9080cc2e284d68e776957ad12e86455458ead9ba34d8afebe7ee2cc5a7514c05

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9080cc2e284d68e776957ad12e86455458ead9ba34d8afebe7ee2cc5a7514c05.dll
Size

73KB
MD5

82eae0084a91983e3730b537982b0d82
SHA1

8dc1e8c5957bd1089036b5c0f5b6ba7ebe227354
SHA256

9080cc2e284d68e776957ad12e86455458ead9ba34d8afebe7ee2cc5a7514c05
SHA512

823e9a51c6109d1e0d2e561043694694a7657ee2d663059973a1cad3cb6be2e687a8cab2bfe436bc8762d228c878951c5784e2868a2f4325b2999071b6aabd27
SSDEEP

1536:awsdCFnE4Nz1/SXPtpoprAeDYxUfGYhK5O:awsAik1a4pGYhK5O

Score

10^/10

evasion trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	EfRYBBd.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
26	2100	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
688	EfRYBBd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000022ce2-10.dat	upx
behavioral1/files/0x0008000000022ce2-16.dat	upx
behavioral1/memory/688-18-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/files/0x0008000000022ce2-17.dat	upx
behavioral1/memory/688-58-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2100	rundll32.exe
2100	rundll32.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
688	EfRYBBd.exe
688	EfRYBBd.exe
688	EfRYBBd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2100	1228	rundll32.exe	86
PID 1228 wrote to memory of 2100	1228	rundll32.exe	86
PID 1228 wrote to memory of 2100	1228	rundll32.exe	86
PID 2100 wrote to memory of 688	2100	rundll32.exe	96
PID 2100 wrote to memory of 688	2100	rundll32.exe	96
PID 2100 wrote to memory of 688	2100	rundll32.exe	96
PID 688 wrote to memory of 3568	688	EfRYBBd.exe	99
PID 688 wrote to memory of 3568	688	EfRYBBd.exe	99
PID 688 wrote to memory of 3568	688	EfRYBBd.exe	99

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	EfRYBBd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9080cc2e284d68e776957ad12e86455458ead9ba34d8afebe7ee2cc5a7514c05.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9080cc2e284d68e776957ad12e86455458ead9ba34d8afebe7ee2cc5a7514c05.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Public\Music\04gaTU\EfRYBBd.exe
    "C:\Users\Public\Music\04gaTU\EfRYBBd.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo.>c:\xxxx.ini
      4⤵
      PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG

Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Public\Music\04gaTU\Edge.jpg

Filesize
358KB

MD5
d76fadee79037b9c2d4895b951bf1ab2

SHA1
487f48958ad6186e7a3e7a2170ae1e60519e31fb

SHA256
c7cafde659ffe885b920d328b8c3fa48f11b1a27b3f32407dc0bd4136f01ef96

SHA512
60a5ee50dc4ea4b42fab0a832b3896c36e1b87b82eccd1395d72a966e7e96bfa855ab6a4d974ec69e28bdf2f250d75605f38ba9693fd0fa92f5659bbbbc51a6a

Download Submit
C:\Users\Public\Music\04gaTU\EfRYBBd.dat

Filesize
132KB

MD5
e2ae01ffcd50d0ba3a1d28b6d4107abe

SHA1
0bf3f51b4e058edb714592ac986d8202111e8a4b

SHA256
acb2266f817b21480c8ebfa39657d5459641b04bc5093125ed3dfef574fb9869

SHA512
76a3db7717b88fea1e58b9d51293907c065c11fad8f0add2457b6ad1cae5e98dbf7f7a8f08ea02e7d5b1a629a607620976b96fcacddf82758b6f7142286d759e

Download Submit
C:\Users\Public\Music\04gaTU\EfRYBBd.exe

Filesize
525KB

MD5
be59f9aeb601cc85d3a7acb0aaed87df

SHA1
091b8abbb014dec33e8a8cad5ad35a74cf7ca829

SHA256
0be4cea618247be2fbceb410571e5e633a7ea2448af3cad3472a1002a65ebba8

SHA512
a2473512a417ac4f55a07a7ce6c4b01c689817b8a27166fa045b27b896a89351e9353adf264ca163bffb03cef5355a1d5073b10872b523e38b94c786955cdffc

Download Submit
C:\Users\Public\Music\04gaTU\EfRYBBd.exe

Filesize
525KB

MD5
be59f9aeb601cc85d3a7acb0aaed87df

SHA1
091b8abbb014dec33e8a8cad5ad35a74cf7ca829

SHA256
0be4cea618247be2fbceb410571e5e633a7ea2448af3cad3472a1002a65ebba8

SHA512
a2473512a417ac4f55a07a7ce6c4b01c689817b8a27166fa045b27b896a89351e9353adf264ca163bffb03cef5355a1d5073b10872b523e38b94c786955cdffc

Download Submit
C:\Users\Public\Music\04gaTU\EfRYBBd.exe

Filesize
525KB

MD5
be59f9aeb601cc85d3a7acb0aaed87df

SHA1
091b8abbb014dec33e8a8cad5ad35a74cf7ca829

SHA256
0be4cea618247be2fbceb410571e5e633a7ea2448af3cad3472a1002a65ebba8

SHA512
a2473512a417ac4f55a07a7ce6c4b01c689817b8a27166fa045b27b896a89351e9353adf264ca163bffb03cef5355a1d5073b10872b523e38b94c786955cdffc

Download Submit
C:\Users\Public\Music\04gaTU\edge.xml

Filesize
76KB

MD5
c46452cabae6059a97b0a3d51b76640b

SHA1
e223be8e37e652235c87de1c68e23bb580026b69

SHA256
e5ed093694d413d608a4c080e214636ab379a9a325ebb58c24d2ed9040dcc60a

SHA512
dd7428a0f7db3697c21198e0c3aff811ce772541ac665e44cc7d0cc69b2e2881c10ee6f0c16e4ea464db6d26615b15fa6e5d4c28c32adac135d20cf97296c15f

Download Submit
memory/688-40-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/688-43-0x00000000037B0000-0x00000000037C7000-memory.dmp

Filesize
92KB

Download
memory/688-18-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/688-45-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/688-58-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/688-60-0x00000000037B0000-0x00000000037C7000-memory.dmp

Filesize
92KB

Download