3bc58204a86ea506d6459ce56521bbd293ce2232f90057e8395e9012797ae989

General

Target

9e4e79e286d47e03357aa63adedfe826.exe
Size

3.7MB
MD5

9e4e79e286d47e03357aa63adedfe826
SHA1

1dd8464c591c2bc996d608d48400336a0640686d
SHA256

3bc58204a86ea506d6459ce56521bbd293ce2232f90057e8395e9012797ae989
SHA512

ab6d8be74862c5564fdb95f3ab7a701bd99ee9aa798410b520631fd526dee4f40804b7722b2f040fc4b3943d47d6f82cb2b7a62981d8dd64d2a76021433df002
SSDEEP

98304:80qQnTwOIaZ1a7hp6K+QAjN+J4ur2GNaA4P6mPACJDLws:8gT/VZ1a7OlZ+J4XGwXNPF0s

Score

8^/10

defense_evasion discovery persistence privilege_escalation upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3012	netsh.exe
1628	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000016d2c-20.dat	acprotect
behavioral1/memory/2736-22-0x0000000074780000-0x0000000074789000-memory.dmp	acprotect

Deletes itself 1 IoCs

pid	Process
3064	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
2976	wtzltypssnrzhu.exe

Loads dropped DLL 4 IoCs

pid	Process
2736	9e4e79e286d47e03357aa63adedfe826.exe
2736	9e4e79e286d47e03357aa63adedfe826.exe
2736	9e4e79e286d47e03357aa63adedfe826.exe
2736	9e4e79e286d47e03357aa63adedfe826.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2736 set thread context of 3064	2736	9e4e79e286d47e03357aa63adedfe826.exe	35

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016d2c-20.dat	upx
behavioral1/memory/2736-22-0x0000000074780000-0x0000000074789000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtzltypssnrzhu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e4e79e286d47e03357aa63adedfe826.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	wtzltypssnrzhu.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2976	wtzltypssnrzhu.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2976	wtzltypssnrzhu.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 1628	2736	9e4e79e286d47e03357aa63adedfe826.exe	30
PID 2736 wrote to memory of 1628	2736	9e4e79e286d47e03357aa63adedfe826.exe	30
PID 2736 wrote to memory of 1628	2736	9e4e79e286d47e03357aa63adedfe826.exe	30
PID 2736 wrote to memory of 1628	2736	9e4e79e286d47e03357aa63adedfe826.exe	30
PID 2736 wrote to memory of 3012	2736	9e4e79e286d47e03357aa63adedfe826.exe	32
PID 2736 wrote to memory of 3012	2736	9e4e79e286d47e03357aa63adedfe826.exe	32
PID 2736 wrote to memory of 3012	2736	9e4e79e286d47e03357aa63adedfe826.exe	32
PID 2736 wrote to memory of 3012	2736	9e4e79e286d47e03357aa63adedfe826.exe	32
PID 2736 wrote to memory of 2976	2736	9e4e79e286d47e03357aa63adedfe826.exe	34
PID 2736 wrote to memory of 2976	2736	9e4e79e286d47e03357aa63adedfe826.exe	34
PID 2736 wrote to memory of 2976	2736	9e4e79e286d47e03357aa63adedfe826.exe	34
PID 2736 wrote to memory of 2976	2736	9e4e79e286d47e03357aa63adedfe826.exe	34
PID 2736 wrote to memory of 3064	2736	9e4e79e286d47e03357aa63adedfe826.exe	35
PID 2736 wrote to memory of 3064	2736	9e4e79e286d47e03357aa63adedfe826.exe	35
PID 2736 wrote to memory of 3064	2736	9e4e79e286d47e03357aa63adedfe826.exe	35
PID 2736 wrote to memory of 3064	2736	9e4e79e286d47e03357aa63adedfe826.exe	35
PID 2736 wrote to memory of 3064	2736	9e4e79e286d47e03357aa63adedfe826.exe	35

C:\Users\Admin\AppData\Local\Temp\9e4e79e286d47e03357aa63adedfe826.exe
"C:\Users\Admin\AppData\Local\Temp\9e4e79e286d47e03357aa63adedfe826.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=wtzltypssnrzhu dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\nsjBCEA.tmp\wtzltypssnrzhu.exe" enable=yes profile=public,private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1628
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=wtzltypssnrzhu dir=out action=allow program="C:\Users\Admin\AppData\Local\Temp\nsjBCEA.tmp\wtzltypssnrzhu.exe" enable=yes profile=public,private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3012
- C:\Users\Admin\AppData\Local\Temp\nsjBCEA.tmp\wtzltypssnrzhu.exe
  "C:\Users\Admin\AppData\Local\Temp\nsjBCEA.tmp\wtzltypssnrzhu.exe" "http://www.marvburris.click" "C:\Users\Admin\AppData\Local\Temp\nsjBCEA.tmp\7297"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2976
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsjBCEA.tmp\wtzltypssnrzhu.exe.config

Filesize
257B

MD5
441f5c5c7933c16068a03d99bc8837c4

SHA1
76d1de63216c2c1218cf47a5d768a18952a1dcb3

SHA256
f1cac503709c2acd9ab0a7d0e48a4abf2777d16052fee68830260a78359ec72f

SHA512
5b8fa02b827993541841a2fd07a50e5d2c5a7f5ba35e0b282ed3a453e3f919d63f1c9432d922cc364027351c57d2b78f99f5f1469c86b581cc53acb76fdfc366

Download Submit
\Users\Admin\AppData\Local\Temp\nsjBCEA.tmp\SelfDel.dll

Filesize
5KB

MD5
e5786e8703d651bc8bd4bfecf46d3844

SHA1
fee5aa4b325deecbf69ccb6eadd89bd5ae59723f

SHA256
d115bce0a787b4f895e700efe943695c8f1087782807d91d831f6015b0f98774

SHA512
d14ad43a01db19428cd8ccd2fe101750860933409b5be2eb85a3e400efcd37b1b6425ce84e87a7fe46ecabc7b91c4b450259e624c178b86e194ba7da97957ba3

Download Submit
\Users\Admin\AppData\Local\Temp\nsjBCEA.tmp\nsExec.dll

Filesize
7KB

MD5
11092c1d3fbb449a60695c44f9f3d183

SHA1
b89d614755f2e943df4d510d87a7fc1a3bcf5a33

SHA256
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

SHA512
c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

Download Submit
\Users\Admin\AppData\Local\Temp\nsjBCEA.tmp\wtzltypssnrzhu.exe

Filesize
10KB

MD5
9916cd804c030ab91eabab4c3d1f39f6

SHA1
d01995ac1f61a17211b0c942d38504e35ac89c1a

SHA256
6920bf36c100c838c5fcc48b3665f660e0c158449ed1a42f64cb1c054cf90eef

SHA512
db60ef4e82328841153114c002c7d7664c5f7b7e5a916ea106912a0fe5a9f86a4ffc0a8f062f3cc974982efbc9b0ee7ff56582efe77e34dca001fc8b79d8ccc4

Download Submit
memory/2736-22-0x0000000074780000-0x0000000074789000-memory.dmp

Filesize
36KB

Download
memory/2976-39-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads