Overview

overview

10

Static

static

56ad1418f4...17.exe

windows7_x64

10

56ad1418f4...17.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    13-05-2021 12:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe

  • Size

    704KB

  • MD5

    e7f9d6dd424f33059dda93a35ab3f69c

  • SHA1

    617c2988a2149f71c185d0e5f2f0a3a2f31225ec

  • SHA256

    56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717

  • SHA512

    cd24b7603efa82f0cda296bddb96e6361c73de071545ab59e51ce779ceda87e85dce8b97edd12be06a8ec0b743629673360150e67f3ccec618bd14b22e5826fd

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • UAC bypass 3 TTPs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 28 IoCs
    persistence
  • Disables RegEdit via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 39 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
    "C:\Users\Admin\AppData\Local\Temp\56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds policy Run key to start application
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1108
    • C:\Users\Admin\AppData\Local\Temp\guxcek.exe
      "C:\Users\Admin\AppData\Local\Temp\guxcek.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:3356
    • C:\Users\Admin\AppData\Local\Temp\guxcek.exe
      "C:\Users\Admin\AppData\Local\Temp\guxcek.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • System policy modification
      PID:184
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3116

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Bypass User Account Control

    1
    T1088

    Defense Evasion

    Modify Registry

    5
    T1112

    Bypass User Account Control

    1
    T1088

    Disabling Security Tools

    1
    T1089

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\guxcek.exe
      MD5

      7ce4dea919a4b9ed983b3e05349ae419

      SHA1

      162596dd9b666b953051b43931c97d7bac06ae9b

      SHA256

      18eda6a88bbcf9a0ef3c8d8c603cf56b8649a9f5866c944444c87a3333ae5ea4

      SHA512

      ce8f5629923b281bafc6438cc4485f54df375d15427ce6e7859616a772218f4f7771d707b88483cccebec60cafdd60f1c8562fd068b53ea7b07d948f2ffd3bbd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\guxcek.exe
      MD5

      7ce4dea919a4b9ed983b3e05349ae419

      SHA1

      162596dd9b666b953051b43931c97d7bac06ae9b

      SHA256

      18eda6a88bbcf9a0ef3c8d8c603cf56b8649a9f5866c944444c87a3333ae5ea4

      SHA512

      ce8f5629923b281bafc6438cc4485f54df375d15427ce6e7859616a772218f4f7771d707b88483cccebec60cafdd60f1c8562fd068b53ea7b07d948f2ffd3bbd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\guxcek.exe
      MD5

      7ce4dea919a4b9ed983b3e05349ae419

      SHA1

      162596dd9b666b953051b43931c97d7bac06ae9b

      SHA256

      18eda6a88bbcf9a0ef3c8d8c603cf56b8649a9f5866c944444c87a3333ae5ea4

      SHA512

      ce8f5629923b281bafc6438cc4485f54df375d15427ce6e7859616a772218f4f7771d707b88483cccebec60cafdd60f1c8562fd068b53ea7b07d948f2ffd3bbd

      Download Submit
    • memory/184-117-0x0000000000000000-mapping.dmp
      Download
    • memory/3356-114-0x0000000000000000-mapping.dmp
      Download