ed04378d4fe8fd0814a4435d86b7097706413094c476b29f2539b08ae9592bc2

Analysis

max time kernel
33s
max time network
36s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
01-07-2023 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed04378d4fe8fd0814a4435d8.exe
Size

1.8MB
MD5

4b24bb7eb024e319888f9e7e00fe4243
SHA1

c3607f61d72e6ec43cf7bf4f41d166eecaa27f58
SHA256

ed04378d4fe8fd0814a4435d86b7097706413094c476b29f2539b08ae9592bc2
SHA512

48c27f416e07307ee046ccab04fe868b0cf25fe178b002bcc1075adbc47d3fb7ae92b0e8709cdbd159f54755bd7c492e343d8da149d2a9a227836a8d315a0fc3
SSDEEP

49152:iRTQWltDVTODlosbWp6FjTxEeliYZ8+Y7JKQa:itzlnY/bW0FjTOKZJaJI

Score

10^/10

evasion trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

v.exe

pid process

1124 v.exe
Loads dropped DLL 2 IoCs

Processes:

ed04378d4fe8fd0814a4435d8.exev.exe

pid process

1188 ed04378d4fe8fd0814a4435d8.exe
1124 v.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
1124	v.exe

pid	process
1188	ed04378d4fe8fd0814a4435d8.exe
1124	v.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1188-66-0x0000000000400000-0x000000000083F000-memory.dmp	upx
behavioral1/memory/1188-70-0x0000000000400000-0x000000000083F000-memory.dmp	upx
behavioral1/memory/1188-71-0x0000000000400000-0x000000000083F000-memory.dmp	upx
behavioral1/memory/1188-78-0x0000000000400000-0x000000000083F000-memory.dmp	upx
behavioral1/memory/1188-81-0x0000000000400000-0x000000000083F000-memory.dmp	upx
behavioral1/memory/1188-103-0x0000000000400000-0x000000000083F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

860 reg.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ed04378d4fe8fd0814a4435d8.exe

pid process

1188 ed04378d4fe8fd0814a4435d8.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

v.exe

description pid process

Token: SeRestorePrivilege 1124 v.exe
Token: 35 1124 v.exe
Token: SeSecurityPrivilege 1124 v.exe
Token: SeSecurityPrivilege 1124 v.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ed04378d4fe8fd0814a4435d8.exe

pid process

1188 ed04378d4fe8fd0814a4435d8.exe
1188 ed04378d4fe8fd0814a4435d8.exe

pid	process
860	reg.exe

pid	process
1188	ed04378d4fe8fd0814a4435d8.exe

description	pid	process
Token: SeRestorePrivilege	1124	v.exe
Token: 35	1124	v.exe
Token: SeSecurityPrivilege	1124	v.exe
Token: SeSecurityPrivilege	1124	v.exe

pid	process
1188	ed04378d4fe8fd0814a4435d8.exe
1188	ed04378d4fe8fd0814a4435d8.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

ed04378d4fe8fd0814a4435d8.execmd.exeWScript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1188 wrote to memory of 1192	1188	ed04378d4fe8fd0814a4435d8.exe	cmd.exe
PID 1188 wrote to memory of 1192	1188	ed04378d4fe8fd0814a4435d8.exe	cmd.exe
PID 1188 wrote to memory of 1192	1188	ed04378d4fe8fd0814a4435d8.exe	cmd.exe
PID 1188 wrote to memory of 1192	1188	ed04378d4fe8fd0814a4435d8.exe	cmd.exe
PID 1188 wrote to memory of 1148	1188	ed04378d4fe8fd0814a4435d8.exe	WScript.exe
PID 1188 wrote to memory of 1148	1188	ed04378d4fe8fd0814a4435d8.exe	WScript.exe
PID 1188 wrote to memory of 1148	1188	ed04378d4fe8fd0814a4435d8.exe	WScript.exe
PID 1188 wrote to memory of 1148	1188	ed04378d4fe8fd0814a4435d8.exe	WScript.exe
PID 1192 wrote to memory of 268	1192	cmd.exe	reg.exe
PID 1192 wrote to memory of 268	1192	cmd.exe	reg.exe
PID 1192 wrote to memory of 268	1192	cmd.exe	reg.exe
PID 1192 wrote to memory of 268	1192	cmd.exe	reg.exe
PID 1148 wrote to memory of 1852	1148	WScript.exe	cmd.exe
PID 1148 wrote to memory of 1852	1148	WScript.exe	cmd.exe
PID 1148 wrote to memory of 1852	1148	WScript.exe	cmd.exe
PID 1148 wrote to memory of 1852	1148	WScript.exe	cmd.exe
PID 1852 wrote to memory of 1312	1852	cmd.exe	reg.exe
PID 1852 wrote to memory of 1312	1852	cmd.exe	reg.exe
PID 1852 wrote to memory of 1312	1852	cmd.exe	reg.exe
PID 1852 wrote to memory of 1312	1852	cmd.exe	reg.exe
PID 1188 wrote to memory of 1124	1188	ed04378d4fe8fd0814a4435d8.exe	v.exe
PID 1188 wrote to memory of 1124	1188	ed04378d4fe8fd0814a4435d8.exe	v.exe
PID 1188 wrote to memory of 1124	1188	ed04378d4fe8fd0814a4435d8.exe	v.exe
PID 1188 wrote to memory of 1124	1188	ed04378d4fe8fd0814a4435d8.exe	v.exe
PID 1188 wrote to memory of 1152	1188	ed04378d4fe8fd0814a4435d8.exe	cmd.exe
PID 1188 wrote to memory of 1152	1188	ed04378d4fe8fd0814a4435d8.exe	cmd.exe
PID 1188 wrote to memory of 1152	1188	ed04378d4fe8fd0814a4435d8.exe	cmd.exe
PID 1188 wrote to memory of 1152	1188	ed04378d4fe8fd0814a4435d8.exe	cmd.exe
PID 1152 wrote to memory of 572	1152	cmd.exe	cmd.exe
PID 1152 wrote to memory of 572	1152	cmd.exe	cmd.exe
PID 1152 wrote to memory of 572	1152	cmd.exe	cmd.exe
PID 1152 wrote to memory of 572	1152	cmd.exe	cmd.exe
PID 572 wrote to memory of 860	572	cmd.exe	reg.exe
PID 572 wrote to memory of 860	572	cmd.exe	reg.exe
PID 572 wrote to memory of 860	572	cmd.exe	reg.exe
PID 572 wrote to memory of 860	572	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\ed04378d4fe8fd0814a4435d8.exe
"C:\Users\Admin\AppData\Local\Temp\ed04378d4fe8fd0814a4435d8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Public\xiaodaxzqxia\n.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
    3⤵
    PID:268
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\xiaodaxzqxia\A.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Public\xiaodaxzqxia\n.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
      4⤵
      PID:1312
- C:\Users\Public\xiaodaxzqxia\v.exe
  "C:\Users\Public\xiaodaxzqxia\v.exe" x 111 -y
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Public\xiaodaxzqxia\v.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /k C:\Windows\System32\reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\xiaodaxzqxia\111

Filesize
1.1MB

MD5
b6672f5964eb4f8495ac54286af46c2c

SHA1
cc41541c3dfec64af741154dddf28a0a5b0c7876

SHA256
2b5fb8e16196b2c9f79406b5266de3f5a0709d7522e40f82f411df91e5d9b6b3

SHA512
fb0a0cf37fcb88e647ff444eb3b7fd4445ebad38726172d91f26bb8ec41998e655a2ab27e4e7abba4b628bb694d07d5197311368de59e7b67309ae605468e0e6

Download Submit
C:\Users\Public\xiaodaxzqxia\7z.dll

Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
C:\Users\Public\xiaodaxzqxia\A.vbs

Filesize
107B

MD5
bcb223ea9c0598f04684216bcd0e12a6

SHA1
2661c8fbca3654a29fa261def7f16ea23a6f3165

SHA256
ef2113720c94cbe4cb494d6e24d26803b4b1a094e35e4285cd4a2f5665ef2c37

SHA512
77e440462544ca9f711f9241096601060080f5751651cab8a796d57ed74c424f03a9237a653c17a386c1ef654e6192d0e54080632dacff15a28a46564e639682

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat

Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat

Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\v.bat

Filesize
275B

MD5
be7bbc9c7f6b505918f84b006b871965

SHA1
62f62090deb64ebdd93e2d48a1b85b3d0082415b

SHA256
259d09385d3e18e569e36542ea92eee43747ec48244659ca21ff6e20e9a9d91d

SHA512
84afc35227b5b590b5db0bb0e3c1c991202c0d6eef6ecc3ec9d7c097dce3e60d32c85915c7103efa413586a62e0ee7ae773fe13186a2f37825d1f20ac3f705e9

Download Submit
C:\Users\Public\xiaodaxzqxia\v.bat

Filesize
275B

MD5
be7bbc9c7f6b505918f84b006b871965

SHA1
62f62090deb64ebdd93e2d48a1b85b3d0082415b

SHA256
259d09385d3e18e569e36542ea92eee43747ec48244659ca21ff6e20e9a9d91d

SHA512
84afc35227b5b590b5db0bb0e3c1c991202c0d6eef6ecc3ec9d7c097dce3e60d32c85915c7103efa413586a62e0ee7ae773fe13186a2f37825d1f20ac3f705e9

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe

Filesize
329KB

MD5
62d2156e3ca8387964f7aa13dd1ccd5b

SHA1
a5067e046ed9ea5512c94d1d17c394d6cf89ccca

SHA256
59cbfba941d3ac0238219daa11c93969489b40f1e8b38fabdb5805ac3dd72bfa

SHA512
006f7c46021f339b6cbf9f0b80cffa74abb8d48e12986266d069738c4e6bdb799bfba4b8ee4565a01e90dbe679a96a2399d795a6ead6eacbb4818a155858bf60

Download Submit
\Users\Public\xiaodaxzqxia\7z.dll

Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
\Users\Public\xiaodaxzqxia\v.exe

Filesize
329KB

MD5
62d2156e3ca8387964f7aa13dd1ccd5b

SHA1
a5067e046ed9ea5512c94d1d17c394d6cf89ccca

SHA256
59cbfba941d3ac0238219daa11c93969489b40f1e8b38fabdb5805ac3dd72bfa

SHA512
006f7c46021f339b6cbf9f0b80cffa74abb8d48e12986266d069738c4e6bdb799bfba4b8ee4565a01e90dbe679a96a2399d795a6ead6eacbb4818a155858bf60

Download Submit
memory/1188-81-0x0000000000400000-0x000000000083F000-memory.dmp

Filesize
4.2MB

Download
memory/1188-78-0x0000000000400000-0x000000000083F000-memory.dmp

Filesize
4.2MB

Download
memory/1188-71-0x0000000000400000-0x000000000083F000-memory.dmp

Filesize
4.2MB

Download
memory/1188-70-0x0000000000400000-0x000000000083F000-memory.dmp

Filesize
4.2MB

Download
memory/1188-66-0x0000000000400000-0x000000000083F000-memory.dmp

Filesize
4.2MB

Download
memory/1188-103-0x0000000000400000-0x000000000083F000-memory.dmp

Filesize
4.2MB

Download