Analysis

  • max time kernel
    3s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/12/2023, 08:35

General

  • Target

    6026f25d2195decd2904223e7118712a.exe

  • Size

    636KB

  • MD5

    6026f25d2195decd2904223e7118712a

  • SHA1

    a9f965661b3e3fca899b33a036832ebe2e5dfa8d

  • SHA256

    6e0bea15ef642c0cbcea5b487d7a5402d00592232bb14f6c5ba5273478ae002a

  • SHA512

    b41efc5bd80b9f0506087fd2894b76751e186e529fa7ae53c7cacd63b3a9c6b5561b687affea7a40050b896725acc8e18558452f753274be7d95d0aec43f5ebd

  • SSDEEP

    6144:9j6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionXdbV:F6onxOp8FySpE5zvIdtU+YmefZ3MMq

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 3 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 5 IoCs
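Added triage script for the registry-based behaviours in the signature list above (WinLogon persistence, Run and policy Run keys, RegEdit/policy modification, UAC checks). It is not part of the sandbox report, and the report does not show the exact values this sample writes; each check targets the standard registry location the corresponding signature name refers to, so it should be read as a host sweep for those locations, not as a signature for this specific family.

```powershell
# Added triage script (not from the sandbox report). Run in an elevated
# PowerShell on the host under examination.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Location, [string]$Name, $Value) {
    $findings.Add([pscustomobject]@{ Location = $Location; Name = $Name; Value = $Value })
}

# "Modifies WinLogon for persistence": Shell and Userinit are the usual targets.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon
if ($wl.Shell -and $wl.Shell -ne 'explorer.exe') {
    Add-Finding $winlogon 'Shell' $wl.Shell
}
$defaultUserinit = "$env:SystemRoot\system32\userinit.exe,"
if ($wl.Userinit -and $wl.Userinit -ne $defaultUserinit) {
    Add-Finding $winlogon 'Userinit' $wl.Userinit
}

# "Adds Run key" and "Adds policy Run key": list every value in the Run,
# RunOnce and Policies\Explorer\Run keys of both hives. Legitimate software
# appears here too, so compare the output against a known-good baseline.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath etc. are not registry values
        Add-Finding $key $p.Name $p.Value
    }
}

# "Disables RegEdit" and "System policy modification": Policies\System in
# either hive. A non-zero DisableRegistryTools blocks regedit for that scope.
foreach ($hive in 'HKLM', 'HKCU') {
    $polSys = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    if (-not (Test-Path -Path $polSys)) { continue }
    $ps = Get-ItemProperty -Path $polSys
    foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
        if ($ps.$name) { Add-Finding $polSys $name $ps.$name }
    }
}

# "Checks whether UAC is enabled" / "UAC bypass": machine-wide UAC settings.
# EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0 elevates without a
# prompt; PromptOnSecureDesktop=0 lets other windows overlay the prompt.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
    if ($uac.$name -eq 0) { Add-Finding $uacKey $name $uac.$name }
}

if ($findings.Count -eq 0) {
    'No non-default values found in the checked locations.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The Run-key section deliberately prints every value rather than trying to guess which one is malicious: the dropped executables in this report carry random-looking names, so the useful signal is an entry pointing into C:\Windows, C:\ or a user's Temp directory that is absent from the host's baseline.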

Processes

  • C:\Users\Admin\AppData\Local\Temp\6026f25d2195decd2904223e7118712a.exe
    "C:\Users\Admin\AppData\Local\Temp\6026f25d2195decd2904223e7118712a.exe"
    1⤵ PID:2304
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\stgbncxvcdq.exe
      "C:\Users\Admin\AppData\Local\Temp\stgbncxvcdq.exe" "c:\users\admin\appdata\local\temp\6026f25d2195decd2904223e7118712a.exe*"
      2⤵ PID:2660
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      • C:\Users\Admin\AppData\Local\Temp\xehoago.exe
        "C:\Users\Admin\AppData\Local\Temp\xehoago.exe" "-C:\Users\Admin\AppData\Local\Temp\wmyojypaylrjjauu.exe"
        3⤵ PID:2112
      • C:\Users\Admin\AppData\Local\Temp\xehoago.exe
        "C:\Users\Admin\AppData\Local\Temp\xehoago.exe" "-C:\Users\Admin\AppData\Local\Temp\wmyojypaylrjjauu.exe"
        3⤵ PID:1616
    • C:\Users\Admin\AppData\Local\Temp\stgbncxvcdq.exe
      "C:\Users\Admin\AppData\Local\Temp\stgbncxvcdq.exe" "c:\users\admin\appdata\local\temp\6026f25d2195decd2904223e7118712a.exe"
      2⤵ PID:1608

              Downloads

              • C:\Program Files (x86)\bavuywwqxtijssveqkjed.ffz

                Filesize

                272B

                MD5

                858480f673fb1c7f4fa559530a2a523c

                SHA1

                111d28222976ada2bee3475b53de330ef4eec98f

                SHA256

                97636751a1956784fc2d0054996d538dd7a0d134d3610ed8bb28c6f70f0a158c

                SHA512

                30f58c87aa7f94659be11f34acabe2aefb1558f230ed7eadac2b82f41d894f0c7e808737aef0edd767bfd36cdd529c49071d4ce22f9c7470555bdc9648f97c8a

              • C:\Program Files (x86)\bavuywwqxtijssveqkjed.ffz

                Note: same path as the entry above, written a second time; the size is unchanged but every hash differs, so the file's content is not stable across writes.

                Filesize

                272B

                MD5

                f043882df775ed27a348d2b1aa5a745d

                SHA1

                08d676ea061bc26c7458ec8ef2d72556e279b90f

                SHA256

                427c60f096feb5fc10a96b62865656fa5f5a9314c0a76bea58de6a95d9507115

                SHA512

                511dc88caa9233c4930b415a926837bfe694c743a66e8e9d21a9ce86d8729b1d60bc875b96f7e8db27d65bd96fc108aebffc97f9c045776cbf8c9f42e8906302

              • C:\Users\Admin\AppData\Local\bavuywwqxtijssveqkjed.ffz

                Filesize

                272B

                MD5

                56abbf8356f9fcc1d92422968813cc09

                SHA1

                1e70a2165047d2ac3d94d860bdcf4bd6d7184f16

                SHA256

                24ba9930855aa5aeb452a275252c91a99eed535e0079d650dabb8b0555f8b39b

                SHA512

                de388b1e8dc0d424bc6e2fcd35e9f047a1a7fbe159a8a799bef25ff16f2c0aa3822631ef24c24364e7a481921ce972abf468b389e786a3b20aeb87fb273da758

              • C:\Windows\duhyukconbibcupqu.exe

                Filesize

                93KB

                MD5

                42493f0711e785a297d50b2ede088cbb

                SHA1

                1d21e01647fac52364edbcf794e4f7c611b7ed79

                SHA256

                f5a1f7d4d1554c99b9c606de31e787725ea395a87584fb424326bac8a71d15e9

                SHA512

                e1807427fa9c3e1a983bbb7075cc0da32437157d08f7066dbe8f22cbdbb395b27a212b031c6353a127d649a11eeea954227d4f5811fcf557fdad6410bdcfcb1f

              • C:\Windows\wmyojypaylrjjauu.exe

                Note: this file has the same size and the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, i.e. the sample copies itself unchanged into C:\Windows under a random-looking name.

                Filesize

                636KB

                MD5

                6026f25d2195decd2904223e7118712a

                SHA1

                a9f965661b3e3fca899b33a036832ebe2e5dfa8d

                SHA256

                6e0bea15ef642c0cbcea5b487d7a5402d00592232bb14f6c5ba5273478ae002a

                SHA512

                b41efc5bd80b9f0506087fd2894b76751e186e529fa7ae53c7cacd63b3a9c6b5561b687affea7a40050b896725acc8e18558452f753274be7d95d0aec43f5ebd

              • C:\wgmwlufkcj.bat

                Filesize

                504KB

                MD5

                527de2ea70ee27294ab45fbb0d27c19a

                SHA1

                66763cbabfb2e8fd96749194fd428aa2e92035d0

                SHA256

                c98230c21e5fff3dadbd92e2e85d8f71fb3fca112a7d8272bc456dc054dd9053

                SHA512

                4feb9ccd2bb353e0bded03795abe839bfa588f765170eeada57cdccad16ab14db35e48a6c26deca3623e5cd80c9348b462a9be26ec30751411dde52dc310bbc2

              • \Users\Admin\AppData\Local\Temp\stgbncxvcdq.exe

                Filesize

                320KB

                MD5

                5203b6ea0901877fbf2d8d6f6d8d338e

                SHA1

                c803e92561921b38abe13239c1fd85605b570936

                SHA256

                0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060

                SHA512

                d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471

              • \Users\Admin\AppData\Local\Temp\xehoago.exe

                Filesize

                92KB

                MD5

                b3b1ef7f8a9a637bae1b18f8cb39a0d1

                SHA1

                f8c4dd9b877779fd564ace2d024439f3f9198c3f

                SHA256

                7501946d8add43f265aa9b3a3c7ece10ef1bcdbeb9274938247770f040b9b1bb

                SHA512

                710d74a658fecb73b9fafd7642381f9bf20799a976dedcf7d541fd1c88eee2e2bd9ab0c72cc04274adda5b81e9d739942521f4407506e47a5b5d7014f88902be
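Added IOC sweep for the files listed under Downloads above; it is not part of the sandbox report. Because the dropped filenames look randomly generated, it matches on the report's SHA256 values rather than on name, scanning only the directories the report shows the sample writing to. The directory list, the 1 MB size cut-off and the handling of the .ffz file are my choices, not something the report states. It needs Get-FileHash (PowerShell 4 or later; the Windows 7 image in this report ships PowerShell 2 by default, where certutil -hashfile would have to be substituted).

```powershell
# Added IOC sweep (not from the sandbox report). Run elevated on the host.

# SHA256 values copied from the Downloads list; the description records where
# the sandbox observed each file.
$knownSha256 = @{
    '6e0bea15ef642c0cbcea5b487d7a5402d00592232bb14f6c5ba5273478ae002a' = 'submitted sample, also C:\Windows\wmyojypaylrjjauu.exe'
    'f5a1f7d4d1554c99b9c606de31e787725ea395a87584fb424326bac8a71d15e9' = 'C:\Windows\duhyukconbibcupqu.exe'
    'c98230c21e5fff3dadbd92e2e85d8f71fb3fca112a7d8272bc456dc054dd9053' = 'C:\wgmwlufkcj.bat'
    '0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060' = '%TEMP%\stgbncxvcdq.exe'
    '7501946d8add43f265aa9b3a3c7ece10ef1bcdbeb9274938247770f040b9b1bb' = '%TEMP%\xehoago.exe'
    '97636751a1956784fc2d0054996d538dd7a0d134d3610ed8bb28c6f70f0a158c' = 'Program Files (x86)\bavuywwqxtijssveqkjed.ffz (first listed)'
    '427c60f096feb5fc10a96b62865656fa5f5a9314c0a76bea58de6a95d9507115' = 'Program Files (x86)\bavuywwqxtijssveqkjed.ffz (second listed)'
    '24ba9930855aa5aeb452a275252c91a99eed535e0079d650dabb8b0555f8b39b' = '%LOCALAPPDATA%\bavuywwqxtijssveqkjed.ffz'
}

# Top-level scan of the reported drop locations (not recursive, to keep the
# sweep fast). Every artifact in the report is under 1 MB, so larger files
# are skipped before hashing.
$scanDirs = @(
    $env:SystemRoot,
    "$env:SystemRoot\System32",
    'C:\',
    ${env:ProgramFiles(x86)},
    $env:LOCALAPPDATA,
    $env:TEMP
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$hits = foreach ($dir in $scanDirs) {
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le 1MB } |
        ForEach-Object {
            $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($sha -and $knownSha256.ContainsKey($sha.ToLower())) {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Size     = $_.Length
                    SHA256   = $sha.ToLower()
                    Reported = $knownSha256[$sha.ToLower()]
                }
            }
        }
}

# The .ffz file was written twice with different content in the sandbox, so
# its hash is not stable; a 272-byte .ffz in these directories is still worth
# collecting even when it matches none of the hashes above.
$hitPaths = @($hits | ForEach-Object { $_.Path })
$unmatchedFfz = Get-ChildItem -LiteralPath $scanDirs -Filter '*.ffz' -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -eq 272 -and $hitPaths -notcontains $_.FullName }

if ($hits) { $hits | Format-Table -AutoSize -Wrap } else { 'No files matching the reported hashes.' }
if ($unmatchedFfz) { 'Unmatched 272-byte .ffz files:'; $unmatchedFfz.FullName }
```

A hit on the first hash is the sample itself or its C:\Windows copy; a hit on the stgbncxvcdq.exe or xehoago.exe hashes with a different filename is still meaningful, since the process tree shows those names are assigned at run time. Collect any match before cleaning up, because the registry entries created by the same run (see the Signatures list) point at these paths.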