Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20231215-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    25/12/2023, 17:38

General

  • Target

    318029a9c9f9004287add2dd4a5e063f.exe

  • Size

    167KB

  • MD5

    318029a9c9f9004287add2dd4a5e063f

  • SHA1

    73146d10d1b14e9fb66b385111cee23367618182

  • SHA256

    ae2209243e806fc7c1b4d26c8493cd79bc65a68a04fe1219b6c6de9403c731d1

  • SHA512

    26fdd41fdc182fff1898d971484e6eff3ddf10d11ebe152407c2be2051f492fd7a3dc73ad31192e7ca4bdb04a5339e58824562fd040adeb587431f897e7aa96d

  • SSDEEP

    3072:6ndPbCXYwE0qOKvLtTKx4hIOcXGQiHkX55sgDUO0bq:6nhbCIw+OSLtTLIOcXPsUUO3

Score
10/10

Signatures

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 2 IoCs)
  • Windows security bypass (2 TTPs, 2 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Windows security modification (2 TTPs, 5 IoCs)
  • Drops file in System32 directory (8 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Windows\system32\winlogon.exe (PID 608, depth 1)
    Command line: winlogon.exe
    Signatures:
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
  • C:\Users\Admin\AppData\Local\Temp\318029a9c9f9004287add2dd4a5e063f.exe (PID 1636, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\318029a9c9f9004287add2dd4a5e063f.exe"
    Signatures:
    • Modifies Windows Defender Real-time Protection settings
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    Child processes:
    • C:\Users\Admin\AppData\Local\Temp\update64.exe (PID 3684, depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\update64.exe"
      Signatures:
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      Child processes:
      • C:\Windows\system32\cmd.exe (PID 1184, depth 3)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_unins_update.bat" "
    • C:\Windows\system32\cmd.exe (PID 2872, depth 2)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_unins_mxz.bat" "

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_unins_mxz.bat
    Filesize: 368B
    MD5: fae650da5759ce36dad8c7213775354c
    SHA1: d03ba122a01a297d75571a6119a048a5d492b80d
    SHA256: 3b2798b373c72994b6dd73eb8b1c394e7b70cb20e92c92edced68e285a2200ea
    SHA512: 1b45152c063a2934088465cb4b491b364d2498d2d45b5885ad53643315f28f48a2a22c01737ff1a9cb7104a5f62734023a0d2fa768192a899b2208fc67e8f163

  • C:\Users\Admin\AppData\Local\Temp\_unins_update.bat
    Filesize: 191B
    MD5: edf0ffb7e2a7d2ab23c67221437a908c
    SHA1: e2734d0bf750a7041dab20a4c40b68b10a77cb2c
    SHA256: ce868933eba2236799cb2261d6e3995a09646abef296999563e5808142c870d3
    SHA512: 0e2a1fc2f2fe9c22da73b9d63f010072017b2a5bfe4f4af21dac439d2a232904e82cf02b2fe4549ff10b29e9eb64a238b17132574ba6cefc37d81922f26c1c7f

  • C:\Users\Admin\AppData\Local\Temp\update64.exe
    Filesize: 41KB
    MD5: de29793e344647dc9961b6be80b2ea8a
    SHA1: b1a14f0caefd837ab3599ad4000543b6d17b323e
    SHA256: febc1f759afadf8820a4580259ddda9a1a44213d0d36d660b184449a0a369335
    SHA512: b6390f5618acdfe2db1b867e115a1140680fe43ff62dbcbd2aef69b26a0d356cf1fa6b2d20e3dc40e7d01ae0a79dcd4f79044a170b1a1b04af678c47c1b84d9b

  • C:\Windows\SysWOW64\insvc32.exe
    Filesize: 9KB
    MD5: 8219200bed17b14b1887b3e38e8c170e
    SHA1: 6d27a03882b51a86b7209953b6cb10af806422cd
    SHA256: 092f1d112fe7e7e9b4661be993e96a17f8d89efd946900c7046f076c90807e8d
    SHA512: 7c3e1e9626f546ad1fcca44cd7d2bec3ccd846621bb98f8f41fbf36de401d89ba0c6d6aa4290eb1551efe813c181d3406bc4e1be0abf2af5bae074364ce4eba7

  • C:\Windows\system32\SoAction64.dll
    Filesize: 24KB
    MD5: 13746dbf26d2d41f04466e869d4ca445
    SHA1: 6d764ffa381658dd31a404de6c10962cd51fb560
    SHA256: 9e69bb944de1e95f30ede672e418d6c97970aa97f309089df3a11a7b36e7f683
    SHA512: 0cb15612c6ed719bfb4b3b91d54dd197bf74b5aca6f196a7354808f8562f9802316f9b4b418dc4959531249c7fc11097328f1a386d681356d8ea5e1e34e5c193