Analysis

  • max time kernel
    34s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/01/2024, 17:50

General

  • Target

    2af85a983a5616dc5a66857f9a065c30.exe

  • Size

    43KB

  • MD5

    2af85a983a5616dc5a66857f9a065c30

  • SHA1

    f9835cff947f20568d40a0d48e36b2605083c0b2

  • SHA256

    6afe9d118ecf546c583a6fc7672251aeede85e54791022e48c6a7a6ec0d16247

  • SHA512

    1f1a9cd0f1bf6419a2b8c1e71e6ea44c77d1625a4222e694c9308f20d7467228b866fe936fd312f00bd692ca61802e64625d49d5e6aae99f15550578c78de2bb

  • SSDEEP

    768:WAUJmQCcmLCXQq6fsKiJYsIkjJVzqsVG5kuGVAQvRRf:RUNHFKQbIkHvGkAm

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Sets file execution options in registry 2 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    PID:612
    • C:\Users\Admin\AppData\Local\Temp\2af85a983a5616dc5a66857f9a065c30.exe
      "C:\Users\Admin\AppData\Local\Temp\2af85a983a5616dc5a66857f9a065c30.exe"
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3200
      • C:\Windows\SysWOW64\rmass.exe
        "C:\Windows\system32\rmass.exe"
        • Windows security bypass
        • Drops file in Drivers directory
        • Modifies Installed Components in the registry
        • Sets file execution options in registry
        • Executes dropped EXE
        • Windows security modification
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2036
    • C:\Windows\SysWOW64\rmass.exe
      --k33p
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3204
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      PID:3444

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\RECOVER32.DLL

    Filesize

    5KB

    MD5

    2b2c28a7a01f9584fe220ef84003427f

    SHA1

    5fc023df0b5064045eb8de7f2dbe26f07f6fec70

    SHA256

    9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb

    SHA512

    39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

  • C:\Windows\SysWOW64\ahuy.exe

    Filesize

    45KB

    MD5

    5b292a2811ae6e7e4e855e62ee10c325

    SHA1

    72f2c1816a5f5bb1ed1e3590b9df2009ccf9f03a

    SHA256

    0ce45bfa8b3620e0440cf600a0eda7366d91d544b1b4bc0f7ce303d8cf1a5950

    SHA512

    7f567325f75ed07f0f51943edc0c419c798a037f422cf604f6c988cc7c2baeedbffed524a682011a4d3bf3cd63e13c83248b45ea5946629a4601d1f0bd777f12

  • C:\Windows\SysWOW64\ntdbg.exe

    Filesize

    46KB

    MD5

    9a3e56872346fa588b96fac0691554b9

    SHA1

    133c145d77f752ddcfc392a08abbfdfc18826453

    SHA256

    9865c96e1aa43b0e3ddf03a9dd0e91b943201802ad51fbfd84ab97f48c711e31

    SHA512

    4e4ae9368cacdf3ca76157e8c27af36945682a29dafa5760cdfa271739e2fe0e94d8c6052c04aa51f11ea3b7beba76762f12eeefa80bb23e75912e3575e4957c

  • C:\Windows\SysWOW64\rmass.exe

    Filesize

    43KB

    MD5

    2af85a983a5616dc5a66857f9a065c30

    SHA1

    f9835cff947f20568d40a0d48e36b2605083c0b2

    SHA256

    6afe9d118ecf546c583a6fc7672251aeede85e54791022e48c6a7a6ec0d16247

    SHA512

    1f1a9cd0f1bf6419a2b8c1e71e6ea44c77d1625a4222e694c9308f20d7467228b866fe936fd312f00bd692ca61802e64625d49d5e6aae99f15550578c78de2bb

  • memory/3200-6-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB