Analysis

  • max time kernel: 150s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240704-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 04-07-2024 20:39

General

  • Target: 384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
  • Size: 1.3MB
  • MD5: 9e20a4c72ce5e53b60208f84cdc1d05c
  • SHA1: 862f6e5d96de2bd4d65700bcc01932e2068ecd25
  • SHA256: 384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd
  • SHA512: 1fed8b1c63bd5737f1af4b5e9ed8c29b2bd09f8f8f8aebb5becb75efe354912034165f687466e18e5cb5df13281f97067dfaa437e131ddbd419d1e8e4ddcd333
  • SSDEEP: 12288:BXgvmzFHi0mo5aH0qMzd5807FdkPJQPDHvd:BXgvOHi0mGaH0qSdPF84V

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • UAC bypass 3 TTPs 12 IoCs
  • Adds policy Run key to start application 2 TTPs 27 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Looks up external IP address via web service 8 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe (PID 2012, tree depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe"
    Signatures:
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    Child processes:
    • C:\Users\Admin\AppData\Local\Temp\whluzkp.exe (PID 388, tree depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\whluzkp.exe" "-"
      Signatures:
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
    • C:\Users\Admin\AppData\Local\Temp\whluzkp.exe (PID 1996, tree depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\whluzkp.exe" "-"
      Signatures:
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • System policy modification
  • C:\Windows\System32\rundll32.exe (PID 4548, tree depth 1)
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    Signatures: none

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Counts are the number of matching signatures per technique.

Persistence
  • Boot or Logon Autostart Execution (T1547): 3
    • Registry Run Keys / Startup Folder (T1547.001): 2
    • Winlogon Helper DLL (T1547.004): 1

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 3
    • Registry Run Keys / Startup Folder (T1547.001): 2
    • Winlogon Helper DLL (T1547.004): 1
  • Abuse Elevation Control Mechanism (T1548): 1
    • Bypass User Account Control (T1548.002): 1

Defense Evasion
  • Modify Registry (T1112): 5
  • Abuse Elevation Control Mechanism (T1548): 1
    • Bypass User Account Control (T1548.002): 1
  • Impair Defenses (T1562): 2
    • Disable or Modify Tools (T1562.001): 1
    • Safe Mode Boot (T1562.009): 1

Discovery
  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 3


Downloads (files dropped during the run)

  • C:\Program Files (x86)\afdgfkjggholqfkdmlsxvyx.byy (280B)
    MD5: daf9ea1e441b6c3f02b5a232b6e0caaf
    SHA1: ac93b600f7d2585f0be60cfa15f37c2429b4be11
    SHA256: c6801c8850320f33d0e5cdb637e5db5a275c5566dab6ad59a1b786d27f9b806d
    SHA512: 40b70eed4c4a44a6728d54a042127665f6f7b6837f0afd4ce18fa337b3fe4b329c85c290072bc816760777ded800e2f801908e98865ea85cbd277d8c02887d56

  • C:\Program Files (x86)\afdgfkjggholqfkdmlsxvyx.byy (280B)
    MD5: 9b577d015d045025641c522fc744d577
    SHA1: be8d0be61da7f54e83ddd4fcbe6bce6aa8acebbe
    SHA256: bed6b9ae452ac66e52959a6c47ee4b06b25ae605cacbd82748382a134c39d572
    SHA512: 5eb148621b2babbc6401e58afa35d0b30b73ff704a2980d6e70d2d9a6192dbfa3872d5233712c6a2e333f772dbbc729f7d2e9ae872fe86663900aeebe94d9610

  • C:\Program Files (x86)\afdgfkjggholqfkdmlsxvyx.byy (280B)
    MD5: 08796af7f37f85c79bd9e5bba26b0073
    SHA1: 1328f83ae4299d593ef259d74bf1dcb74230a9a5
    SHA256: c93be325628298af7c1341acd24f058e828168e6a46b8469ff686e67305f1a86
    SHA512: b32934a7034ba5f5558bc769e9f78dbae3a7df1f371d668c71aa4da0a6d121e9f87923a4c2fa3f7b1b62391f3a3cf116d3383afa30f69f2eb3fcdfc84e7f0a8b

  • C:\Program Files (x86)\afdgfkjggholqfkdmlsxvyx.byy (280B)
    MD5: 9fdefb7f338cfe3762ce7ed016722ac4
    SHA1: 6668f78d68e6b8f0c62a39a5aaa8c1669134168b
    SHA256: 8a4ade39a510599cb8ed070cc4defb2cb87dc9521d455325c1801459c9f787d5
    SHA512: 1456447ca71ac84a84c71ac70f8fbc168de44174d199414bc709accdae393440474108d16e48ffe964201ebec6be64387a3271f536d1cb5cd5eb855efa2e2a48

  • C:\Program Files (x86)\afdgfkjggholqfkdmlsxvyx.byy (280B)
    MD5: 570f710667805035b8b1eae9b976b476
    SHA1: 164068dc3ef704d7aa46021de44aa285ab6ee3a6
    SHA256: eaf0de5ddf9755ce96ae6475b8a2662e4c940dd342a69b534d6838e41d21cbd1
    SHA512: 73c025d80820c3c06b62f5eb065e7d3326228216284f9ff6bf0cb97cd0bd1bab9bc9cedc580f4856d0388bd92754ef342d9903497842f3975bc85f780fb6be95

  • C:\Program Files (x86)\afdgfkjggholqfkdmlsxvyx.byy (280B)
    MD5: d5309c4fd3dd0adb8c6169496b955419
    SHA1: cbec080ff34dd3d3d2a871cc9f43c0731004935a
    SHA256: 3239a61019417de47a3fc116de10bfdbd84bb1e960a489ffe571f9a659b94679
    SHA512: d7787a3b6e47fcfa5560d453fbf76014d16d986dc72250aef0fe35a4d7113f208cacc1d7aa7344388cf7cc4d1641fd3c217e238d4a5cc45c8b33c9f8acce47b5

  • C:\Users\Admin\AppData\Local\Temp\whluzkp.exe (no filesize recorded)
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Local\Temp\whluzkp.exe (2.0MB)
    MD5: 53883cce14f1f161eedf845ef95b6f4d
    SHA1: 19d2558c47472d36cfdb00b169859c5fa135a8a0
    SHA256: e6075e25b557f8476e823425fd9d09df4074d490676bf0585f4156fa2cb559c6
    SHA512: f5854060ccb09aa003a2c14ebcfec3f4f90cd210e66130f8843117748880fc77eb4c99c8d93391f6bf2e8f20c32267499591d595d7ac06dbc49c486ae5d04137

  • C:\Users\Admin\AppData\Local\afdgfkjggholqfkdmlsxvyx.byy (280B)
    MD5: 763088c12e65aaca47fae7b64d2d4f25
    SHA1: 67b09235770a2a6570825b95082ac56838823727
    SHA256: dc7bd12c751639988def5b36658d08aed2268a76021062705f7c0b0dfb989773
    SHA512: 769e98a785c2af9f04c2e18a9e831ec92d7b3319504db57aed65c5960aac2d1b68bfc873bc4bc2dd4421fb79c178eca13ff9ea303ee0a0af085e996b1607a252

  • C:\Users\Admin\AppData\Local\afdgfkjggholqfkdmlsxvyx.byy (280B)
    MD5: b4e25cb7805f422afe5c432f3aabeb7a
    SHA1: 6009fd90e606b911d27d74bcfab1c709b89ce712
    SHA256: 5039a7aec95204250d8a8a5fbf38a0d63339921b91a966d789710e4a5b112cdb
    SHA512: 76c8a4b4632fc9a6bac403dde3c31d69d86e50a2d283662d69bb62daba0505f808a9f8dd5c03040c137ba421a02c79f42da80cd02ecc12baca36ab5d3b9fde0c

  • C:\Users\Admin\AppData\Local\ndmakaksdphpffvztdvluisisalxpxnndh.ldt (4KB)
    MD5: 247ec9a707da11ea59df788a9d5ef8db
    SHA1: 9702b6c61c2dd6c68e872a1e9ecf24269c718378
    SHA256: cb073f10020aa646159af70c8dd92951ec36996ab8c854bd615885620e281b99
    SHA512: fb8ab66ffe8c0df9e3d3ac6d2abc1aec9b8810c2bb883fa5bb6223002ce0cb397d485ede891632e8ec59742c812d2ee470ff946e8ee5b42ffb124aaff9a324dd