1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22/09/2023, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Size

11.1MB
MD5

4edebaf2db8a9692c62283a06ba37cc8
SHA1

ac698b4892c703ab1df30ad3995bef26537771df
SHA256

1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c
SHA512

9c411787cd579ff405c6f4ea863d3354cf9199315951ac04d84cfd06c21efa2dac0a74ea83b61c2cb30e129fdfad41e53008a003e64e7e54588d0404a9121644
SSDEEP

196608:+pjfEMCIgaPQ5sjWwjNvexZtT4gaZD/oStzCX/eu7aVhJnwz0a:+xxxgaPQqO94rD/oSgjaVTwz0

Score

10^/10

evasion trojan upx vmprotect

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1668-59-0x0000000001B70000-0x0000000001B97000-memory.dmp	upx
behavioral1/memory/1668-74-0x0000000001B70000-0x0000000001B97000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1668-4-0x0000000000400000-0x00000000019AD000-memory.dmp	vmprotect
behavioral1/memory/1668-10-0x0000000000400000-0x00000000019AD000-memory.dmp	vmprotect
behavioral1/memory/1668-57-0x0000000000400000-0x00000000019AD000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Langlizdgd\Í·Ïñ¿òÏÂÉåÑýÏã1.bmp	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
File created	C:\Windows\Langlizdgd\ºìÄ¾ÈÎÎñÍ¼.bmp	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
File created	C:\Windows\Langlizdgd\Ë®Ä«ÈÎÎñ.bmp	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
File created	C:\Windows\Langlizdgd\×óÉÏ½Ç.bmp	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
File created	C:\Windows\Langlizdgd\±³°üÈÎÎñÍ¼±ê.bmp	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
File created	C:\Windows\Langlizdgd\±³°üÉåÑýÏã.bmp	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
File created	C:\Windows\Langlizdgd\Í·Ïñ¿òÏÂÉåÑýÏã.bmp	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
File created	C:\Windows\Langlizdgd\ºìÄ¾ÈÎÎñÍ¼1.bmp	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
File created	C:\Windows\Langlizdgd\Ë®Ä«ÈÎÎñ1.bmp	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
File created	C:\Windows\Langlizdgd\×Ö¿â.txt	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
File created	C:\Windows\Langlizdgd\±³°üÈÎÎñÍ¼±ê1.bmp	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
File created	C:\Windows\Langlizdgd\ÈË²Î¹û.bmp	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
File created	C:\Windows\Langlizdgd\ó´ÌÒ.bmp	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 1	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeCreateTokenPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeAssignPrimaryTokenPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeLockMemoryPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeIncreaseQuotaPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeMachineAccountPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeTcbPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeSecurityPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeTakeOwnershipPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeLoadDriverPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeSystemProfilePrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeSystemtimePrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeProfSingleProcessPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeIncBasePriorityPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeCreatePagefilePrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeCreatePermanentPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeBackupPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeRestorePrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeShutdownPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeDebugPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeAuditPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeSystemEnvironmentPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeChangeNotifyPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeRemoteShutdownPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeUndockPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeSyncAgentPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeEnableDelegationPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeManageVolumePrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeImpersonatePrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: SeCreateGlobalPrivilege	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 31	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 32	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 33	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 34	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 35	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 36	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 37	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 38	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 39	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 40	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 41	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 42	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 43	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 44	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 45	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 46	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 47	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Token: 48	1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
1668	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe

C:\Users\Admin\AppData\Local\Temp\1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe
"C:\Users\Admin\AppData\Local\Temp\1eea5073c05f06eb99fc1a0bc1f19a9641037d507dadb6a4620cd875a563c93c.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1668-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1668-4-0x0000000000400000-0x00000000019AD000-memory.dmp

Filesize
21.7MB

Download
memory/1668-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1668-6-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1668-10-0x0000000000400000-0x00000000019AD000-memory.dmp

Filesize
21.7MB

Download
memory/1668-11-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1668-8-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1668-21-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1668-19-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1668-16-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1668-29-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1668-31-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1668-26-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1668-24-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1668-14-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1668-34-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1668-37-0x0000000077E20000-0x0000000077E21000-memory.dmp

Filesize
4KB

Download
memory/1668-36-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1668-32-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1668-47-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/1668-48-0x0000000003990000-0x0000000003A91000-memory.dmp

Filesize
1.0MB

Download
memory/1668-50-0x0000000004540000-0x0000000004DA4000-memory.dmp

Filesize
8.4MB

Download
memory/1668-54-0x0000000004540000-0x0000000004DA4000-memory.dmp

Filesize
8.4MB

Download
memory/1668-57-0x0000000000400000-0x00000000019AD000-memory.dmp

Filesize
21.7MB

Download
memory/1668-59-0x0000000001B70000-0x0000000001B97000-memory.dmp

Filesize
156KB

Download
memory/1668-73-0x0000000004540000-0x0000000004DA4000-memory.dmp

Filesize
8.4MB

Download
memory/1668-74-0x0000000001B70000-0x0000000001B97000-memory.dmp

Filesize
156KB

Download
memory/1668-75-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/1668-76-0x0000000004540000-0x0000000004DA4000-memory.dmp

Filesize
8.4MB

Download