Analysis
-
max time kernel
147s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22-11-2024 03:46
General
-
Target
a61bff2dd2100a6be39be8778880eff5786686c65de713f3e3df592281b99476.exe
-
Size
31.7MB
-
MD5
75a011552602bce72c9aade3d4ca2dcf
-
SHA1
659a99006e76d0c99e52a236cd54aba9590fa462
-
SHA256
a61bff2dd2100a6be39be8778880eff5786686c65de713f3e3df592281b99476
-
SHA512
3a6a36e9c1a4fc506da3634f7edd66f89a5af66de261758bd6b82451f65df2314149a45123cda3acc02383a58e4f1222d7f54076a5ea5bad2556952464b58d25
-
SSDEEP
786432:fViQmGiQmGiQmGiQmXYYgTFE3CuXKzBqMOUK0ShvCdiUc:EQmzQmzQmzQmXpSVzsm+iij
Malware Config
Signatures
-
UAC bypass 3 TTPs 3 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 15 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a61bff2dd2100a6be39be8778880eff5786686c65de713f3e3df592281b99476.exe"C:\Users\Admin\AppData\Local\Temp\a61bff2dd2100a6be39be8778880eff5786686c65de713f3e3df592281b99476.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5719074 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\a61bff2dd2100a6be39be8778880eff5786686c65de713f3e3df592281b99476.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3692679935-4019334568-335155002-1000"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\kuai\Kuai\tdata\emoji\kll.exe"C:\Program Files\kuai\Kuai\tdata\emoji\kll.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /all4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ipconfig.exeipconfig /all5⤵
- Gathers network information
-
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" -f C:\ProgramData\YQ7nH.xml4⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\h9DAl.bat"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F5⤵
- UAC bypass
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F5⤵
- UAC bypass
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F5⤵
- UAC bypass
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\V7hf1\esY12~t\s+C:\ProgramData\V7hf1\esY12~t\a C:\ProgramData\V7hf1\esY12~t\TSLib.dll4⤵
-
-
-
-
C:\Windows\system32\mmc.exeC:\Windows\system32\mmc.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\V7hf1\esY12~t\iToolsAVMTask.exe"C:\ProgramData\V7hf1\esY12~t\iToolsAVMTask.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\mmc.exeC:\Windows\system32\mmc.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\letsvpn-latest.exe"C:\ProgramData\letsvpn-latest.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.6MB
MD525fb525f7ada715c43acb7818466765f
SHA14133f43bce0b44547ecd1bece2097e72bbb35896
SHA25641f913678421575a6920a3ecc5f0daa80e1af701d96025aa9e5991ae3a173589
SHA512565b13a73a87124c11eef1bfb85b2cdc193fb420b76fd6c25f8dd5fa0e2a2e2d8b0cbe20384608363a264db744df4bd2b6f37e855100dffb38e98e20550983b9
-
Filesize
444KB
MD5fd5cabbe52272bd76007b68186ebaf00
SHA1efd1e306c1092c17f6944cc6bf9a1bfad4d14613
SHA25687c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
SHA5121563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5
-
Filesize
204KB
MD59cd2a06bef678760b2a645cbaadfab98
SHA1db3e880fec414f125713ea83590fe7c1f41d55d7
SHA256a157daa56958bdc502a341a211b53da1c82856834c9458719614ce03c0d97eb1
SHA5127151a11ef34487549d5d46f126e5d295a6ae6b778db5362e94107ba989785b3a2b42571f16dcf1b5ea0f792f31d1ddd78c5fdbdb1d98cffc1cbfdf73e4d381c8
-
Filesize
176KB
MD599a4d2a919eeb78ce2428096a19d8be7
SHA1d069b49171dba3fe560c2b9dd782132831f6b4f2
SHA2567c7edb12d33c2483dbbd7ef7bc0184ffd5ce077b70686ce82a15e7b93283a6ca
SHA512d049a7532cf05235e3fdaf13344f1bbb2b9b0f96e4270a7096fa8b5863a1c67191768c9d0055d488417abbd3e34e1b1c79a4a0618a21392066d5b81cd8a71a11
-
Filesize
446KB
MD5e4d5dd31c405c19c69180d4e2206bab5
SHA11f01c589d383f361b4bb442476592f03ce10d173
SHA256b78c80aad5b20278e54b64f74dc8f98ab573d48b133d1a9178c53e57d8e5258f
SHA51235f46c8d33fa761e91169138f38beec5e51d735b23e4ca3894e7b0daf4c687a7f22029a2c8b80d1c46cefd5c2e7697f74646eedb8aa3161efc4fd142485562ff
-
Filesize
176KB
MD59a10d11cbc41b8b24403e07a2c6d70ab
SHA129b0c3727dc69b9b865d1eb5f08d1345fb528e18
SHA256c708b225c8d8eea884e3af3a46e14b498f05b9994da31d42f1208aa2b38c1a18
SHA512859ef3648c5d73b04703e6e43783e9967253f78ef6239e88fe098fe869602f8a3b4aa70a0f45f1e48aa4811a17ed3f559849d5cd7e4dcdb1ba34dd398b2ff21f
-
Filesize
14.5MB
MD594f6bd702b7a2e17c45d16eaf7da0d64
SHA145f8c05851bcf16416e087253ce962b320e9db8a
SHA25607f44325eab13b01d536a42e90a0247c6efecf23ccd4586309828aa814f5c776
SHA5127ffc5183d3f1fb23e38c60d55724ab9e9e1e3832c9fb09296f0635f78d81477c6894c00a28e63096fa395e1c11cbeaa1f77f910f9ff9c1f1ecf0b857aa671b3d
-
Filesize
4KB
MD5874e3e604857f429a7e5075f42478063
SHA18d4482f4b34e770866da3f7aaebaad5c72aa6aff
SHA2568f837ff1e644f32fd2b7e70ec5ce1fd32c58da0a169e172b5fb464ee775c6f8c
SHA51202caf2eb57a997b49975686e29d88ff41ca2793f43adfb9e6235e72705ac6432faa4791435e9e4bd4ea096ddc92ca9bbefbd03ff4846d3907ad037f2a51636f5
-
Filesize
20KB
MD5e3f04b9a2cb90768d26e29915a44c32d
SHA1d6fccb4e1281be6e318824341b01443016518a3e
SHA256ec6ff19e6f85d0a9edfe25cc8206aec67e5243c884e73bb82afa4bbc03f83cb3
SHA512ce2a528b324539efa48b718f956f2d6aa4d3d3070a4f117ea1c07f9edb2f51afec72a9b3640215b3a99a3666168023e7d26f9ba89202b84bb3e4be3d6adbb122
-
Filesize
350KB
MD5c916c7815286c5233a49deac81f8543e
SHA1cb964c3c8eae8e7ce170f3ad3a55993f7a1918db
SHA2563d07466b8f5c18afc70c6a9746d43fa7daa39c9bd41e8bfb928c70e7d7458bf4
SHA5120d65283c41c30ee688bf02ec3eec7f6b17a750efc18fa6a66f26c7c6ef8bae860d270b31017f096d8d254c2769be2b7ed64d6b3dc659d1b57d466388271e2c78
-
Filesize
392B
MD530d6eb22d6aeec10347239b17b023bf4
SHA1e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1
SHA256659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08
SHA512500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76
-
Filesize
28.9MB
MD51d086c6b0cf1571c4f3962dd0dcff370
SHA1fcc14f35d578496e8b31609d7b3e88a7a16fb8ad
SHA25655b3cb523696c18f1340a7b2e74edcb52fe5014ccf9a3ea52dff675e1f6cb91c
SHA5120d723dc8221e372119cdeb19452a2a510ceb4dadd3d5b28020eef7850dd30beef8f3d31866654315d945cfbd7e353b1e0446901e53ba6051fdc000086e4739ca
-
Filesize
231KB
MD54a5177de87d2ddb2e37fb334e1dd7364
SHA1fa7eb1581767cea7e6e0a91ea8453b2ec3907bce
SHA25650b27360888f2e25f5105acc7ff756a981de01af3b6d0376b9b40d565f67d3b2
SHA51246639342202800fdb3c7730e77a842ba564e132370eb62734173cc7b1db3a7a1528b74ac179fa021b9df03a0354def3a7867a4b46d570e6522906dcd4706f3bf
-
Filesize
353KB
MD593fffe6278513969f1763c74771af352
SHA1a9cba645ce1c10534b5ddbfd24846084fad3298b
SHA2563a042c0f373e48523760be41a0eebe51410a598641777c7ae4295b4f2e0cc185
SHA512d682e5da2d6223d01b25d6bb6464e16f8ef6e7460f5aac16501ea3c9ac9263fc2848dbb0ecccc4a8edf7a84ab886e753dd7b17cc48911ddd7735ba556eb6afc1
-
Filesize
643KB
MD5de97956ca645f2ff3af8abb2ddee8525
SHA1cac8bf1452795fc5d79c581a2f432735876037ef
SHA256283b86e04c42ad51de61af556163aeca222ebc3430433f37f11e70c035cbdadd
SHA5123d639c68cdb15e8d3a7a114790ae60a19378a7dfb0e56a0af95fccfec9b561eeee9b2345fbf48b8f3864fee56e1ec7786bde4545125561c0f03624006144718a
-
Filesize
515KB
MD53f2e14def6a0937dad09c7dcdde028f9
SHA116c9c6ad2337f24905e55b38e41134e9a7a248e6
SHA25655fc51e1ab6226b725f9aa8d9703514280b9405d37d507085fdb9d0fa2aecfec
SHA5121b81ce19b34e60af9236c45192fcea88b15753461c4cb88451981a2476254e5c711b3fc1382856286299e10d7ecf84b85e8d1c0213dda3755860924f598262b5
-
Filesize
109KB
MD5cf418dbccbfec6df4ca9de57d3d09e00
SHA11316b2eabb4dd172657585b229de08fb5e067799
SHA256b6901aee4202968a57bfef4ec599c35d2f6ffca3584b2835b7234c49e4b01e40
SHA51202c46b69f08d7acc9a4364cf827f113a2e970335c959c9cb6b6863ca9c935a748ac61fd1e3dbbb423a30dffb7c08f420ed6fff31ad376b32b00063e9241cee86
-
Filesize
948KB
MD5034ccadc1c073e4216e9466b720f9849
SHA1f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1
SHA25686e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
SHA5125f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7
-
Filesize
4.9MB
MD5b0a1f1e0a106e1a62753c8a07fb3809b
SHA1b4bab82aa173a401a2f16f8b4ad91105a895b2d9
SHA256f7e07f7936269756bb73e91c8b280c2ab8532fb5bf15085d96eaebc7a05a8950
SHA512ffc97976471e26e938e0389b33c0143b4a55653f90ee35f8220663b2a78fc48a106a204dd25c990817a57f3670d41fd1361cbdbc3bc4894ded882b356649c083
-
Filesize
11KB
MD575ed96254fbf894e42058062b4b4f0d1
SHA1996503f1383b49021eb3427bc28d13b5bbd11977
SHA256a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
SHA51258174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
-
Filesize
9KB
MD5ca95c9da8cef7062813b989ab9486201
SHA1c555af25df3de51aa18d487d47408d5245dba2d1
SHA256feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be
SHA512a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9
-
Filesize
6KB
MD53d366250fcf8b755fce575c75f8c79e4
SHA12ebac7df78154738d41aac8e27d7a0e482845c57
SHA2568bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6
SHA51267d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094
-
Filesize
420KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
