Overview

overview

10

Static

static

88b426437c...fd.exe

windows10-2004-x64

10

Resubmissions

23-02-2023 14:03

230223-rcnzwsga69 10

20-01-2023 12:25

230120-plqhzaff6y 10

16-01-2023 12:00

230116-n6kyjsad9v 10

15-01-2023 04:12

230115-esqr7sdg4v 10

15-01-2023 04:01

230115-elc8jahg27 8

15-01-2023 03:56

230115-ehjk5shf75 8

15-01-2023 01:02

230115-bebjksbg8w 10

15-01-2023 00:38

230115-azcfyafg72 8

Analysis

  • max time kernel
    303s
  • max time network
    403s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-01-2023 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe

  • Size

    1.6MB

  • MD5

    9f7aaf3a9a3f325dd533ecc38d85a351

  • SHA1

    1ebdc55b96e11d9b924fbba8c5fa1799ff247970

  • SHA256

    88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd

  • SHA512

    0afdcb5362be67938d00baaeb3974af3ad2b7342c8024ec2390ce87bad4c6252e4c8277a0bb36979cdcb4036aa9f7dc93ac23f78acdd04033c3086fa3fd7286f

  • SSDEEP

    24576:yWmAFubS9dt9Mcp5CPu4YV5GaCxYiluVuTY4PRVGEw6GPDp5MwNrsJjF2GKGI8L:q29dRpYW4YV5QxYiET8ahPDMwNrs2y

Score
10/10
evasiontrojanupx

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops desktop.ini file(s) 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe
    "C:\Users\Admin\AppData\Local\Temp\88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Users\Admin\AppData\Local\Temp\SETUP_26658\Engine.exe
      C:\Users\Admin\AppData\Local\Temp\SETUP_26658\Engine.exe /TH_ID=_2592 /OriginExe="C:\Users\Admin\AppData\Local\Temp\88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:816
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c cmd < 4
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2896
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell get-process avastui
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1536
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell get-process avgui
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4060
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^ibXEdmiVmigethPmiCeveAlmmdbbRGVlGZgkrkVHBRdIphNCcvDTejGGhntqwKrSktcyZDvWGxUklCdjCVwceeizaHYEiVGRNbvySICSZHhIac$" 45
            5⤵
              PID:4772
            • C:\Users\Admin\AppData\Local\Temp\5col3ccv.tda\7269\Champion.exe.pif
              7269\\Champion.exe.pif 7269\\S
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:3076
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                6⤵
                • UAC bypass
                • Suspicious use of AdjustPrivilegeToken
                PID:4080
            • C:\Windows\SysWOW64\PING.EXE
              ping localhost -n 18
              5⤵
              • Runs ping.exe
              PID:1160
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:796
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
      1⤵
      • Drops desktop.ini file(s)
      • Checks processor information in registry
      • Modifies registry class
      PID:3912
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3112
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
        1⤵
        • Checks processor information in registry
        • Modifies registry class
        PID:2444
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k UnistackSvcGroup
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1968
      • C:\Windows\System32\calc.exe
        "C:\Windows\System32\calc.exe"
        1⤵
        • Modifies registry class
        PID:632
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:3476
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:736

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Bypass User Account Control

      1
      T1088

      Defense Evasion

      Bypass User Account Control

      1
      T1088

      Disabling Security Tools

      1
      T1089

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Web Service

      1
      T1102

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        1KB

        MD5

        def65711d78669d7f8e69313be4acf2e

        SHA1

        6522ebf1de09eeb981e270bd95114bc69a49cda6

        SHA256

        aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

        SHA512

        05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        0e9fe0c5a7ab9bac3d206aaef763743c

        SHA1

        b2fe1b69b2220ade96f8e10eeb4301ce2245a48f

        SHA256

        988704213194f865ffeb8f8207cfa80a2cc912d493d414de74e243ec23610cfb

        SHA512

        dddf48e4aa8bd65316a9bf3859422acf9abc1bb07df6b916e6f2f87709fc48c22cd6c474fc807e2fc8694a1c6323f6bece1c83273877b640cf7377236fc370ae

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\5col3ccv.tda\7269\Champion.exe.pif
        Filesize

        872KB

        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\SETUP_26658\00000#4
        Filesize

        12KB

        MD5

        4839bb17c0c82a044dbd0072c6c98cb6

        SHA1

        3c06dcc178dd8a8e2290b746cfc7e704a537c91f

        SHA256

        a7e6636cd2ba510513484cfea9201884f64f7b664951402b909caf9728704ec2

        SHA512

        13d607b989efca3105363a10f481ef02fdcfcd5da4a267da0b87f3f2417456e672337c8e6332e0be286f6401bea203149a1cd23a24a8006f689b32e9d6199b55

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\SETUP_26658\00001#45
        Filesize

        872KB

        MD5

        a3b85111ecdfc29672319893192bb7fd

        SHA1

        4ec865fd387eade4cd0b0ad8cabd68cae89ac8d5

        SHA256

        ec8149d7c157e53108c089f07b8d2bf1156b8c1f8632c938a2130279927e2367

        SHA512

        0c9e75843ebe962246a0fd2d15e2b90ae71257aac15ee7b1cf12a3fc383a144fef5959c0a81c7d9f55ef6893937b1a9868a7c2546d70045c40810a7b3a0be804

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\SETUP_26658\00002#7
        Filesize

        1.5MB

        MD5

        536073c3748e4eb7bbee303547b7227d

        SHA1

        4397b1d855e799f4d38467a848cda2273c1c6c73

        SHA256

        8e289b8dfc7e4994d808ef79a88adb513365177604fe587f6efa812f284e21a3

        SHA512

        3b1e1c853c362770a4ddcc4c7b3b932f9adf9db006bf649266a1b0c9c6c7b0afb7f0cd5687f672ed58908c9af8b56a830888b6f30defb97297cbde8de18f7651

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\SETUP_26658\Engine.exe
        Filesize

        392KB

        MD5

        a7a99a201774531d761f6aac2651a9df

        SHA1

        b122ae368c4bf103e959a6ebb54ddb310117ab96

        SHA256

        e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

        SHA512

        056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\SETUP_26658\Engine.exe
        Filesize

        392KB

        MD5

        a7a99a201774531d761f6aac2651a9df

        SHA1

        b122ae368c4bf103e959a6ebb54ddb310117ab96

        SHA256

        e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

        SHA512

        056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\SETUP_26658\Modern_Icon.bmp
        Filesize

        7KB

        MD5

        1dd88f67f029710d5c5858a6293a93f1

        SHA1

        3e5ef66613415fe9467b2a24ccc27d8f997e7df6

        SHA256

        b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

        SHA512

        7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\SETUP_26658\Setup.txt
        Filesize

        2KB

        MD5

        ae90fca8c12f2c43c468fbd0954381f7

        SHA1

        d475bb8f5891ab5f4c7cd2c90847cbfa68758842

        SHA256

        d9f67a975a877aa95e76821542311adb21704988d8452916d5b51feeeff3e720

        SHA512

        6880c7b658b7852bfcd597a57fd6e85f8a218e18d7acc248edc8efb2bea5a61063c4eeb5ae48008cc07408501c1af0eefc6a9010820ba823ab3fe66dae1f9041

        Download Submit
      • memory/816-161-0x0000000000400000-0x0000000000558000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/816-162-0x0000000000400000-0x0000000000558000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/816-140-0x0000000000400000-0x0000000000558000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/816-132-0x0000000000000000-mapping.dmp
        Download
      • memory/1160-160-0x0000000000000000-mapping.dmp
        Download
      • memory/1536-152-0x0000000006A50000-0x0000000006A72000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1536-144-0x0000000004FE0000-0x0000000005016000-memory.dmp
        Filesize

        216KB

        Download
      • memory/1536-149-0x0000000006530000-0x000000000654E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/1536-150-0x0000000007700000-0x0000000007796000-memory.dmp
        Filesize

        600KB

        Download
      • memory/1536-151-0x0000000006A00000-0x0000000006A1A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/1536-147-0x0000000005E50000-0x0000000005EB6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1536-153-0x0000000007D50000-0x00000000082F4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/1536-148-0x0000000005EC0000-0x0000000005F26000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1536-146-0x0000000005CB0000-0x0000000005CD2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1536-145-0x0000000005650000-0x0000000005C78000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/1536-143-0x0000000000000000-mapping.dmp
        Download
      • memory/1968-167-0x0000029E2D440000-0x0000029E2D450000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1968-168-0x0000029E2D540000-0x0000029E2D550000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2372-141-0x0000000000000000-mapping.dmp
        Download
      • memory/2896-142-0x0000000000000000-mapping.dmp
        Download
      • memory/3076-158-0x0000000000000000-mapping.dmp
        Download
      • memory/4060-154-0x0000000000000000-mapping.dmp
        Download
      • memory/4080-166-0x0000000005420000-0x00000000054B2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4080-164-0x0000000000F00000-0x0000000000FA6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/4080-163-0x0000000000000000-mapping.dmp
        Download
      • memory/4080-169-0x0000000006DB0000-0x0000000006F72000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/4080-170-0x0000000006C60000-0x0000000006CD6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/4080-171-0x00000000074B0000-0x00000000079DC000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/4080-172-0x0000000007180000-0x000000000719E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4772-157-0x0000000000000000-mapping.dmp
        Download