Overview

overview

10

Static

static

3

2581a2a35a...a1.exe

windows7-x64

10

2581a2a35a...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    14/11/2023, 19:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe

  • Size

    2.0MB

  • MD5

    9fd909b9252da347edb2c71b1c75dbb9

  • SHA1

    cfbcf7181f4abe9a747aaad432cc32655a1d764e

  • SHA256

    2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1

  • SHA512

    b7b7f1036471d1f24836ca206b44c7cf07d2168e62fab276615a1876f894573eff38544c504ff182f206df8c483c5a30dcf7752bf94babececf6337aa122a0c6

  • SSDEEP

    12288:dTgvmzFHi0mo5aH0qMzd5807FUJV1PJQPDHvd:dTgvOHi0mGaH0qSdPFUJh4V

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 26 IoCs
    persistence
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 39 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
    "C:\Users\Admin\AppData\Local\Temp\2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2136
    • C:\Users\Admin\AppData\Local\Temp\pryzjo.exe
      "C:\Users\Admin\AppData\Local\Temp\pryzjo.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:3004
    • C:\Users\Admin\AppData\Local\Temp\pryzjo.exe
      "C:\Users\Admin\AppData\Local\Temp\pryzjo.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • System policy modification
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\onrpwyafeirzedrshwqptryac.gkt
    Filesize

    280B

    MD5

    5f6a00f418d89712b94a33df1393e8dc

    SHA1

    d309db6432e6ce955182d2b168beda18003e911d

    SHA256

    c7f60dc7c6a8a5a37c5a09ff1fb852ffb75296eb1484ce8a4deebe0052da369c

    SHA512

    cfe4b4d70571be854d687d40051b868b22b054d562c840480ceb5fb8b2a778951503a6963317ee7f9036166f43ccaf839d9de9b468c91aa394a1d88d5d6d7873

    Download Submit

  • C:\Program Files (x86)\onrpwyafeirzedrshwqptryac.gkt
    Filesize

    280B

    MD5

    175970d5fd26ae32d79ac91172ef563e

    SHA1

    047f66914ae29a8449d8238db454bd11e1dbb2e0

    SHA256

    29037d81ad3411ed9d05a7360b5695b4c6006eefe50fd00891e1886b0dc23577

    SHA512

    8b5538fdbcc24c61ca26a6cea1f627061ab054e2d78fbfb1c724764402fba40b4006952f0c8c114aeef3a9510912897ac25064b98fde07fda8bc49163485738a

    Download Submit

  • C:\Program Files (x86)\onrpwyafeirzedrshwqptryac.gkt
    Filesize

    280B

    MD5

    ddaec7b076a37d2a2f582dabf973f5eb

    SHA1

    5a6eb8690476c5cd46b79a09383dd43988ca3664

    SHA256

    e8df0b0a5fed31a42f75a9a2cc44ed6cce4445325b5599715722a1b37807dbc0

    SHA512

    a8b01a5b32ae6ec9d172e220c1a17afa58f6405c4c1d2a426958bef985c953516cf3370212b78f8a898bcc4d03cc09c409c372296d46e77dfb7987e89d083b4a

    Download Submit

  • C:\Program Files (x86)\onrpwyafeirzedrshwqptryac.gkt
    Filesize

    280B

    MD5

    9b265e577d2b34c0823649486c8cec3d

    SHA1

    fed7d103af758a8148e5dc80ee69cc1ae114622a

    SHA256

    bb36bcc0d89a9c1508b7cbd056007a0408fb938f3a088807963f83acb16b2811

    SHA512

    da6a0692a253146d112409db23d11c172321abdaded86edf5b8fba508c75973165d6d5d204fc4117fc03d0e784e5816b5ec0d34cb138e6b32ac7ae0447dea8f2

    Download Submit

  • C:\Program Files (x86)\onrpwyafeirzedrshwqptryac.gkt
    Filesize

    280B

    MD5

    e26d3be020655e28c1c3dee628ca3c79

    SHA1

    ec452c4f6498501a46b397630d491f44e573a578

    SHA256

    ac9477d3bfeb8085cd8ad6b9ca0e837f45f6879590ac153cca2425fc26a699ce

    SHA512

    0815c18e1e28b1f887cf1824d079f05971ea8daa92b1ef9bcc0b7db7b02cb39520f22317bbec35d091feb52044ad14be3fbdaa10544a92089eab758b7b114fb3

    Download Submit

  • C:\Program Files (x86)\onrpwyafeirzedrshwqptryac.gkt
    Filesize

    280B

    MD5

    32e1b70a0d85602f185883d2877b76f3

    SHA1

    364e029f6b8e69a1ca85c7a4aa38200523219b16

    SHA256

    22c3d9bdf309c736f260088e4c1a75dee887a0651850dc9bd446cba49c70739e

    SHA512

    66f48a66a402a040d8703abd53495192db59517862708442fb9bfa38d7c84b53d97ed1c5d10d0d0d292718078976609cdb96a9b47c7b832ed7947fffe1df413c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pryzjo.exe
    Filesize

    3.0MB

    MD5

    0ed4e06e4261f37df3dfd9ff2a33f966

    SHA1

    a3070cec09d1ddaf17fd9cd42ca3cc19b43cfbda

    SHA256

    ed0c585185ee383201b1f467234b8ae40ba253d44b78d47d288042dda6420420

    SHA512

    64f88d1abee79e744ae9e5934e8483179bcfffd0c53f02c1baae8027035ec8c1d7636820ca231efd0d07443fea768fbba0431a7ceb5626aba8751f4b900d1aa8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pryzjo.exe
    Filesize

    3.0MB

    MD5

    0ed4e06e4261f37df3dfd9ff2a33f966

    SHA1

    a3070cec09d1ddaf17fd9cd42ca3cc19b43cfbda

    SHA256

    ed0c585185ee383201b1f467234b8ae40ba253d44b78d47d288042dda6420420

    SHA512

    64f88d1abee79e744ae9e5934e8483179bcfffd0c53f02c1baae8027035ec8c1d7636820ca231efd0d07443fea768fbba0431a7ceb5626aba8751f4b900d1aa8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pryzjo.exe
    Filesize

    3.0MB

    MD5

    0ed4e06e4261f37df3dfd9ff2a33f966

    SHA1

    a3070cec09d1ddaf17fd9cd42ca3cc19b43cfbda

    SHA256

    ed0c585185ee383201b1f467234b8ae40ba253d44b78d47d288042dda6420420

    SHA512

    64f88d1abee79e744ae9e5934e8483179bcfffd0c53f02c1baae8027035ec8c1d7636820ca231efd0d07443fea768fbba0431a7ceb5626aba8751f4b900d1aa8

    Download Submit

  • C:\Users\Admin\AppData\Local\onrpwyafeirzedrshwqptryac.gkt
    Filesize

    280B

    MD5

    d9d25dbe9d2ef0660e6d53573bb90002

    SHA1

    fbb8c9ff8f70847fb6b3337e96cf737dbd9e05c4

    SHA256

    a3c0b9c3f3ce569b545e30656302317635de1627262d64ff4bf012b964bad8d9

    SHA512

    b1bdef6990f2d9b915bf3214248a2d4541e607af608451b487f080bb297819a85202095cec6a1a3ac69b6b243bce6608a25c379846118c4331a27495d457db0e

    Download Submit

  • C:\Users\Admin\AppData\Local\onrpwyafeirzedrshwqptryac.gkt
    Filesize

    280B

    MD5

    4827e810843ab5b3f37557f9b7551e6a

    SHA1

    764e877d9fd9e693fdee43bebe9c6e6889a34366

    SHA256

    687f491a6963f0063e2b3a77efe8f3efc59fb4380151d4a5268816263536bdcc

    SHA512

    154071130b9de7a04d4b7c8a7f9d0eecb7e71a84eb701f0e620ce25bb80beddf55c356aacefdd1fb68aebe3a062e4d426e15a00c1ca3dba75fe0156d8789dcf3

    Download Submit

  • C:\Users\Admin\AppData\Local\tdsbtgtjticvlvuggglvktlylblaundnmyyy.ncl
    Filesize

    4KB

    MD5

    b381f4eda058fc49bdef251a0100d8cb

    SHA1

    7e3f5b526248c0e6a392744edc62c5b3599e6481

    SHA256

    f2e305bfc9afca6b0d09a2471f7acf5ec99095559f2e8dfd03d06d2bf1bb9e10

    SHA512

    fbac5c47e8448751dcf5cbc8cdbe15b82d73674bf7041ebcb09e52a5b0dd46cd76d8f92d58518f83d7c00fc64ae4bf7121a5b2c6a55587305d1a78c78a642a09

    Download Submit

  • \Users\Admin\AppData\Local\Temp\pryzjo.exe
    Filesize

    3.0MB

    MD5

    0ed4e06e4261f37df3dfd9ff2a33f966

    SHA1

    a3070cec09d1ddaf17fd9cd42ca3cc19b43cfbda

    SHA256

    ed0c585185ee383201b1f467234b8ae40ba253d44b78d47d288042dda6420420

    SHA512

    64f88d1abee79e744ae9e5934e8483179bcfffd0c53f02c1baae8027035ec8c1d7636820ca231efd0d07443fea768fbba0431a7ceb5626aba8751f4b900d1aa8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\pryzjo.exe
    Filesize

    3.0MB

    MD5

    0ed4e06e4261f37df3dfd9ff2a33f966

    SHA1

    a3070cec09d1ddaf17fd9cd42ca3cc19b43cfbda

    SHA256

    ed0c585185ee383201b1f467234b8ae40ba253d44b78d47d288042dda6420420

    SHA512

    64f88d1abee79e744ae9e5934e8483179bcfffd0c53f02c1baae8027035ec8c1d7636820ca231efd0d07443fea768fbba0431a7ceb5626aba8751f4b900d1aa8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\pryzjo.exe
    Filesize

    3.0MB

    MD5

    0ed4e06e4261f37df3dfd9ff2a33f966

    SHA1

    a3070cec09d1ddaf17fd9cd42ca3cc19b43cfbda

    SHA256

    ed0c585185ee383201b1f467234b8ae40ba253d44b78d47d288042dda6420420

    SHA512

    64f88d1abee79e744ae9e5934e8483179bcfffd0c53f02c1baae8027035ec8c1d7636820ca231efd0d07443fea768fbba0431a7ceb5626aba8751f4b900d1aa8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\pryzjo.exe
    Filesize

    3.0MB

    MD5

    0ed4e06e4261f37df3dfd9ff2a33f966

    SHA1

    a3070cec09d1ddaf17fd9cd42ca3cc19b43cfbda

    SHA256

    ed0c585185ee383201b1f467234b8ae40ba253d44b78d47d288042dda6420420

    SHA512

    64f88d1abee79e744ae9e5934e8483179bcfffd0c53f02c1baae8027035ec8c1d7636820ca231efd0d07443fea768fbba0431a7ceb5626aba8751f4b900d1aa8

    Download Submit