b111ebeea6ee904a67982e7fca339c8017482b555e1819a7eddf00a88b9da4ae

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76718972a1c9983da79829d936ae4652.exe
Size

585KB
MD5

76718972a1c9983da79829d936ae4652
SHA1

2bcea2922323b2012c40978402e9f3fb3fe9fdb2
SHA256

b111ebeea6ee904a67982e7fca339c8017482b555e1819a7eddf00a88b9da4ae
SHA512

acfd2f095283be9999a9325de132fef59d5982ea6a55a1ca9affa0d32070e73962077779cb489b467505f3763db28cd2ee9ba9dd6767a26cd312448c3f11af76
SSDEEP

12288:8TiHFgvJN0bbqMffOzZYpfKPh9KVc1BvpWusp9UIWFaOWQ/yird:CiSvJKfOVWGK+PvpWuiWIpO

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Users\\Admin\\AppData\\Local\\Pic1fPBkmq\\LOHejsSdpL.exe\" -s"	76718972a1c9983da79829d936ae4652.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	76718972a1c9983da79829d936ae4652.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1548-0-0x0000000000400000-0x0000000000634000-memory.dmp	upx
behavioral1/memory/1548-3-0x0000000000400000-0x0000000000634000-memory.dmp	upx
behavioral1/memory/1548-4-0x0000000000400000-0x0000000000634000-memory.dmp	upx
behavioral1/memory/1548-5-0x0000000000400000-0x0000000000634000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	76718972a1c9983da79829d936ae4652.exe

C:\Users\Admin\AppData\Local\Temp\76718972a1c9983da79829d936ae4652.exe
"C:\Users\Admin\AppData\Local\Temp\76718972a1c9983da79829d936ae4652.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- System policy modification
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1548-0-0x0000000000400000-0x0000000000634000-memory.dmp

Filesize
2.2MB

Download
memory/1548-3-0x0000000000400000-0x0000000000634000-memory.dmp

Filesize
2.2MB

Download
memory/1548-4-0x0000000000400000-0x0000000000634000-memory.dmp

Filesize
2.2MB

Download
memory/1548-5-0x0000000000400000-0x0000000000634000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads