61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9

Analysis

max time kernel
197s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe
Size

48KB
MD5

966d8f607fa55985bfbde83713655ef7
SHA1

786eb94ab4153b579c1a73ada49fa88f5c14d0a8
SHA256

61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9
SHA512

d1e48fb7cdf9b7be92f3fab2e75aea4922512a2487365b5eb56bdaa7ac24328f54175f58e69cb75bc13d15b80f911cdc48ad1e213c769858a1a872f2e5ca06d9
SSDEEP

768:MEyjLPYrsRjHpU8YfsYAP73c7kn8zkBc5EARElPt96+2VWAGlHIqFfGMr4BOgZsM:qLPYr+JU8YkYAGk8wOtR50jlTotlCts

Score

10^/10

evasion trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/956-66-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Loads dropped DLL 9 IoCs

pid	Process
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
1108	rundll32.exe
1368	rundll32.exe
1368	rundll32.exe
1368	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\whhfd028.ocx	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\whh07048.ocx	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe
File opened for modification	C:\Program Files\Common Files\whh07048.ocx	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe
File created	C:\Program Files\Common Files\006C9E72ce.dll	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe
File opened for modification	C:\Program Files\Common Files\006C9E72ce.dll	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1108	rundll32.exe
1108	rundll32.exe
1108	rundll32.exe
1108	rundll32.exe
1108	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
892	rundll32.exe
460	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	892	rundll32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 1368	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	28
PID 956 wrote to memory of 1368	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	28
PID 956 wrote to memory of 1368	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	28
PID 956 wrote to memory of 1368	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	28
PID 956 wrote to memory of 1368	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	28
PID 956 wrote to memory of 1368	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	28
PID 956 wrote to memory of 1368	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	28
PID 956 wrote to memory of 892	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	29
PID 956 wrote to memory of 892	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	29
PID 956 wrote to memory of 892	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	29
PID 956 wrote to memory of 892	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	29
PID 956 wrote to memory of 892	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	29
PID 956 wrote to memory of 892	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	29
PID 956 wrote to memory of 892	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	29
PID 956 wrote to memory of 1108	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	30
PID 956 wrote to memory of 1108	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	30
PID 956 wrote to memory of 1108	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	30
PID 956 wrote to memory of 1108	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	30
PID 956 wrote to memory of 1108	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	30
PID 956 wrote to memory of 1108	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	30
PID 956 wrote to memory of 1108	956	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe	30

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe

C:\Users\Admin\AppData\Local\Temp\61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe
"C:\Users\Admin\AppData\Local\Temp\61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe"
1⤵
- UAC bypass
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:956
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Windows\system32\whhfd028.ocx" InstallSvr0
  2⤵
  - Loads dropped DLL
  PID:1368
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\006C9E72ce.dll" InstallSvr3
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\whh07048.ocx" InstallSvr1 C:\Users\Admin\AppData\Local\Temp\61bb3f089a4d212dc4aca48df68678cfca20fe505b879e6980ef6a812f479fb9.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\006C9E72ce.dll

Filesize
6KB

MD5
6fb92d25078bfff1c215229067b5beaa

SHA1
3d9a6f564f492b30981359bbcee5f9e02536e3be

SHA256
5ce7c2eb8860f172dd5b68cd94307b6665f6785b207d936577bbaab196b61f33

SHA512
9cf0b61f7e618df406104685158cf877ca892e7847a3c2efed3ea4a2fb08384cc0bc492cb1ea366d1b181f79a6014fe7b95ba7ed2c15744317187be080f77b24

Download Submit
C:\Program Files\Common Files\whh07048.ocx

Filesize
56KB

MD5
62ed249133ad0512e640230dced99c41

SHA1
dbfb001d94fd30af3d5abd9f58941b321610f59e

SHA256
f89f3cd0ee855c0ae8f24f85e671473cd90f4869d6821cb53dd84f48a71c0405

SHA512
d9548d48a57e2c742d364027e07f287ef9298b6fea671cf5abd6208260217b3fe2ef4f3421bb8758da98ac458c77eb613f80ff66655295246047a2924f97a401

Download Submit
C:\Windows\SysWOW64\whhfd028.ocx

Filesize
11KB

MD5
6b51354fb017488210e58687462ee83e

SHA1
d3623503867948285e9d4741f058d693decd1c17

SHA256
5707e445eeca460f2e7f320d5c99eaf7840fd94632638d48e65d66a66a4ba715

SHA512
ddcbdbd7728899eaa93d3773e600b79248e1af266a27721e6018c28430482ceb1116779416bb04983f5a8730b2a981f08db32e405a6da635500a9b2a78701406

Download Submit
\Program Files\Common Files\006C9E72ce.dll

Filesize
6KB

MD5
6fb92d25078bfff1c215229067b5beaa

SHA1
3d9a6f564f492b30981359bbcee5f9e02536e3be

SHA256
5ce7c2eb8860f172dd5b68cd94307b6665f6785b207d936577bbaab196b61f33

SHA512
9cf0b61f7e618df406104685158cf877ca892e7847a3c2efed3ea4a2fb08384cc0bc492cb1ea366d1b181f79a6014fe7b95ba7ed2c15744317187be080f77b24

Download Submit
\Program Files\Common Files\006C9E72ce.dll

Filesize
6KB

MD5
6fb92d25078bfff1c215229067b5beaa

SHA1
3d9a6f564f492b30981359bbcee5f9e02536e3be

SHA256
5ce7c2eb8860f172dd5b68cd94307b6665f6785b207d936577bbaab196b61f33

SHA512
9cf0b61f7e618df406104685158cf877ca892e7847a3c2efed3ea4a2fb08384cc0bc492cb1ea366d1b181f79a6014fe7b95ba7ed2c15744317187be080f77b24

Download Submit
\Program Files\Common Files\006C9E72ce.dll

Filesize
6KB

MD5
6fb92d25078bfff1c215229067b5beaa

SHA1
3d9a6f564f492b30981359bbcee5f9e02536e3be

SHA256
5ce7c2eb8860f172dd5b68cd94307b6665f6785b207d936577bbaab196b61f33

SHA512
9cf0b61f7e618df406104685158cf877ca892e7847a3c2efed3ea4a2fb08384cc0bc492cb1ea366d1b181f79a6014fe7b95ba7ed2c15744317187be080f77b24

Download Submit
\Program Files\Common Files\006C9E72ce.dll

Filesize
6KB

MD5
6fb92d25078bfff1c215229067b5beaa

SHA1
3d9a6f564f492b30981359bbcee5f9e02536e3be

SHA256
5ce7c2eb8860f172dd5b68cd94307b6665f6785b207d936577bbaab196b61f33

SHA512
9cf0b61f7e618df406104685158cf877ca892e7847a3c2efed3ea4a2fb08384cc0bc492cb1ea366d1b181f79a6014fe7b95ba7ed2c15744317187be080f77b24

Download Submit
\Program Files\Common Files\whh07048.ocx

Filesize
56KB

MD5
62ed249133ad0512e640230dced99c41

SHA1
dbfb001d94fd30af3d5abd9f58941b321610f59e

SHA256
f89f3cd0ee855c0ae8f24f85e671473cd90f4869d6821cb53dd84f48a71c0405

SHA512
d9548d48a57e2c742d364027e07f287ef9298b6fea671cf5abd6208260217b3fe2ef4f3421bb8758da98ac458c77eb613f80ff66655295246047a2924f97a401

Download Submit
\Program Files\Common Files\whh07048.ocx

Filesize
56KB

MD5
62ed249133ad0512e640230dced99c41

SHA1
dbfb001d94fd30af3d5abd9f58941b321610f59e

SHA256
f89f3cd0ee855c0ae8f24f85e671473cd90f4869d6821cb53dd84f48a71c0405

SHA512
d9548d48a57e2c742d364027e07f287ef9298b6fea671cf5abd6208260217b3fe2ef4f3421bb8758da98ac458c77eb613f80ff66655295246047a2924f97a401

Download Submit
\Program Files\Common Files\whh07048.ocx

Filesize
56KB

MD5
62ed249133ad0512e640230dced99c41

SHA1
dbfb001d94fd30af3d5abd9f58941b321610f59e

SHA256
f89f3cd0ee855c0ae8f24f85e671473cd90f4869d6821cb53dd84f48a71c0405

SHA512
d9548d48a57e2c742d364027e07f287ef9298b6fea671cf5abd6208260217b3fe2ef4f3421bb8758da98ac458c77eb613f80ff66655295246047a2924f97a401

Download Submit
\Windows\SysWOW64\whhfd028.ocx

Filesize
11KB

MD5
6b51354fb017488210e58687462ee83e

SHA1
d3623503867948285e9d4741f058d693decd1c17

SHA256
5707e445eeca460f2e7f320d5c99eaf7840fd94632638d48e65d66a66a4ba715

SHA512
ddcbdbd7728899eaa93d3773e600b79248e1af266a27721e6018c28430482ceb1116779416bb04983f5a8730b2a981f08db32e405a6da635500a9b2a78701406

Download Submit
\Windows\SysWOW64\whhfd028.ocx

Filesize
11KB

MD5
6b51354fb017488210e58687462ee83e

SHA1
d3623503867948285e9d4741f058d693decd1c17

SHA256
5707e445eeca460f2e7f320d5c99eaf7840fd94632638d48e65d66a66a4ba715

SHA512
ddcbdbd7728899eaa93d3773e600b79248e1af266a27721e6018c28430482ceb1116779416bb04983f5a8730b2a981f08db32e405a6da635500a9b2a78701406

Download Submit
memory/892-75-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/892-70-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/892-82-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/956-66-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1108-78-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1108-83-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1368-76-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1368-77-0x00000000000B0000-0x00000000000C3000-memory.dmp

Filesize
76KB

Download
memory/1368-56-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/1368-80-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1368-81-0x0000000000110000-0x0000000000112000-memory.dmp

Filesize
8KB

Download
memory/1368-74-0x00000000000B0000-0x00000000000C3000-memory.dmp

Filesize
76KB

Download