056eb01dd6d14a7e854929238c5a2f3b8d820e9c2c5f645daf3dce0e74151961

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4eeebf264c527caf596739bcabfe5453.exe
Size

63KB
MD5

4eeebf264c527caf596739bcabfe5453
SHA1

50c96adabb41fd24dacafdbbc3523a72ccdb51ed
SHA256

056eb01dd6d14a7e854929238c5a2f3b8d820e9c2c5f645daf3dce0e74151961
SHA512

c630caa2a1b302874449bc77320f4c35148a015686fcabf3b431158637966cd9530b1625f015935ef610894e0656d92db1e0538f21782c484bf08885e2bdbca3
SSDEEP

1536:vEhPplFTvjHf8ZePZhTJ4p4JHris3rNh4RWWRcgIvMoWN:vSPplFTrUSJ4eLis3rNh4RWzghN

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\uyobtr.sys	4eeebf264c527caf596739bcabfe5453.exe

Sets DLL path for service in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\dkrfiz\Parameters\ServiceDll = "%SystemRoot%\\System32\\uyobtr.dll"	4eeebf264c527caf596739bcabfe5453.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\dkrfiz\Parameters\ServiceDll = "%SystemRoot%\\System32\\uyobtr.dll"	4eeebf264c527caf596739bcabfe5453.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\dkrfiz\Parameters\ServiceDll = "%SystemRoot%\\System32\\uyobtr.dll"	4eeebf264c527caf596739bcabfe5453.exe

Deletes itself 1 IoCs

pid	Process
2168	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	4eeebf264c527caf596739bcabfe5453.exe
2168	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\000549b0.ini	4eeebf264c527caf596739bcabfe5453.exe
File created	C:\Windows\SysWOW64\uyobtr.dll	4eeebf264c527caf596739bcabfe5453.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe

C:\Users\Admin\AppData\Local\Temp\4eeebf264c527caf596739bcabfe5453.exe
"C:\Users\Admin\AppData\Local\Temp\4eeebf264c527caf596739bcabfe5453.exe"
1⤵
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
PID:2040

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k dkrfiz
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\uyobtr.dll

Filesize
32KB

MD5
28ee35b621f4d7071f829770351325fa

SHA1
fb3c36a815c014044a665902be765e1fd4c9982a

SHA256
da95a1aa77b701d452f4254f5b9e8ea5d850f90bac47799016165e4214c4fd73

SHA512
fcf9c1ff371eaafe513d837f94db900b8199ddce83de7074c96831dc9f39572dd03f45b9456fa21e9f59fccb7f2975da8517b8e69018a3be84686d74e5b947c9

Download Submit
\Windows\SysWOW64\uyobtr.dll

Filesize
33KB

MD5
fece63103232d922be5f19cbc2d94f97

SHA1
2882ee5e5192c544a2fbe951bb08703fc4ecf6a3

SHA256
da34e3555deb148f4670082969595533c7902be3f7cf2723ff8a48e228ebe22b

SHA512
a7e6927e4090adac36366765569b42d14c975e9ec11653edb5e7a8e1f18829f1edcdd87d70c284bc82a3c08d3dd2c573e0b855025b3fb5689734691bd0f11acd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads