Analysis

  • max time kernel
    141s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2023 19:16

General

  • Target

    Abantes.exe

  • Size

    2.7MB

  • MD5

    cd2e58136d3049e9be40ae29f9250c93

  • SHA1

    e97beb8b87d130e5c5745981e3614ed6aa3caae3

  • SHA256

    dac4b5511343cf863832e38886af8a3e1d55529648314eb02cc21fa3979f6419

  • SHA512

    3ad23ad35d23acfa9edc187f443f28c4bb11279472632726f450b10cc09a653e10f4832f9cca44d063ad1259de6c7017ca6ca8f64ed07d302c3b2d06628f0ba7

  • SSDEEP

    49152:yi98eUDa7+tCg3e+zNWZjUDa7+tCg3e+zNWyUDa7+tCg3e+zNWR9Bh:yAC+7+p3ej2+7+p3ejh+7+p3ejDBh

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Possible privilege escalation attempt 14 IoCs
  • Sets file execution options in registry 2 TTPs 49 IoCs
  • Modifies file permissions 1 TTPs 14 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Modifies WinLogon 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 17 IoCs
  • Delays execution with timeout.exe 2 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Control Panel 16 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Abantes.exe
    "C:\Users\Admin\AppData\Local\Temp\Abantes.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Sets file execution options in registry
    • Modifies system executable filetype association
    • Checks whether UAC is enabled
    • Modifies WinLogon
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1312
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\Defender\Action.bat""
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4296
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f logonui.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4844
      • C:\Windows\SysWOW64\icacls.exe
        icacls logonui.exe /granted Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:216
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f "C:\Windows\System32\en-US" /r /d y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:228
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Windows\System32\en-US" /granted Admin:F /T /C
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1412
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f explorer.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3552
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f regedit.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:872
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f HelpPane.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3492
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f "C:\Windows\Temp" /r /d y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3564
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f "C:\Windows\en-US" /r /d y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4848
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Windows\Temp" /granted Admin:F /T /C
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1756
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Windows\en-US" /granted Admin:F /T /C
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3448
      • C:\Windows\SysWOW64\icacls.exe
        icacls regedit.exe /granted Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4936
      • C:\Windows\SysWOW64\icacls.exe
        icacls explorer.exe /granted Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4632
      • C:\Windows\SysWOW64\icacls.exe
        icacls HelpPane.exe /granted Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4568
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic useraccount where name='Admin' set FullName='Abantes Was Here'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4312
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic useraccount where name='Admin' rename 'Abantes Was Here'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5104
      • C:\Windows\SysWOW64\netsh.exe
        NetSh Advfirewall set allprofiles state off
        3⤵
        • Modifies Windows Firewall
        PID:3720
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • Kills process with taskkill
        PID:4812
      • C:\Windows\SysWOW64\timeout.exe
        TIMEOUT 1
        3⤵
        • Delays execution with timeout.exe
        PID:3768
      • C:\Windows\SysWOW64\timeout.exe
        TIMEOUT 2
        3⤵
        • Delays execution with timeout.exe
        PID:1296

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\Defender\Action.bat

    Filesize

    1KB

    MD5

    8b3585b4f84496c306b6c082ea6e52ef

    SHA1

    04bf1cf0f68a571e746fb7c863f71fa70e0e79d3

    SHA256

    d06d5f8501501af5677b133ff7aa531ccf1bf9b2673a1f26117f0420532b599e

    SHA512

    733bb98473fc8b3c8f0f96ff5ccec9212c36f7162742ee124d6a0edd0186e171ec61de97a3268663812802c90d29cd1e5077af72e02f550d94d67ebe106c0591

  • C:\Windows\Defender\authui.dll.mui

    Filesize

    21KB

    MD5

    a3a8fb6325f2f4fd31039775be19a9a4

    SHA1

    dba1acba938c8720b23b992ef77f130b6dbe7428

    SHA256

    6baf83c2c45f0e3a1a1dedc799cce6adb766dabe25baa847f9dd308aae0218eb

    SHA512

    9a03528d3b1a6a0bc3fbce6149d1cf6e21fe629c53d1b93954e6147cdfbf95eb272e75dbf906e38a1981706e71f679fda680cdf8601491ba792576c9b54d043e

  • C:\Windows\Defender\explorer.exe.mui

    Filesize

    15KB

    MD5

    39f1a6a8b713fcf30afc03ea3c936f85

    SHA1

    9209b25730c7896e047e5a4fc1da73c294e55c0e

    SHA256

    b69b61675531060d350a795a53568ccf19a146060cebb659ebc658a0e8b27fc9

    SHA512

    82b402b1c94fb8444e9d32f10becad994715667fc36d427faf6ae4f433c8e7025c3ca387e6cae7fb4e14f2e9f36446354c1c2585445fd79e7673b78419232780

  • memory/1312-133-0x0000000000A50000-0x0000000000D08000-memory.dmp

    Filesize

    2.7MB

  • memory/1312-134-0x0000000005DE0000-0x0000000006384000-memory.dmp

    Filesize

    5.6MB

  • memory/1312-135-0x0000000005760000-0x00000000057F2000-memory.dmp

    Filesize

    584KB

  • memory/1312-136-0x0000000005800000-0x000000000580A000-memory.dmp

    Filesize

    40KB

  • memory/1312-137-0x0000000005820000-0x0000000005830000-memory.dmp

    Filesize

    64KB

  • memory/1312-161-0x0000000005820000-0x0000000005830000-memory.dmp

    Filesize

    64KB