Overview

overview

10

Static

static

3

1930fe7ebb...50.exe

windows7-x64

10

1930fe7ebb...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    175s
  • max time network
    191s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    14/11/2023, 19:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1930fe7ebb2c3455eefed7928cf70bb4c421894cd0cf05ccd1df44b9f57c9b50.exe

  • Size

    4.2MB

  • MD5

    6a5ef94c6ee6b0a6308014c12bb0a163

  • SHA1

    70877f371e82ca531fc43fee50d295d046d92740

  • SHA256

    1930fe7ebb2c3455eefed7928cf70bb4c421894cd0cf05ccd1df44b9f57c9b50

  • SHA512

    ad8ee3c015beca73bbb3b975d7caebe71fcababc76a41a3a1a8b058071e2525c96773dc913205feaf54fe5e4aa609f53638d65aae4acc9c7bd5b245c98cf8dc5

  • SSDEEP

    6144:73ue8ySm8hQAAIfFrRXuEE+0l97mKwKTZZJZNxOT2mzcVeqHV986JQPDHDdx/Qtf:R/zkFF+EExZmKbiuV9PJQPDHvd

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 25 IoCs
    persistence
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 39 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\1930fe7ebb2c3455eefed7928cf70bb4c421894cd0cf05ccd1df44b9f57c9b50.exe
    "C:\Users\Admin\AppData\Local\Temp\1930fe7ebb2c3455eefed7928cf70bb4c421894cd0cf05ccd1df44b9f57c9b50.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2652
    • C:\Users\Admin\AppData\Local\Temp\muygfo.exe
      "C:\Users\Admin\AppData\Local\Temp\muygfo.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:2548
    • C:\Users\Admin\AppData\Local\Temp\muygfo.exe
      "C:\Users\Admin\AppData\Local\Temp\muygfo.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • System policy modification
      PID:2624

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\bilsqycnmxomnghfoipszxfjute.tun
          Filesize

          272B

          MD5

          ed513df880e7ad979315d4d348869d61

          SHA1

          261d64460fae4731a4042db88e7b899d67aa6fad

          SHA256

          0fd00826dd8949a4af4b36e80cd89abaaece88af62acb6953e93e131ba520e3d

          SHA512

          e758471b54f947a69566e2cc6185b4e3fe5f3aeb3f81606ed52c47f51510f20bc68ca019005ce72d0b106ae5b75ba06e87ae95b07d7e325c4a008f368e95dc7c

          Download Submit

        • C:\Program Files (x86)\bilsqycnmxomnghfoipszxfjute.tun
          Filesize

          272B

          MD5

          f33431dc5a1be1e89d853df5b446a350

          SHA1

          791f1a53f741c426284d1c250194fc4871cc43a4

          SHA256

          4eefb838c1b6ffb97616f8206179d4984b1e10a809397e98124a7e38f0eb8124

          SHA512

          539f10c3acd132f0196c1ea2f95df6736474ca36699c0aa11c702a660c912ebf375ff0c89a4aac6f268c3f9cf9bd696232bf779406da6d84e66dc159f0734117

          Download Submit

        • C:\Program Files (x86)\bilsqycnmxomnghfoipszxfjute.tun
          Filesize

          272B

          MD5

          41e2e98082371853f099ff8d4b1efedd

          SHA1

          eff00fd06483a60e26353533039ec3e5c6ae5e5f

          SHA256

          c2eb24e6d3c15ecb867bc3df986fc680b5f4cc2d1e20f8c5496254808801ff7a

          SHA512

          0c5e577c1f459881c24c25b4d2aced4cede80971be982cdbd1dd75a66737cef0cb781d9533f9d5a17c78d130207259848275cbd045286ff43699180a5491141e

          Download Submit

        • C:\Program Files (x86)\bilsqycnmxomnghfoipszxfjute.tun
          Filesize

          272B

          MD5

          e851765e5cd2bb26e06a3e14069a0985

          SHA1

          a2869020ead46295e9f4021743729ff43837c9be

          SHA256

          9bd337d4252847f43634def8f3eee22e45328ec4af3fd9287b5c1a74e99fe117

          SHA512

          85d8380288b1af3c63f36e708002328ed022ad1e5d1d6abe2b38def1876d8009775412354d191317f2d3b63b82a9789793acbff65c1dcfa8e06e8caa07e877c2

          Download Submit

        • C:\Program Files (x86)\bilsqycnmxomnghfoipszxfjute.tun
          Filesize

          272B

          MD5

          e5164bd11a43a94d42842006fa7f3d57

          SHA1

          98a9578330f53ad1ee2891a237f603b508865581

          SHA256

          d937c11762c7cbeed46708453c575ee07acdbb0e2335b61428799f9475347947

          SHA512

          9b90d946bd366703c3a39e8692181fbcc5f5f5523ab5a3b8536966cd573d8c3dbc5272030dc5522a9317070c219891bbf9a48608605f00705734a034ed336d42

          Download Submit

        • C:\Program Files (x86)\bilsqycnmxomnghfoipszxfjute.tun
          Filesize

          272B

          MD5

          b7f5541c3ff9579e061d4ce3b4653138

          SHA1

          9e824f3f1658fa0ab8354b28bfcb6353dbed79c2

          SHA256

          334177a520d1ab1fa9ca05da7d9b91f17fe51fef66a45c79ed7acb34dc145945

          SHA512

          a0495806539dad29f6a186b948534a957e748fefd25d476b22d862dab1387cb941bd367fa2395f9ae201edf72a9c88961c20f8e57393848767be49b73898e90d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\muygfo.exe
          Filesize

          5.7MB

          MD5

          d45aea54d1975079a4c11facc8607433

          SHA1

          7b250bea9c83ffee375535e30cfb1326192a3f38

          SHA256

          daa3fc3979b4ea6a1f6054bd66bf35afc0848736933ff7d3e7bfbce2478ac660

          SHA512

          6c359c3778706a53ee1cf2c2d8d1a5e53546a9e520e357e1b5bb2193ec8ce3cd04f6e67c7cc1223f1345a732eb4e00cadd51272c5304c7b0fe77ca8da3c17813

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\muygfo.exe
          Filesize

          5.7MB

          MD5

          d45aea54d1975079a4c11facc8607433

          SHA1

          7b250bea9c83ffee375535e30cfb1326192a3f38

          SHA256

          daa3fc3979b4ea6a1f6054bd66bf35afc0848736933ff7d3e7bfbce2478ac660

          SHA512

          6c359c3778706a53ee1cf2c2d8d1a5e53546a9e520e357e1b5bb2193ec8ce3cd04f6e67c7cc1223f1345a732eb4e00cadd51272c5304c7b0fe77ca8da3c17813

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\muygfo.exe
          Filesize

          5.7MB

          MD5

          d45aea54d1975079a4c11facc8607433

          SHA1

          7b250bea9c83ffee375535e30cfb1326192a3f38

          SHA256

          daa3fc3979b4ea6a1f6054bd66bf35afc0848736933ff7d3e7bfbce2478ac660

          SHA512

          6c359c3778706a53ee1cf2c2d8d1a5e53546a9e520e357e1b5bb2193ec8ce3cd04f6e67c7cc1223f1345a732eb4e00cadd51272c5304c7b0fe77ca8da3c17813

          Download Submit

        • C:\Users\Admin\AppData\Local\bilsqycnmxomnghfoipszxfjute.tun
          Filesize

          272B

          MD5

          c8ed563b54cc7f3a5420f2671388bf44

          SHA1

          64175c75492449b293ecd431b3ed208889284d53

          SHA256

          c9cc400490fe5e15d478efd517aa65e23910792854816f7886d0728260a02476

          SHA512

          d67aa109baa27190a4b3332a5ae543df6e36f4e169341101ab16c1ac33a0a928693d7649578cc0d6c4e5080409151d0e170a3646f01197bab19de281ecd4ad23

          Download Submit

        • C:\Users\Admin\AppData\Local\bilsqycnmxomnghfoipszxfjute.tun
          Filesize

          272B

          MD5

          74176e5a80ad61ed0992708f9ad29866

          SHA1

          d2aafde4fcee288f383338df74534224c1fb10d1

          SHA256

          6602082a01f6e5c0dd869289725870517482e97635a4d9cf7ddf1dd0319c177f

          SHA512

          d7d7e5a36834eff669b179f16eff5e63e0c98b6981f039b15fccf8f4db4e688645cd1c9e26703346157dd3c48b9e15ad9723f6b921b640fbbe2524ae20e3c1ab

          Download Submit

        • C:\Users\Admin\AppData\Local\yqewfynjtpramqclfkcqirkzvfbdmycoxrwocu.wlh
          Filesize

          3KB

          MD5

          30ab220519221f3e0dacb9fda81961ad

          SHA1

          85cb723c132fd1297c571539ec9b17cb2ddd4191

          SHA256

          d2509cc380b6a33834409a681f185adaf894798158a7efa8937f8c8d13800c8c

          SHA512

          4cc3099426bee10f3cc30d2c762ec7d0a3e9d1329279b422045cd79fab67704ecb559881fdae4777390c62c113dbeff04d9aee7f50ba5f21ba1fc94d2ed0c51f

          Download Submit

        • \Users\Admin\AppData\Local\Temp\muygfo.exe
          Filesize

          5.7MB

          MD5

          d45aea54d1975079a4c11facc8607433

          SHA1

          7b250bea9c83ffee375535e30cfb1326192a3f38

          SHA256

          daa3fc3979b4ea6a1f6054bd66bf35afc0848736933ff7d3e7bfbce2478ac660

          SHA512

          6c359c3778706a53ee1cf2c2d8d1a5e53546a9e520e357e1b5bb2193ec8ce3cd04f6e67c7cc1223f1345a732eb4e00cadd51272c5304c7b0fe77ca8da3c17813

          Download Submit

        • \Users\Admin\AppData\Local\Temp\muygfo.exe
          Filesize

          5.7MB

          MD5

          d45aea54d1975079a4c11facc8607433

          SHA1

          7b250bea9c83ffee375535e30cfb1326192a3f38

          SHA256

          daa3fc3979b4ea6a1f6054bd66bf35afc0848736933ff7d3e7bfbce2478ac660

          SHA512

          6c359c3778706a53ee1cf2c2d8d1a5e53546a9e520e357e1b5bb2193ec8ce3cd04f6e67c7cc1223f1345a732eb4e00cadd51272c5304c7b0fe77ca8da3c17813

          Download Submit

        • \Users\Admin\AppData\Local\Temp\muygfo.exe
          Filesize

          5.7MB

          MD5

          d45aea54d1975079a4c11facc8607433

          SHA1

          7b250bea9c83ffee375535e30cfb1326192a3f38

          SHA256

          daa3fc3979b4ea6a1f6054bd66bf35afc0848736933ff7d3e7bfbce2478ac660

          SHA512

          6c359c3778706a53ee1cf2c2d8d1a5e53546a9e520e357e1b5bb2193ec8ce3cd04f6e67c7cc1223f1345a732eb4e00cadd51272c5304c7b0fe77ca8da3c17813

          Download Submit

        • \Users\Admin\AppData\Local\Temp\muygfo.exe
          Filesize

          5.7MB

          MD5

          d45aea54d1975079a4c11facc8607433

          SHA1

          7b250bea9c83ffee375535e30cfb1326192a3f38

          SHA256

          daa3fc3979b4ea6a1f6054bd66bf35afc0848736933ff7d3e7bfbce2478ac660

          SHA512

          6c359c3778706a53ee1cf2c2d8d1a5e53546a9e520e357e1b5bb2193ec8ce3cd04f6e67c7cc1223f1345a732eb4e00cadd51272c5304c7b0fe77ca8da3c17813

          Download Submit