Overview

overview

10

Static

static

3

44dc942677...93.exe

windows7-x64

10

44dc942677...93.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    159s
  • max time network
    171s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    14/11/2023, 18:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44dc942677e75933760dd468f991484daa89de0d4ba93b7564a19c9fe3bd5993.exe

  • Size

    320KB

  • MD5

    9b861f6866eff9136f10a9c87509ed5b

  • SHA1

    151af021a3e1e1425c25df510144d908b07c416b

  • SHA256

    44dc942677e75933760dd468f991484daa89de0d4ba93b7564a19c9fe3bd5993

  • SHA512

    ee5f0914745b29a76b81f9ffebafe0194f7309982d5dc8b0d60971a4e4dfca35f582b6204171979ce6354900f7169750358858c9d629a2a5a9f510f7690f8920

  • SSDEEP

    6144:gTwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqR:uXgvmzFHi0mo5aH0qMzd5807FRPJQPDV

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 30 IoCs
    persistence
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 39 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\44dc942677e75933760dd468f991484daa89de0d4ba93b7564a19c9fe3bd5993.exe
    "C:\Users\Admin\AppData\Local\Temp\44dc942677e75933760dd468f991484daa89de0d4ba93b7564a19c9fe3bd5993.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2540
    • C:\Users\Admin\AppData\Local\Temp\vfnuxks.exe
      "C:\Users\Admin\AppData\Local\Temp\vfnuxks.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:2600
    • C:\Users\Admin\AppData\Local\Temp\vfnuxks.exe
      "C:\Users\Admin\AppData\Local\Temp\vfnuxks.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • System policy modification
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\ybccyeffcxfrkguqjnybcc.eff
    Filesize

    280B

    MD5

    f2de69eb1ca5fa21f12be4d1e374d935

    SHA1

    9f667a31fc6a0a2bf81ba000d5258a2bc4425b8b

    SHA256

    386d08cd56d90b4b2d3ee35d91131c6a9154a13990ab4cd46303a15164c4e585

    SHA512

    003e277f7beee3a5b61932b4ad9ee7573949699b7f49dbeabe20eda4a510a79cebea0666b281094e1aeba512d543562c5d943aec191f436d5cfc1dff6cea12bd

    Download Submit

  • C:\Program Files (x86)\ybccyeffcxfrkguqjnybcc.eff
    Filesize

    280B

    MD5

    082e7eb272a297c775273863c3d90c57

    SHA1

    9bc40fb144ffa1581cf773218ed6fddb884cb9f3

    SHA256

    407908921c67fad2bcb11c29c0ddc5db81a084439b848e9da9847414d19f7252

    SHA512

    5e72ce25515dbc69d2ffa275b9dfac66d439861313d5d18274b8e0d4c2b9634e31811e7ae9bf11f14eb958291dd330cac2bf064ef1b4425a525b1e636d548ed5

    Download Submit

  • C:\Program Files (x86)\ybccyeffcxfrkguqjnybcc.eff
    Filesize

    280B

    MD5

    3e1f3776dfae342e1ed6609ec55b20bd

    SHA1

    5a5fa84d76052c8ec85b028fd988af74d7b88c80

    SHA256

    c7dd9bff3e3f69c332562c78b1b5352a4880fc35eb304a56ca8a76e01c39c536

    SHA512

    5b76fac1b9dc2e75b6cc20fe1df4b6370814070e898f3a7db9b9df16658592a2591b021419074a3661f0251f97856c1bd9bf1c647478443d8d9c4c72a662cc30

    Download Submit

  • C:\Program Files (x86)\ybccyeffcxfrkguqjnybcc.eff
    Filesize

    280B

    MD5

    d2961c6b15f8164d2087943aaf31403f

    SHA1

    c8ef2a93b1ceebf04e2343c189e59f933cd649c3

    SHA256

    96786ce35cb02ba436bcce7baa8d84ad328127347c4b58c0a4dcb0462c79a409

    SHA512

    b6270b5596128f72c858d2caf7774131fe9e184eb8278d5d20f6cda49ea8cab76cd1529476e789bd2911327bbf5b9ee398f4ac55de44cff0774e39d6b374229b

    Download Submit

  • C:\Program Files (x86)\ybccyeffcxfrkguqjnybcc.eff
    Filesize

    280B

    MD5

    7ab41b96f41fe225bac7a98f45efca3f

    SHA1

    c71ecf7214f87d001694022f224b4db70c8842ec

    SHA256

    dc708c305c730a6f3dc5f96a520ed17c55bd903dc803d6dfbf6288428ce4dd75

    SHA512

    8672ddc84b811084aa6a4c6cdfd99bc83967b62b2bf4f1bb9c9d4574b1f08280d7c340df189013c06ee69b91301ed48e7c81aed09f7aba69c213ad36de3cc404

    Download Submit

  • C:\Program Files (x86)\ybccyeffcxfrkguqjnybcc.eff
    Filesize

    280B

    MD5

    e22a8c13aaddb80f38bbfdd8e7f3311d

    SHA1

    7587079f21bcb653b19e7620e0cce2c5a3c8f28c

    SHA256

    477596cd865715e8cbb14a2e53ebc2f66181a26bb48edd47199d9fdf98f35b73

    SHA512

    6edd485379cf41a289dc2cbe108068a97419f52911771c7c39eaf3f3fadeb1383aa3118c49af2073c98612fc47a55ba2a31b0784aa9e23d27e31da70415bb19d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vfnuxks.exe
    Filesize

    700KB

    MD5

    23a5acb1fa6a686b4fb90c7ea31f8462

    SHA1

    a5c9612b9c50b4c2141a71907d388ab547dfcc0b

    SHA256

    f7138e4df80c0059bea65f9fde7089157d6b86185b36d902f06ff782867f77ba

    SHA512

    2bd8665527112e3938909a4a6e1a0f553a189e13de67023cb07b89d33da96fd0006beab22c7efed57c20cfcfac5c80837aff1fa64afbffcb50a247da3921e91d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vfnuxks.exe
    Filesize

    700KB

    MD5

    23a5acb1fa6a686b4fb90c7ea31f8462

    SHA1

    a5c9612b9c50b4c2141a71907d388ab547dfcc0b

    SHA256

    f7138e4df80c0059bea65f9fde7089157d6b86185b36d902f06ff782867f77ba

    SHA512

    2bd8665527112e3938909a4a6e1a0f553a189e13de67023cb07b89d33da96fd0006beab22c7efed57c20cfcfac5c80837aff1fa64afbffcb50a247da3921e91d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vfnuxks.exe
    Filesize

    700KB

    MD5

    23a5acb1fa6a686b4fb90c7ea31f8462

    SHA1

    a5c9612b9c50b4c2141a71907d388ab547dfcc0b

    SHA256

    f7138e4df80c0059bea65f9fde7089157d6b86185b36d902f06ff782867f77ba

    SHA512

    2bd8665527112e3938909a4a6e1a0f553a189e13de67023cb07b89d33da96fd0006beab22c7efed57c20cfcfac5c80837aff1fa64afbffcb50a247da3921e91d

    Download Submit

  • C:\Users\Admin\AppData\Local\pdpahykvdjczdkjqujftfqxoaltzsptaz.kzv
    Filesize

    4KB

    MD5

    f2648cebb98ea39993b519800c2e3be8

    SHA1

    463ec241254d35c309285049567824efdc2fcf09

    SHA256

    ca0d10fee7552651b6e74d37c54d2a8754c5f6ec333c69970e42da1326a76d19

    SHA512

    cdf9a65eededdbc02cf28b6456868cf2ca970d7d5e1937fdd8a9eb1cce9aec461d6c7e5c82650369e30669c8cb5897bc549aec1bfad57aefd5fcff04d1533ffe

    Download Submit

  • C:\Users\Admin\AppData\Local\ybccyeffcxfrkguqjnybcc.eff
    Filesize

    280B

    MD5

    e43e2ee0e77a837d489d4648c10978a0

    SHA1

    5fa3d257c48796523796329e1139f78122be2e75

    SHA256

    72415ea6cc04d301935acfaa894a11f0d96162d5c4799e8f8b2c391423b85d4f

    SHA512

    e1d5690b04a3bfcc29725381c57e2f13c6115b84be21151ceebc05ad36f84389808174bd56995507d9a3d9a3f48b26dea4b1324f3b9f112c410838875c045906

    Download Submit

  • C:\Users\Admin\AppData\Local\ybccyeffcxfrkguqjnybcc.eff
    Filesize

    280B

    MD5

    246b1da5ea4313f8ee6d08f78a099fe4

    SHA1

    099eac75fbe13b3414fa77cbcf3c4ea4a724aaa6

    SHA256

    f7b6572e423452e2beb0b19d95a77cdd1fedde90cefa09d4c4aba508c84fb7a1

    SHA512

    1342dc7481ddc5ef383da3f4dd0cab090a0f4cd2215e9b3816227df1c8a3867f01b89d6e5f44d5bf8cd2ed0320e20d4098d9d517564d86acf607938a2da0a8e1

    Download Submit

  • \Users\Admin\AppData\Local\Temp\vfnuxks.exe
    Filesize

    700KB

    MD5

    23a5acb1fa6a686b4fb90c7ea31f8462

    SHA1

    a5c9612b9c50b4c2141a71907d388ab547dfcc0b

    SHA256

    f7138e4df80c0059bea65f9fde7089157d6b86185b36d902f06ff782867f77ba

    SHA512

    2bd8665527112e3938909a4a6e1a0f553a189e13de67023cb07b89d33da96fd0006beab22c7efed57c20cfcfac5c80837aff1fa64afbffcb50a247da3921e91d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\vfnuxks.exe
    Filesize

    700KB

    MD5

    23a5acb1fa6a686b4fb90c7ea31f8462

    SHA1

    a5c9612b9c50b4c2141a71907d388ab547dfcc0b

    SHA256

    f7138e4df80c0059bea65f9fde7089157d6b86185b36d902f06ff782867f77ba

    SHA512

    2bd8665527112e3938909a4a6e1a0f553a189e13de67023cb07b89d33da96fd0006beab22c7efed57c20cfcfac5c80837aff1fa64afbffcb50a247da3921e91d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\vfnuxks.exe
    Filesize

    700KB

    MD5

    23a5acb1fa6a686b4fb90c7ea31f8462

    SHA1

    a5c9612b9c50b4c2141a71907d388ab547dfcc0b

    SHA256

    f7138e4df80c0059bea65f9fde7089157d6b86185b36d902f06ff782867f77ba

    SHA512

    2bd8665527112e3938909a4a6e1a0f553a189e13de67023cb07b89d33da96fd0006beab22c7efed57c20cfcfac5c80837aff1fa64afbffcb50a247da3921e91d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\vfnuxks.exe
    Filesize

    700KB

    MD5

    23a5acb1fa6a686b4fb90c7ea31f8462

    SHA1

    a5c9612b9c50b4c2141a71907d388ab547dfcc0b

    SHA256

    f7138e4df80c0059bea65f9fde7089157d6b86185b36d902f06ff782867f77ba

    SHA512

    2bd8665527112e3938909a4a6e1a0f553a189e13de67023cb07b89d33da96fd0006beab22c7efed57c20cfcfac5c80837aff1fa64afbffcb50a247da3921e91d

    Download Submit