Analysis
  max time kernel:  150s
  max time network: 126s
  platform:         windows7_x64
  resource:         win7-20240903-en
  resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:        31-01-2025 10:03
Static task: static1

Behavioral task: behavioral1
  Sample:   services.png.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample:   services.png.exe
  Resource: win10v2004-20250129-en
General
  Target: services.png.exe
  Size:   264KB
  MD5:    d397a1de162f332782fe3205a07792dd
  SHA1:   44793b3a374c3cb453bbd87a2fd28d8a4c408002
  SHA256: ea251bf7fcc0a42cb9e954a45d925ef379ef1ffca39e482f44af701b4ace8560
  SHA512: 6be10fc6ebabffadd89a72862c5d292e2939d165298019fe684de4efb3284603756c8764810835c12651ad49f608dd3345c8d778b7fd795683f0fcceeaa3f659
  SSDEEP: 6144:VtjNiEZdoTD3wad4eq5OxUatA04d0drsFp2A4AG5uU:VTdS3Uek0WchA2D
Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid  | Process
  112  | netsh.exe

Executes dropped EXE (1 IoC)
  pid  | Process
  2700 | ubahwoura.exe

Loads dropped DLL (6 IoCs; repeated entries collapsed, count in last column)
  pid  | Process          | count
  2680 | services.png.exe | 4
  2700 | ubahwoura.exe    | 2
Adds Run key to start application (2 TTPs, 1 IoC)
  description     | ioc                                                                                                                                                                                    | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vyeqnyviro = "C:\\Users\\Admin\\AppData\\Roaming\\Hearirigdibe\\ubahwoura.exe" | ubahwoura.exe

Enumerates processes with tasklist (1 TTPs, 1 IoC)
  pid  | Process
  2900 | tasklist.exe
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description          | ioc                                                    | Process
  Key opened           | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key queried          | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description | ioc                                                        | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ubahwoura.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HOSTNAME.EXE
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | services.png.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ipconfig.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Gathers network information (2 TTPs, 1 IoC)
Uses a command-line utility to view the network configuration.
  pid  | Process
  2876 | ipconfig.exe
Modifies system certificate store (2 TTPs, 2 IoCs)
  description      | ioc                                                                                                                  | Process
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (hex blob below) | ubahwoura.exe
  Key created      | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8            | ubahwoura.exe

  Blob value written (hex, as recorded by the sandbox):
  0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827

  Note: the DER certificate embedded in this blob carries the subject "Internet Security Research Group / ISRG Root X1", and the thumbprint in the key path (CABD2A79A1076A31F21D253635CB039D4329A5E8) is the SHA-1 fingerprint of that public root CA. Windows' automatic root update writes the same key when a TLS chain anchored in a not-yet-cached root is first validated, so this signature should be read together with the network activity rather than as proof of an attacker-controlled root.
Suspicious behavior: EnumeratesProcesses (33 IoCs; repeated entries collapsed, count in last column)
  pid  | Process          | count
  2680 | services.png.exe | 1
  2700 | ubahwoura.exe    | 32
Suspicious use of AdjustPrivilegeToken (64 IoCs; repeated entries collapsed, count in last column)
  description                | pid  | Process          | count
  Token: SeSecurityPrivilege | 2680 | services.png.exe | 4
  Token: SeSecurityPrivilege | 2700 | ubahwoura.exe    | 59
  Token: SeDebugPrivilege    | 2900 | tasklist.exe     | 1
Suspicious use of WriteProcessMemory (62 IoCs; repeated entries collapsed, count in last column)
  description                   | pid  | Process          | procid_target | count
  PID 2680 wrote to memory of 2700 | 2680 | services.png.exe | 30 | 4
  PID 2700 wrote to memory of 1088 | 2700 | ubahwoura.exe    | 18 | 5
  PID 2700 wrote to memory of 1168 | 2700 | ubahwoura.exe    | 20 | 5
  PID 2700 wrote to memory of 1192 | 2700 | ubahwoura.exe    | 21 | 5
  PID 2700 wrote to memory of 1440 | 2700 | ubahwoura.exe    | 25 | 5
  PID 2700 wrote to memory of 2680 | 2700 | ubahwoura.exe    | 29 | 5
  PID 2700 wrote to memory of 2040 | 2700 | ubahwoura.exe    | 32 | 4
  PID 2040 wrote to memory of 1044 | 2040 | cmd.exe          | 34 | 4
  PID 2040 wrote to memory of 2876 | 2040 | cmd.exe          | 35 | 4
  PID 2040 wrote to memory of 2900 | 2040 | cmd.exe          | 36 | 4
  PID 2040 wrote to memory of 112  | 2040 | cmd.exe          | 37 | 4
  PID 2040 wrote to memory of 1736 | 2040 | cmd.exe          | 38 | 4
  PID 1736 wrote to memory of 1868 | 1736 | net.exe          | 39 | 4
  PID 2700 wrote to memory of 2556 | 2700 | ubahwoura.exe    | 40 | 5
Processes (depth / image / command line / PID; signatures triggered listed beneath each process)
  1  C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1088
  1  C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1168
  1  C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1192
     2  C:\Users\Admin\AppData\Local\Temp\services.png.exe  "C:\Users\Admin\AppData\Local\Temp\services.png.exe"  PID:2680
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        3  C:\Users\Admin\AppData\Roaming\Hearirigdibe\ubahwoura.exe  "C:\Users\Admin\AppData\Roaming\Hearirigdibe\ubahwoura.exe"  PID:2700
           - Executes dropped EXE
           - Loads dropped DLL
           - Adds Run key to start application
           - System Location Discovery: System Language Discovery
           - Modifies system certificate store
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory
           4  C:\Windows\SysWOW64\cmd.exe  cmd.exe  PID:2040
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              5  C:\Windows\SysWOW64\HOSTNAME.EXE  hostname  PID:1044
                 - System Location Discovery: System Language Discovery
              5  C:\Windows\SysWOW64\ipconfig.exe  ipconfig /all  PID:2876
                 - System Location Discovery: System Language Discovery
                 - Gathers network information
              5  C:\Windows\SysWOW64\tasklist.exe  tasklist  PID:2900
                 - Enumerates processes with tasklist
                 - System Location Discovery: System Language Discovery
                 - Suspicious use of AdjustPrivilegeToken
              5  C:\Windows\SysWOW64\netsh.exe  netsh firewall set opmode disable  PID:112
                 - Modifies Windows Firewall
                 - Event Triggered Execution: Netsh Helper DLL
                 - System Location Discovery: System Language Discovery
              5  C:\Windows\SysWOW64\net.exe  net share  PID:1736
                 - System Location Discovery: System Language Discovery
                 - Suspicious use of WriteProcessMemory
                 6  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 share  PID:1868
                    - System Location Discovery: System Language Discovery
  1  C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:1440
  1  C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  PID:2556
Network
MITRE ATT&CK Enterprise v15 (technique, hit count in parentheses)
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
      Windows Service (1)
    Event Triggered Execution (1)
      Netsh Helper DLL (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
      Windows Service (1)
    Event Triggered Execution (1)
      Netsh Helper DLL (1)
  Defense Evasion
    Impair Defenses (1)
      Disable or Modify System Firewall (1)
    Modify Registry (2)
    Subvert Trust Controls (1)
      Install Root Certificate (1)
Downloads
  Filesize: 606KB
  MD5:      78f5d59f7b55a7c13a85059afc9f1f07
  SHA1:     b4a9d09e71d09f2d0ce5609cd702560e0b8a53e3
  SHA256:   1c6a6bf6d2d0f5a09f6d22af3e03948619115bcf816636fa2dbcc11d188ff358
  SHA512:   a6639b421d3f7196e27b15b7e8d5aad6ac4098392a7d4906df8b551ef3fc50605c50c855f7b83415b06607e21a53ed186cadd9734536b2bbf486bbde32298c41

  Filesize: 1.2MB
  MD5:      d124f55b9393c976963407dff51ffa79
  SHA1:     2c7bbedd79791bfb866898c85b504186db610b5d
  SHA256:   ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
  SHA512:   278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

  Filesize: 1.1MB
  MD5:      9b98d47916ead4f69ef51b56b0c2323c
  SHA1:     290a80b4ded0efc0fd00816f373fcea81a521330
  SHA256:   96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b
  SHA512:   68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

  Filesize: 264KB
  MD5:      8c075d92c320965ac0acf9aef9d87def
  SHA1:     4d4f17a7075890303847a03535e852293bbbd24e
  SHA256:   daaba63cc784e035425b47e0ced975101fcd25646d36e585a893c6b49a69cb76
  SHA512:   2929dcea8492d15457539cc57f43f9306652fd4c90b6e97915a565006447c0167b13f2f2c680d850c9c9b9319a5868b743b6ed1774bd06ec5b17bd8e804b27a1