1449fce2d52bd0dd8dc422a0c5d17f4ab20af9615e0620d0e0992dca62a27ee9

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27/03/2023, 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eh.exe
Size

35KB
MD5

ea24f9297d11023076d9b10de14d15ec
SHA1

7a399ba2d7bc9b878d457a98bb34c325fb0ed164
SHA256

7a17c25be0c3e70aaea4f8987d981ea2042fdea62a13d60c430a0fc58b86db1f
SHA512

f1c63394a47510cfd396c802c4fc06c5bf3cd83ec27815326e2819b96dbeb19b62ed8ff8984cff07e9e4211a8dcd5c06339cc91ae8dcfa794fb717d302544e13
SSDEEP

768:g2B3kHsILvVTqUf7oViM9CCF9rnNR3u0+6C1nbcuyD7U8u:PeM9ICpPF9rNoyCnouy8H

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	eh.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 1 IoCs

pid	Process
1992	eh.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1992-55-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1992-57-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360se = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eh.exe"	eh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	eh.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eh.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\n:	eh.exe
File opened (read-only)	\??\s:	eh.exe
File opened (read-only)	\??\u:	eh.exe
File opened (read-only)	\??\z:	eh.exe
File opened (read-only)	\??\e:	eh.exe
File opened (read-only)	\??\h:	eh.exe
File opened (read-only)	\??\k:	eh.exe
File opened (read-only)	\??\m:	eh.exe
File opened (read-only)	\??\x:	eh.exe
File opened (read-only)	\??\j:	eh.exe
File opened (read-only)	\??\o:	eh.exe
File opened (read-only)	\??\r:	eh.exe
File opened (read-only)	\??\w:	eh.exe
File opened (read-only)	\??\t:	eh.exe
File opened (read-only)	\??\g:	eh.exe
File opened (read-only)	\??\i:	eh.exe
File opened (read-only)	\??\l:	eh.exe
File opened (read-only)	\??\q:	eh.exe
File opened (read-only)	\??\f:	eh.exe
File opened (read-only)	\??\p:	eh.exe
File opened (read-only)	\??\v:	eh.exe
File opened (read-only)	\??\y:	eh.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\7081618.DEP	eh.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\rkdltecq\qioihz.pif	eh.exe
File opened for modification	C:\Program Files (x86)\Common Files\rkdltecq\qioihz.pif	eh.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1696	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe
1992	eh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	eh.exe
Token: SeDebugPrivilege	1992	eh.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1944	1992	eh.exe	28
PID 1992 wrote to memory of 1944	1992	eh.exe	28
PID 1992 wrote to memory of 1944	1992	eh.exe	28
PID 1992 wrote to memory of 1944	1992	eh.exe	28
PID 1944 wrote to memory of 1696	1944	cmd.exe	30
PID 1944 wrote to memory of 1696	1944	cmd.exe	30
PID 1944 wrote to memory of 1696	1944	cmd.exe	30
PID 1944 wrote to memory of 1696	1944	cmd.exe	30

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	eh.exe

C:\Users\Admin\AppData\Local\Temp\eh.exe
"C:\Users\Admin\AppData\Local\Temp\eh.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc stop policyagent
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\sc.exe
    sc stop policyagent
    3⤵
    - Launches sc.exe
    PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\7081618.DEP

Filesize
5.1MB

MD5
4d1560a3efcbf9c784a8405224a328fc

SHA1
b1c129eed09e710aa952335411c34a6a41f0ae9b

SHA256
b930506c9000d3c36583e4ebf52985fdbb3a0aaab78e30412d882b6455160837

SHA512
8b5d35ad2020e5c6b5804cf519a64ff09c175798b03792be157ee70b2f9c359b5271e30b7dce0111de78825f6f8cecfd269537c7e5df938a205c5a64f8234fc3

Download Submit
memory/1992-55-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1992-57-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download