Analysis

  • max time kernel: 151s
  • max time network: 154s
  • platform: windows7_x64
  • resource: win7-20231023-en
  • resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted: 14/11/2023, 18:51

General

  • Target: 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
  • Size: 7.3MB
  • MD5: 82cf1c1a6e7f52327e4a01651cb22a8d
  • SHA1: 2a57061f724bb650bd961d63cf3e93f60c158eb5
  • SHA256: 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39
  • SHA512: 89e422babe9e310e10da8c15dd8a33dbc994585b93d0265bce7e14d17cf2b7bb8f5dd5ac072cbd4d69ff0ce3ab2b3a9ec3d3ed024b70b51c1f08cb0e5605d8c4
  • SSDEEP: 12288:2XgvmzFHi0mo5aH0qMzd58c7FcquPJQPDHvd:2XgvOHi0mGaH0qSdDFcT4V

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
  • UAC bypass (3 TTPs, 12 IoCs)
  • Adds policy Run key to start application (2 TTPs, 31 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 64 IoCs)
  • Checks whether UAC is enabled (1 TTPs, 6 IoCs)
  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory (4 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)
  • System policy modification (1 TTPs, 39 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
    "C:\Users\Admin\AppData\Local\Temp\851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1164
    • C:\Users\Admin\AppData\Local\Temp\agkps.exe
      "C:\Users\Admin\AppData\Local\Temp\agkps.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:2980
    • C:\Users\Admin\AppData\Local\Temp\agkps.exe
      "C:\Users\Admin\AppData\Local\Temp\agkps.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • System policy modification
      PID:2248

Network

        Downloads

        • C:\Program Files (x86)\bcbbzefxdyejlhsqcobcbb.efx
          Filesize: 280B
          MD5: b36d16459af72b0ee089c3d52fddd22b
          SHA1: bbe8604bc9725d1e45d78dd058332722394609b6
          SHA256: b3ed0c2d5943a2be666cafcedda787f72557748aa36eb066836e2d4f2c8878c6
          SHA512: 8783334a7cadc8f1ee1aaa8e8f9859ca7cc8abb8e849ae210a0915054e61afa07c30e545d09b7167e9c2617b72d3b707c2fb5473ecec7b7b0a2cc53aff1c41e8

        • C:\Program Files (x86)\bcbbzefxdyejlhsqcobcbb.efx
          Filesize: 280B
          MD5: c969fc99d63bd48ac7b517de639efa7b
          SHA1: 81c228dc57c4d1f611b8a63a4df8ed2fe349fb43
          SHA256: 2cff85741166e34d907299dda409a86a2330cd6fa7a4e986e0fecfca2011ab75
          SHA512: 1b21e4c912ff2e39a8cefe253b509e8b6f0a9c1aafda97678accfea4df8afe69eb4295a78ea29d81a503030ecc9d7ed6c6c32cfafb2a309f8e67d9e96af91b65

        • C:\Program Files (x86)\bcbbzefxdyejlhsqcobcbb.efx
          Filesize: 280B
          MD5: b77180f6dd21f2f89498ecf6d45c036f
          SHA1: 3f91de73a9cc204536c6a0b33bab575c114ae1bc
          SHA256: 48941c95f23e2ca0d350f65850b11a6fc74d87a7cea85ddea28eb8489a1c78d8
          SHA512: d3e010c40fd82fc5bb451d545b963e30e9bfb9eb6646b26f1b35b1ecaee44e2cc8f61f3229914c0da4da7bc2e5c84f99286c590c5c9ee680172ab4a2f50297a9

        • C:\Program Files (x86)\bcbbzefxdyejlhsqcobcbb.efx
          Filesize: 280B
          MD5: 6515033da572d1dae8dc11320e34411a
          SHA1: 206da525e70befe2c0c09caaf15da2add3234778
          SHA256: 505fcb97af61525af29bd3bc82f6fead8b5df14b801d7509befe4e1800ff73b0
          SHA512: 0db418627037374b128a33c08d237e37f8fad712cf9e5d11137f49cd27e6c91972bf9368f88dc22939ce6329d6e71122e8de46f8ec791df1c127c6ae93926ecd

        • C:\Program Files (x86)\bcbbzefxdyejlhsqcobcbb.efx
          Filesize: 280B
          MD5: 0ae582f3fae8a954ba9f7ee34c3a9b7c
          SHA1: 275eefc13f7963adbff4ead0aed78713349f5d84
          SHA256: b0fef6c40eebf41328abf54f08535e3d7a5d007b1a36b4f5078b50a4cb80662f
          SHA512: c7870b988402554736b8223f7837d2985651c3d8a9e119482eb7c150bcac204986cecde2ad603770b72f5d7b9864916702ade83f80970b42dd3109e029b5e479

        • C:\Program Files (x86)\bcbbzefxdyejlhsqcobcbb.efx
          Filesize: 280B
          MD5: d425c42a94d1d3ba211751d4ab5ae2b3
          SHA1: 91537e88d1cec9379ac6959a6045a31c0affeeca
          SHA256: 22cc8690df4fd4362e1a29049c1593f217777946668b12d7cab809d1f7fd7f7a
          SHA512: cce4257e3b3a622fd8edad736b50a58a47ae4c6c1114f210002cb9c414831a28c360330bccce4e7f2dd05eaa7c70ed4a27df9bb82fb6202fb7cb479cc96ed115

        • C:\Users\Admin\AppData\Local\Temp\agkps.exe
          Filesize: 9.2MB
          MD5: e6ad4a10ecdd8e210eab680d3c9f8c9e
          SHA1: e418a690665ee25f83168012faf798f67a76015d
          SHA256: c0d0535c15f614c6c15a445baa998c543d1f40d93267a3c4a38bf84f11f181dd
          SHA512: 7b16342d6a05d5de9d1d26f462277e4309d135e87f9c585bd823d974e3a1064131cb5fe7969207c2d43c1782159bbd99b0ec54f27f590104e57b08f5a30828de

        • C:\Users\Admin\AppData\Local\bcbbzefxdyejlhsqcobcbb.efx
          Filesize: 280B
          MD5: 52020bd208269376a96a60a7adc42fec
          SHA1: 6ee83f9f0b64ec588f49e56341e0a085b544143d
          SHA256: c711dcb406139c81e73c9376f1f633f5aaee5fa206192ca2fbd6c3de377a87f6
          SHA512: b35954925834e85b6207e94ec0c891c20cd3d74169cfb045f184413a4f2d0836d77ce3706a9de82d180f785325be05d46f0b2da5ef5e2bfaa8087e0a33aa0606

        • C:\Users\Admin\AppData\Local\seoziyknekbrelhqnkiuepyoaduarhubx.day
          Filesize: 4KB
          MD5: 2f3c700d3aca0d8400dc94ff99870590
          SHA1: bb500ae18cea6a06cd40a4741711e019b8559c3d
          SHA256: 804536df9a3c221a4315fc8edaeea753195faf2caad29d81bd65cab1e7b2b106
          SHA512: 201df1e133ef96b8ad0125aa7881e687f494210a42556e18e098a3e132b548ec5aba1bc73299c7b662bbbc7863caa9224deeee9d7aed4b2763ac4233fec07d06

        • \Users\Admin\AppData\Local\Temp\agkps.exe
          Filesize: 9.2MB
          MD5: e6ad4a10ecdd8e210eab680d3c9f8c9e
          SHA1: e418a690665ee25f83168012faf798f67a76015d
          SHA256: c0d0535c15f614c6c15a445baa998c543d1f40d93267a3c4a38bf84f11f181dd
          SHA512: 7b16342d6a05d5de9d1d26f462277e4309d135e87f9c585bd823d974e3a1064131cb5fe7969207c2d43c1782159bbd99b0ec54f27f590104e57b08f5a30828de