b6362e04a8d1c6ecd33ad246fb9

SHA1
e198d3e81c4b8527451133bceafa799d2115a8bb

SHA256
060ee1bcb5817709f2d73bb1762c5abca09faf5271e8f90503a84f9657ecdcd9

SHA512
b5839d79d1a34da86ba9b34a9105f7cc05e642c99d84d55e3e88833544dce9fdd840f7abf0f09cd4470734f24ca7c600c3c64e4041a4481806590d3b7a6a032d

Download Submit
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\update.pkg

Filesize
10.0MB

MD5
312704a6232d74733de04c6e00f8cf21

SHA1
2b4820ac82c5b851464d6563fa6ea0cb3e3629c2

SHA256
8d11890f2b70ba2abb4b017b05f3bb1d20eca6ad3eb84f0251e0857c77682c9b

SHA512
5c32b9a8267c57ce640e7612bdecd7d7ec67f4e0ab48dd97a53373d220765ab234bc28779f524e788e1e03d8857ccd7755a22f19e1a34ae36fd6f33444016f01

Download Submit
C:\Windows\Temp\K6NYv8c0

Filesize
112KB

MD5
be6174ae2b452da9d00f9c7c4d8a675b

SHA1
0abd2c76c82416ae9c30124c43802e2e49c8ed28

SHA256
a62bdf318386aaab93f1d25144cfbdc1a1125aaad867efc4e49fe79590181ebf

SHA512
5631b1595f8cee8c0dfa991852259fee17ea8b73a9eed900a10450bbb7c846acfc88c32930be379d60efa6ae1bbbead0a605a9f36e20129b53bca36b13ba5858

Download Submit
memory/1708-128-0x00007FF79D030000-0x00007FF79DA5D000-memory.dmp

Filesize
10.2MB

Download
memory/1708-130-0x00007FF79D030000-0x00007FF79DA5D000-memory.dmp

Filesize
10.2MB

Download
memory/2608-132-0x00007FF654FD0000-0x00007FF654FEF000-memory.dmp

Filesize
124KB

Download
memory/2608-137-0x00007FFE1A230000-0x00007FFE1A258000-memory.dmp

Filesize
160KB

Download
memory/2608-136-0x00007FFE1A260000-0x00007FFE1A284000-memory.dmp

Filesize
144KB

Download
memory/2608-134-0x00007FFE1A8E0000-0x00007FFE1A903000-memory.dmp

Filesize
140KB

Download
memory/2608-138-0x00007FFE1A200000-0x00007FFE1A225000-memory.dmp

Filesize
148KB

Download
memory/2608-139-0x00007FFE091F0000-0x00007FFE09AB5000-memory.dmp

Filesize
8.8MB

Download
memory/2608-135-0x00007FFE1A8C0000-0x00007FFE1A8E0000-memory.dmp

Filesize
128KB

Download
memory/2608-133-0x00007FFE1F000000-0x00007FFE1F025000-memory.dmp

Filesize
148KB

Download
memory/2608-143-0x00007FFE1A8C0000-0x00007FFE1A8E0000-memory.dmp

Filesize
128KB

Download
memory/2608-147-0x00007FFE091F0000-0x00007FFE09AB5000-memory.dmp

Filesize
8.8MB

Download
memory/2608-154-0x00007FFE1A8C0000-0x00007FFE1A8E0000-memory.dmp

Filesize
128KB

Download
memory/2608-158-0x00007FFE091F0000-0x00007FFE09AB5000-memory.dmp

Filesize
8.8MB

Download
memory/2608-161-0x00007FFE1F000000-0x00007FFE1F025000-memory.dmp

Filesize
148KB

Download
memory/2608-163-0x00007FFE1A8C0000-0x00007FFE1A8E0000-memory.dmp

Filesize
128KB

Download
memory/2608-167-0x00007FFE091F0000-0x00007FFE09AB5000-memory.dmp

Filesize
8.8MB

Download
memory/2608-172-0x00007FFE1A8C0000-0x00007FFE1A8E0000-memory.dmp

Filesize
128KB

Download
memory/2608-176-0x00007FFE091F0000-0x00007FFE09AB5000-memory.dmp

Filesize
8.8MB

Download
memory/2608-180-0x00007FFE1A8C0000-0x00007FFE1A8E0000-memory.dmp

Filesize
128KB

Download
memory/2608-184-0x00007FFE091F0000-0x00007FFE09AB5000-memory.dmp

Filesize
8.8MB

Download
memory/2608-311-0x00007FFE1F000000-0x00007FFE1F025000-memory.dmp

Filesize
148KB

Download
memory/2608-314-0x00007FFE1A260000-0x00007FFE1A284000-memory.dmp

Filesize
144KB

Download
memory/2608-313-0x00007FFE1A8C0000-0x00007FFE1A8E0000-memory.dmp

Filesize
128KB

Download
memory/2608-317-0x00007FFE091F0000-0x00007FFE09AB5000-memory.dmp

Filesize
8.8MB

Download
memory/2608-323-0x00007FFE1A8C0000-0x00007FFE1A8E0000-memory.dmp

Filesize
128KB

Download
memory/2608-321-0x00007FFE1F000000-0x00007FFE1F025000-memory.dmp

Filesize
148KB

Download