Analysis

  • max time kernel
    186s
  • max time network
    207s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/11/2023, 19:00

General

  • Target

    1f4b313fd275795b932c52c6869f1b311c8392c958dded3de094968a454c4567.exe

  • Size

    25.4MB

  • MD5

    0f2e90e6eda60de9fb5bf4c808df3156

  • SHA1

    591f128d268b558afa9757a95126c09a77fb1da3

  • SHA256

    1f4b313fd275795b932c52c6869f1b311c8392c958dded3de094968a454c4567

  • SHA512

    43e9c68db6287f3cb1d75e8d91b525902b84f9e4d71a35b8a52fc83d37a091d5bce8eff18b6ffb7311fd2d00f290f186e1316bdc2f4f0db5da846bd9e9bea39e

  • SSDEEP

    6144:q3Be8ySm8hQAAIfFrRXuEE+0l97mKwKdwHV+86JQPDHDdx/Qtqa:P/zkFF+EExZmKbdQV+PJQPDHvd

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • UAC bypass 3 TTPs 12 IoCs
  • Adds policy Run key to start application 2 TTPs 28 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f4b313fd275795b932c52c6869f1b311c8392c958dded3de094968a454c4567.exe
    "C:\Users\Admin\AppData\Local\Temp\1f4b313fd275795b932c52c6869f1b311c8392c958dded3de094968a454c4567.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2596
    • C:\Users\Admin\AppData\Local\Temp\nnzelm.exe
      "C:\Users\Admin\AppData\Local\Temp\nnzelm.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:2636
    • C:\Users\Admin\AppData\Local\Temp\nnzelm.exe
      "C:\Users\Admin\AppData\Local\Temp\nnzelm.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • System policy modification
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\ezggiemkkpcwtifzevqxxzv.bbg

    Filesize

    272B

    MD5

    be543f50112758eabd58daaff9a9dc36

    SHA1

    8cecbf11392fadf35631a39eaaf3ebe477a158f4

    SHA256

    25e27e6e17406fd6e0aef91e4e018ff96566a4a0a9607e38fa4be8bf830e44ab

    SHA512

    ea5c0d110e5e3af614795b610611c497e1d4481cbf4720f5ce729c8f19f2772f6014a5ad5058399d459447ab72773d603a9fc4da73e6401d3f49d9cdcd2c117e

  • C:\Program Files (x86)\ezggiemkkpcwtifzevqxxzv.bbg

    Filesize

    272B

    MD5

    43fcca30f06a5b3643da13c81665ae4f

    SHA1

    ad72072285a917ba8023531f61212b3e40d686ca

    SHA256

    f8b343250f5293d95b0fbd78c7eab30d666d944a68c4ea861806813c53a460aa

    SHA512

    f32f82c767d893da420a2e17e65bb3476e456e9b0e5bf5bfe2538ab46feea787441847e3fa2a01491126099a26d3181c73672557c0f56cde7c7cf0047fac4992

  • C:\Program Files (x86)\ezggiemkkpcwtifzevqxxzv.bbg

    Filesize

    272B

    MD5

    14d0952bc4cf7c0d1129f84a85a470f1

    SHA1

    9f9de28c84774ad6178eb60ea45688b28baf78dd

    SHA256

    2a10909b17e25c31d4ad3fa504ef24fab363f85de6cbd9eafcc71b9077a830fc

    SHA512

    741f2449631cb91e728cfd459890dc64eccda950c5390bf40832079d5c3bdf7da3509aad30e0077b35e5fca4b22e18d09ae3b64875b5a2ed07e94dc0a0f57dee

  • C:\Program Files (x86)\ezggiemkkpcwtifzevqxxzv.bbg

    Filesize

    272B

    MD5

    cf17a9c8546a85f840a24c49b9202a26

    SHA1

    175e6b60b8612e833fed438d5787469138f5c213

    SHA256

    bcd17e48c85d85b7b3ed7925a0d687ecdc5840019f4f03b6cc77edaf47a91b29

    SHA512

    491ce2cf092dcfbad2b1568b9c50df25385684e363e9f71227def934d0733e186128e34e9fe6d12d1880dc790ac80881cb3124336145806e2a3d10c7a29da27b

  • C:\Program Files (x86)\ezggiemkkpcwtifzevqxxzv.bbg

    Filesize

    272B

    MD5

    e4dd9750e045ba56327fca42067a519f

    SHA1

    dda26335150bde68065fbc75c502a5518f373e52

    SHA256

    00f5d8abe8457ea8357b19548fa066f60130dececc578d4269f355633177b54b

    SHA512

    c45ae2a5dc5f628693dc7d74d492412d534c462c29a3fa57ea90c94109a8e9205fe53bb7315b785a19a07f3ebf12571cb48a10ec271246da1e1799c856e109a4

  • C:\Users\Admin\AppData\Local\Temp\nnzelm.exe

    Filesize

    29.1MB

    MD5

    0687361c515e8ae08e091aea279794ae

    SHA1

    961bcfa1840a861b81e5607fa46a2c57d60ae520

    SHA256

    ab9ad5cfab813e2bd6fe82db812cbfc0d9ef4ab9601435381237cd5823f3ec5c

    SHA512

    42ae11f444fa7e06e0fc3125570b7929e1b7baa65d6f617735ec5c6f3993f1888625438612c1c63100a504a9a6b13789c59694f9bc601503205df38d8bb4b68f

  • C:\Users\Admin\AppData\Local\ezggiemkkpcwtifzevqxxzv.bbg

    Filesize

    272B

    MD5

    22d879f07acd62f45ea52ef74112f06d

    SHA1

    755582dddb709ddb81def55b8751a168b41bd050

    SHA256

    e7d54192b288bfac63385b4d7c68f741ed91ff00b8018c734031a227d9ff00e4

    SHA512

    0960c92a97048f76c9becf4b75feeaf1060f34a822bfe08138ec3e09935f32bef44da3afbcb2e623fa8ecf0f49051ff242c2f18962f37fe8be5be05179d493fb

  • C:\Users\Admin\AppData\Local\rxpanunwhxvaiiqvlntlwjqjsdtrweemrh.phs

    Filesize

    3KB

    MD5

    15c5294371f5e424c939f341e67c6b4c

    SHA1

    77276244bed0293cb6f550fcdc2e587c61dc964d

    SHA256

    bd1f0e35a457847b62a2b74f6bc3b0f8d9ee6fb841a1eb6cfe24e87dbf380347

    SHA512

    30017289c1f5484720ea01b91b226244d83d2223e1f4339af7ddef91deb9094e880a7c344184e607fd72bc1a84b88d0bcf56fb4eecc61d47fd4f22734e65d18d

  • \Users\Admin\AppData\Local\Temp\nnzelm.exe

    Filesize

    29.1MB

    MD5

    0687361c515e8ae08e091aea279794ae

    SHA1

    961bcfa1840a861b81e5607fa46a2c57d60ae520

    SHA256

    ab9ad5cfab813e2bd6fe82db812cbfc0d9ef4ab9601435381237cd5823f3ec5c

    SHA512

    42ae11f444fa7e06e0fc3125570b7929e1b7baa65d6f617735ec5c6f3993f1888625438612c1c63100a504a9a6b13789c59694f9bc601503205df38d8bb4b68f
