Overview

overview

10

Static

static

7

1111111111...11.exe

windows7-x64

6

1111111111...11.exe

windows10-1703-x64

6

1111111111...11.exe

windows10-2004-x64

6

9VIcoCiitn.exe

windows7-x64

6

9VIcoCiitn.exe

windows10-1703-x64

6

9VIcoCiitn.exe

windows10-2004-x64

1

Microsoft Windows.exe

windows7-x64

10

Microsoft Windows.exe

windows10-1703-x64

10

Microsoft Windows.exe

windows10-2004-x64

10

New.exe

windows7-x64

7

New.exe

windows10-1703-x64

7

New.exe

windows10-2004-x64

7

SBLlgcMqPg.exe

windows7-x64

10

SBLlgcMqPg.exe

windows10-1703-x64

10

SBLlgcMqPg.exe

windows10-2004-x64

10

hh.chm

windows7-x64

10

hh.chm

windows10-1703-x64

8

hh.chm

windows10-2004-x64

8

nY4Ke1JkQH.exe

windows7-x64

10

nY4Ke1JkQH.exe

windows10-1703-x64

10

nY4Ke1JkQH.exe

windows10-2004-x64

10

qnr.dll

windows7-x64

3

qnr.dll

windows10-1703-x64

3

qnr.dll

windows10-2004-x64

3

˫װ.exe

windows7-x64

7

˫װ.exe

windows10-1703-x64

7

˫װ.exe

windows10-2004-x64

7

�...װ.exe

windows7-x64

7

�...װ.exe

windows10-1703-x64

7

�...װ.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    185s
  • max time network
    295s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01-10-2023 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Microsoft Windows.exe

  • Size

    1.7MB

  • MD5

    48154d5b444c7e235da7be4a0f2ade3a

  • SHA1

    57c00c9f26309b28bd4f725adbe2db10dce979e2

  • SHA256

    8936302e7140a879dc4ea137692a370f5876b9ccd1a63b9f1d930456b3338ba8

  • SHA512

    9e3bf380bb417ca7ae7b5a0986fa3fb1f99dc0d93329557adc17895f273e6bb98e2926ed671c4b566a7c024a15aec58ec575b7c622ed2fb020a49a9c05e2ae45

  • SSDEEP

    49152:FjHh/f9vfZryVsqv63smC88jukhTwp1mU9E:tp9vfpWsZcv6uyjE

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 3 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Microsoft Windows.exe
    "C:\Users\Admin\AppData\Local\Temp\Microsoft Windows.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:424
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:4984
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBEBC.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3632
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • UAC bypass
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2836
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4380
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
          4⤵
          • UAC bypass
          • Windows security bypass
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:784
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" -Force
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3448
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
            5⤵
              PID:4404
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
            4⤵
              PID:4500

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      3
      T1562

      Disable or Modify Tools

      3
      T1562.001

      Modify Registry

      5
      T1112

      Credential Access

      Discovery

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        1c19c16e21c97ed42d5beabc93391fc5

        SHA1

        8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

        SHA256

        1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

        SHA512

        7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        faa39055dcea49e3dbbe45d74e295480

        SHA1

        4503927a845b8de8462b304502d0a1fd2c5f7ec8

        SHA256

        de190f96817941fb555bba9f8db0f0d35f13ad77d9fe21d5670ef1b8296ba781

        SHA512

        aa49ad17618e02e8e3fc9fcff6d986dc67da3c6e2902f7e125af4b491338c60b2b13df0a824c5347ccff0786f13aa15ee2275f2f81389032a4ea71a4a41a3931

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aown4s2k.m2y.ps1
        Filesize

        1B

        MD5

        c4ca4238a0b923820dcc509a6f75849b

        SHA1

        356a192b7913b04c54574d18c28d46e6395428ab

        SHA256

        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

        SHA512

        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpBEBC.tmp.bat
        Filesize

        151B

        MD5

        88d134df3eecef1856d634cee9947267

        SHA1

        8761fcc8dd9a47ca1f777d9da08fd5fad7c8eae4

        SHA256

        c113d1dbc7503348405fbc8f4221710502667178ab5b7b7e6e7938e7f6c718e0

        SHA512

        1a5291006630169f2457cc041b1782cfaeee42ab93960b579866c2f7e7da350b3cb1628f6ea8d7924c0394e39c0a40fec3bcdc15e34ddb465ef7723233092451

        Download Submit
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        1.7MB

        MD5

        48154d5b444c7e235da7be4a0f2ade3a

        SHA1

        57c00c9f26309b28bd4f725adbe2db10dce979e2

        SHA256

        8936302e7140a879dc4ea137692a370f5876b9ccd1a63b9f1d930456b3338ba8

        SHA512

        9e3bf380bb417ca7ae7b5a0986fa3fb1f99dc0d93329557adc17895f273e6bb98e2926ed671c4b566a7c024a15aec58ec575b7c622ed2fb020a49a9c05e2ae45

        Download Submit
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        1.7MB

        MD5

        48154d5b444c7e235da7be4a0f2ade3a

        SHA1

        57c00c9f26309b28bd4f725adbe2db10dce979e2

        SHA256

        8936302e7140a879dc4ea137692a370f5876b9ccd1a63b9f1d930456b3338ba8

        SHA512

        9e3bf380bb417ca7ae7b5a0986fa3fb1f99dc0d93329557adc17895f273e6bb98e2926ed671c4b566a7c024a15aec58ec575b7c622ed2fb020a49a9c05e2ae45

        Download Submit
      • memory/424-5-0x0000000002A20000-0x0000000002A3A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/424-11-0x0000000072D40000-0x000000007342E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/424-4-0x0000000005340000-0x000000000549E000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/424-0-0x00000000006B0000-0x0000000000874000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/424-3-0x0000000005330000-0x0000000005340000-memory.dmp
        Filesize

        64KB

        Download
      • memory/424-2-0x0000000005170000-0x000000000520C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/424-1-0x0000000072D40000-0x000000007342E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/784-29-0x0000000072D40000-0x000000007342E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/784-20-0x0000000000400000-0x0000000000548000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/784-47-0x0000000072D40000-0x000000007342E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/784-31-0x0000000009690000-0x00000000096A0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/784-32-0x0000000009510000-0x0000000009654000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2836-17-0x0000000006900000-0x0000000006DFE000-memory.dmp
        Filesize

        5.0MB

        Download
      • memory/2836-16-0x0000000006200000-0x0000000006300000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2836-26-0x0000000072D40000-0x000000007342E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2836-15-0x0000000072D40000-0x000000007342E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3448-337-0x0000000007010000-0x0000000007020000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3448-52-0x0000000007010000-0x0000000007020000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3448-504-0x00000000071E0000-0x00000000071E8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/3448-532-0x0000000072D40000-0x000000007342E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3448-49-0x0000000072D40000-0x000000007342E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3448-50-0x0000000007010000-0x0000000007020000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3448-285-0x0000000007010000-0x0000000007020000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3448-495-0x00000000071F0000-0x000000000720A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3448-244-0x0000000072D40000-0x000000007342E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3448-107-0x0000000009A30000-0x0000000009AC4000-memory.dmp
        Filesize

        592KB

        Download
      • memory/3448-106-0x0000000007010000-0x0000000007020000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3448-93-0x0000000074D80000-0x0000000074DCB000-memory.dmp
        Filesize

        300KB

        Download
      • memory/3448-103-0x0000000009850000-0x00000000098F5000-memory.dmp
        Filesize

        660KB

        Download
      • memory/3448-91-0x000000007EAB0000-0x000000007EAC0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4380-21-0x0000000072D40000-0x000000007342E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/4380-92-0x0000000008AC0000-0x0000000008ADE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4380-96-0x000000007F130000-0x000000007F140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4380-89-0x0000000074D80000-0x0000000074DCB000-memory.dmp
        Filesize

        300KB

        Download
      • memory/4380-90-0x0000000072D40000-0x000000007342E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/4380-88-0x0000000008AE0000-0x0000000008B13000-memory.dmp
        Filesize

        204KB

        Download
      • memory/4380-104-0x0000000006700000-0x0000000006710000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4380-105-0x0000000006700000-0x0000000006710000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4380-55-0x0000000007C70000-0x0000000007CE6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/4380-54-0x0000000007940000-0x000000000798B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/4380-53-0x0000000007800000-0x000000000781C000-memory.dmp
        Filesize

        112KB

        Download
      • memory/4380-51-0x00000000074B0000-0x0000000007800000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4380-45-0x0000000006CD0000-0x0000000006D36000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4380-44-0x0000000006BF0000-0x0000000006C56000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4380-39-0x0000000006A50000-0x0000000006A72000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4380-30-0x0000000006D40000-0x0000000007368000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/4380-27-0x0000000006700000-0x0000000006710000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4380-535-0x000000007F130000-0x000000007F140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4380-25-0x0000000004120000-0x0000000004156000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4380-538-0x0000000072D40000-0x000000007342E000-memory.dmp
        Filesize

        6.9MB

        Download