b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f

General

Target

b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
Size

241KB
MD5

23c77075baf7c9ba4e669239a7e1ab4c
SHA1

014421bdb1ea105a6df0c27fc114819ff3637704
SHA256

b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f
SHA512

08de7c9228f277fff346c6cdcfc1b27588772339c5be54960e3a16cfb7c4295dd9f87d1a62c02d1805618c939ef66923f5cd86de5c0b6e4e7a2c1a344ab083ab

Score

10^/10

evasion suricata trojan

Malware Config

Signatures

suricata: ET MALWARE Possible TA410 APT FlowCloud Dependency Download
suricata: ET MALWARE Possible TA410 APT FlowCloud Dependency Download
suricata
suricata: ET MALWARE TA410 APT FlowCloud Dependency Download M1
suricata: ET MALWARE TA410 APT FlowCloud Dependency Download M1
suricata
suricata: ET MALWARE TA410 APT FlowCloud Dependency Download M2
suricata: ET MALWARE TA410 APT FlowCloud Dependency Download M2
suricata
suricata: ET MALWARE TA410 APT FlowCloud Dependency Download M3
suricata: ET MALWARE TA410 APT FlowCloud Dependency Download M3
suricata
suricata: ET MALWARE TA410 APT FlowCloud Dependency Download M4
suricata: ET MALWARE TA410 APT FlowCloud Dependency Download M4
suricata

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe

Drops file in System32 directory 2 IoCs

Processes:

b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\winver.dat	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\SysWOW64\winver.dat	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe

Drops file in Windows directory 24 IoCs

Processes:

b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe

description	ioc	process
File created	C:\Windows\System\tstfile	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\FE7E3A23	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\FE7E3A23-journal	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File created	C:\Windows\System\wpcap.dll	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\System\wpcap.dll	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\2C05B666-journal	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\2208093F	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\21860E7C	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\5386CCD3	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\E70EEF62	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\2208093F-journal	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\5A43E2E3	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\960AF10E-journal	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\21860E7C-journal	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\48115AFF-journal	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\5386CCD3-journal	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\2C05B666	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\48115AFF	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\E70EEF62-journal	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File created	C:\Windows\Fonts\zitbee.fon\data\21FB9FCF.DAT	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File created	C:\Windows\System\Packet.dll	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\System\Packet.dll	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\5A43E2E3-journal	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
File opened for modification	C:\Windows\Fonts\zitbee.fon\data\960AF10E	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe

C:\Users\Admin\AppData\Local\Temp\b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe
"C:\Users\Admin\AppData\Local\Temp\b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/764-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/764-55-0x0000000010000000-0x00000000100A8000-memory.dmp

Filesize
672KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads