Analysis

  • max time kernel: 149s
  • max time network: 149s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 03-07-2024 10:37

General

  • Target: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
  • Size: 2.4MB
  • MD5: 97f4bfce48908daf8548c94680cdd926
  • SHA1: b6921fa66184350511ffeac6f7a14308bf830928
  • SHA256: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1
  • SHA512: 39ef56903b60a4a67b8863bb2ffdeed934ebe97e8223e16d7135017e20e07575e3a81076104bf37917b0ef6202a69335e66b0c137de83818fbdfb177d52b82e9
  • SSDEEP: 49152:HQqiSbst0sL7R38+1uKnzzaKu4QHNHxU/lAZ1PXiEQMy2vm9ytkB4nX:xstZLNe5Hwl0kDB4n

Malware Config

Signatures

  • UAC bypass (3 TTPs, 2 IoCs)
  • Possible privilege escalation attempt (3 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Modifies file permissions (1 TTPs, 3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Drops desktop.ini file(s) (2 IoCs)
  • AutoIT Executable (2 IoCs)
    AutoIT scripts compiled to PE executables.
  • Drops file in System32 directory (6 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious behavior: EnumeratesProcesses (22 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of FindShellTrayWindow (12 IoCs)
  • Suspicious use of SendNotifyMessage (12 IoCs)
  • Suspicious use of WriteProcessMemory (22 IoCs)
  • System policy modification (1 TTPs, 6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
    "C:\Users\Admin\AppData\Local\Temp\942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Windows\system32\ZBOYKWUZ.exe
      C:\Windows\system32\ZBOYKWUZ.exe
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2280
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe load HKEY_USERS\a C:\Users\Administrator\NTUSER.DAT
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4200
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe unload HKEY_USERS\a
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2588
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3464
        • C:\Windows\system32\takeown.exe
          takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:4824
        • C:\Windows\system32\icacls.exe
          icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:5008
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:908
        • C:\Windows\system32\takeown.exe
          takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:1624
      • C:\Windows\system32\ZBOYKWUZ.exe
        ZBOYKWUZ.exe 2280 3508 0
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • System policy modification
        PID:3096
    • C:\Windows\system32\Es4.Deploy.exe
      C:\Windows\system32\Es4.Deploy.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3852
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ver
        3⤵
        PID:3772

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Abuse Elevation Control Mechanism (T1548): 1
    • Bypass User Account Control (T1548.002): 1
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Abuse Elevation Control Mechanism (T1548): 1
    • Bypass User Account Control (T1548.002): 1
    • Impair Defenses (T1562): 1
    • Disable or Modify Tools (T1562.001): 1
    • Modify Registry (T1112): 3
    • File and Directory Permissions Modification (T1222): 1
  • Discovery
    • System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3096zboykwu
    Filesize: 26KB
    MD5: 0c27221488e69caa0a441b30e5d6d46c
    SHA1: 82fceca6dbc8932d4bead6ce872965fac35d0c99
    SHA256: bae73fb2e8de92ae84565a2e98530a0584ade7bc69603f14906375a68f9fed3d
    SHA512: 9ad868e0897475082c63e5fcca91594c4568f15e442907b21bcd844dc8022986995f895b97aa649e2a523d08a4c37a324447b48475c7bf816a1dce734988eaed
  • C:\Windows\System32\Es4.Deploy.exe
    Filesize: 970KB
    MD5: ceaea72deefc6bce78f56efd6df30018
    SHA1: d9dd7dc3cf9b040f5add454a2eefc1e5d48a137c
    SHA256: e6c9beddaf2b77747834a6855ab88c43dc8feb5ad74e6da9d55e30a8e8299d63
    SHA512: e0b70a188f7bca695cf1e4a117dad94d76799b2187e03bf3a3ac78a015742aac845025e9ee6200379f357b6896a294a83ecbe4ce9d8eabdf25e2510088ca62ae
  • C:\Windows\System32\ZBOYKWUZ.exe
    Filesize: 964KB
    MD5: 7359ea3476e9f5d7f5e6845007531b4b
    SHA1: ec48e75b6a03979a1af7d993c55a76bc5a7780fe
    SHA256: 43b9150976b5087c92752fc6f81dedf5eca94f138090be18c712c17838d498cc
    SHA512: 01317be797acca4ff1aa9bee3b34ad6b2456aa72a927a8cdf9ae5f6f969e9d197626ab150df82e28dc1b24a47d6ad7dd5bbc0714e834e0e444c4689e9b2da5ce