Overview

overview

10

Static

static

3

6bda5cd4cc...ba.exe

windows7-x64

10

6bda5cd4cc...ba.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    180s
  • max time network
    202s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2023 19:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe

  • Size

    3.2MB

  • MD5

    0743446261cd62ae7d2045f0afe83720

  • SHA1

    445af0099c6c494da6d901fd5d0ef11d5a9d2fdd

  • SHA256

    6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba

  • SHA512

    b790d765eb5257302854ec3d1be5a5c6080d550a8a0c3980cdf96a18b1496b6512e191b212b73bd318d009b25bb8032ee4bbe1f0bf47560c48b61971c56a52d2

  • SSDEEP

    6144:n3ue8ySm8hQAAIfFrRXuEE+0l97mKwKUoqHVbV86JQPDHDdx/Qtqa:V/zkFF+EExZmKbUouV5PJQPDHvd

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 27 IoCs
    persistence
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 39 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
    "C:\Users\Admin\AppData\Local\Temp\6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2656
    • C:\Users\Admin\AppData\Local\Temp\xehqt.exe
      "C:\Users\Admin\AppData\Local\Temp\xehqt.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:2660
    • C:\Users\Admin\AppData\Local\Temp\xehqt.exe
      "C:\Users\Admin\AppData\Local\Temp\xehqt.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • System policy modification
      PID:2436

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\ouwegnqqzfvsskkhpekmuwdggp.lii
    Filesize

    272B

    MD5

    3b2cd4eeb17a67b7c974daa365ecfb42

    SHA1

    5de0fcdd341d65ca4050acb09c6152e013c8b15b

    SHA256

    bc54a34c7118d8d0b29151631736a057408aea99a4732539fbeeeb8fa4938cd0

    SHA512

    847321d0f60ee1ce277369176a09a3f191e15723802cb4056af74ae29a5432670299b1bf5b2920c49c01b16dc780cdedfa3aa5b65919a367e550bbd6eb88c833

    Download Submit

  • C:\Program Files (x86)\ouwegnqqzfvsskkhpekmuwdggp.lii
    Filesize

    272B

    MD5

    2b3283148af3a81ec0622a29547bf747

    SHA1

    a2dcba53fbccaae9a438302e60e4dae492e188c3

    SHA256

    347477200c80da84cb0f7f090a9191ee4978e72d3e2f6d8b63a357a3480afe63

    SHA512

    d582018977bbe65a6547564ce60057993c0c9c8dbb0d931be6f59aff0a90a38d8c629deec417aee2683ba2c8ad4e1c13bf2a1e13d95ba11a01c779a85ff3e3c4

    Download Submit

  • C:\Program Files (x86)\ouwegnqqzfvsskkhpekmuwdggp.lii
    Filesize

    272B

    MD5

    a49acffbf1fdeb0aa3cbc0a2be49a29b

    SHA1

    1c0f813ab8eec5dd7c183ebd2f32a321a17268cd

    SHA256

    27d9b2cc5587b81c5f5d73432b980f7c7f51f8dba6cf4bf05f0fcbd9cd817a83

    SHA512

    e5f78ce6532ca692263335db9ec86794feaa0b3b64f6725055b27824cb14da38fa42e330ec0a4c2ff95b45d8c7915abcd9f18dc3cd4666bd0bc443120eb04e6b

    Download Submit

  • C:\Program Files (x86)\ouwegnqqzfvsskkhpekmuwdggp.lii
    Filesize

    272B

    MD5

    951ec5dbc6fb97bcf1bd95afff25c877

    SHA1

    c8e1eefde6252af296753f7f88e170ace75cc751

    SHA256

    d33e10f9d5cc28fe292c09a1680e631da32336bfdb8987bc555bdde467ff605d

    SHA512

    8f6aed2263c0c83d319040b40b88ecafa70739af765092543cc26238dffc0922634e8841d2ff995184c43156d01b383d5c4319125b91919c27f5068bb6214783

    Download Submit

  • C:\Program Files (x86)\ouwegnqqzfvsskkhpekmuwdggp.lii
    Filesize

    272B

    MD5

    64702a94e020767b0edd4210460313fa

    SHA1

    a1b3ea45328354ad29b221331e88d615e97f74d8

    SHA256

    5dacee852f313114f6d2ebb39d2014611dfd8d97bbe389a2eaf499eebf16eb0d

    SHA512

    d82f27aba4cc250cf5ffb2ce62b75764a1bbf4750a4bdecbad2e5ec096a1ca3fd125f66335bf367cca1e9f6a9ca4ecc50edd0f113d212c6c3ddc852d847635a9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\xehqt.exe
    Filesize

    4.4MB

    MD5

    601b27c2caa10de3cde8dc8a5350ef88

    SHA1

    916e36cc718531cffd65b30345ae9da4a854d611

    SHA256

    4339a5666446e62212b9b3f6f181fe21c9507d0cc3d00c96e38f29c5dc678718

    SHA512

    7061081f589d014760270ae2ddc6c3d522a6268440306cc6741fae381786fdd0952b5e857869d2da8e1394272459701cb841d497d57dbde97dddffd2d705a6a3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\xehqt.exe
    Filesize

    4.4MB

    MD5

    601b27c2caa10de3cde8dc8a5350ef88

    SHA1

    916e36cc718531cffd65b30345ae9da4a854d611

    SHA256

    4339a5666446e62212b9b3f6f181fe21c9507d0cc3d00c96e38f29c5dc678718

    SHA512

    7061081f589d014760270ae2ddc6c3d522a6268440306cc6741fae381786fdd0952b5e857869d2da8e1394272459701cb841d497d57dbde97dddffd2d705a6a3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\xehqt.exe
    Filesize

    4.4MB

    MD5

    601b27c2caa10de3cde8dc8a5350ef88

    SHA1

    916e36cc718531cffd65b30345ae9da4a854d611

    SHA256

    4339a5666446e62212b9b3f6f181fe21c9507d0cc3d00c96e38f29c5dc678718

    SHA512

    7061081f589d014760270ae2ddc6c3d522a6268440306cc6741fae381786fdd0952b5e857869d2da8e1394272459701cb841d497d57dbde97dddffd2d705a6a3

    Download Submit

  • C:\Users\Admin\AppData\Local\ouwegnqqzfvsskkhpekmuwdggp.lii
    Filesize

    272B

    MD5

    a050fca533828b172473356868646959

    SHA1

    0200afd8a95340e4d348978dc6e0492f169f6509

    SHA256

    71e61de10118c7ad08665efdebafb44592f4a22b8e7562a44f08ed6a07f9aaa7

    SHA512

    2339b80cfc7995347af71e7ca27fa6b588b27890c6b8554d8230bd165cee22c515f88ecb1faa3b21c3a9e0a08cbfc0be82b6fa045147fa8beab0da1f2deb2392

    Download Submit

  • C:\Users\Admin\AppData\Local\pgtmzrfqkbckvyjrkkbohumalfwxfqtemffwj.phv
    Filesize

    3KB

    MD5

    56f80f0ec81c3fd1493fd4d1f2465488

    SHA1

    1453641315ebe8ea0cb7a4e18568d153668addee

    SHA256

    1c3ad6d81fbfc6cb785b26cf7fec47de2549ffdaf5064cae667e9362dbc3e93d

    SHA512

    e46a9cc915f2c9a153aa7baec8d384ef30760de5a8b72464d9101341af6c839bcb35b27039e7998d8ae423a29ee51858b825044c336ff5c927f81a574d60d273

    Download Submit

  • \Users\Admin\AppData\Local\Temp\xehqt.exe
    Filesize

    4.4MB

    MD5

    601b27c2caa10de3cde8dc8a5350ef88

    SHA1

    916e36cc718531cffd65b30345ae9da4a854d611

    SHA256

    4339a5666446e62212b9b3f6f181fe21c9507d0cc3d00c96e38f29c5dc678718

    SHA512

    7061081f589d014760270ae2ddc6c3d522a6268440306cc6741fae381786fdd0952b5e857869d2da8e1394272459701cb841d497d57dbde97dddffd2d705a6a3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\xehqt.exe
    Filesize

    4.4MB

    MD5

    601b27c2caa10de3cde8dc8a5350ef88

    SHA1

    916e36cc718531cffd65b30345ae9da4a854d611

    SHA256

    4339a5666446e62212b9b3f6f181fe21c9507d0cc3d00c96e38f29c5dc678718

    SHA512

    7061081f589d014760270ae2ddc6c3d522a6268440306cc6741fae381786fdd0952b5e857869d2da8e1394272459701cb841d497d57dbde97dddffd2d705a6a3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\xehqt.exe
    Filesize

    4.4MB

    MD5

    601b27c2caa10de3cde8dc8a5350ef88

    SHA1

    916e36cc718531cffd65b30345ae9da4a854d611

    SHA256

    4339a5666446e62212b9b3f6f181fe21c9507d0cc3d00c96e38f29c5dc678718

    SHA512

    7061081f589d014760270ae2ddc6c3d522a6268440306cc6741fae381786fdd0952b5e857869d2da8e1394272459701cb841d497d57dbde97dddffd2d705a6a3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\xehqt.exe
    Filesize

    4.4MB

    MD5

    601b27c2caa10de3cde8dc8a5350ef88

    SHA1

    916e36cc718531cffd65b30345ae9da4a854d611

    SHA256

    4339a5666446e62212b9b3f6f181fe21c9507d0cc3d00c96e38f29c5dc678718

    SHA512

    7061081f589d014760270ae2ddc6c3d522a6268440306cc6741fae381786fdd0952b5e857869d2da8e1394272459701cb841d497d57dbde97dddffd2d705a6a3

    Download Submit