Overview

overview

10

Static

static

7

7bda31d949...3c.exe

windows7-x64

10

7bda31d949...3c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    28-01-2024 01:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7bda31d949bdc601d8eed73b96a8d63c.exe

  • Size

    342KB

  • MD5

    7bda31d949bdc601d8eed73b96a8d63c

  • SHA1

    834d36b4cd84ae8b8890076001bcc03b738cb7b4

  • SHA256

    5dcf383f864241b061dc3817a08b833657e01fab9f95e6168ebc093bbf032e30

  • SHA512

    ae9c5718b8bf6be6ac4c5df5f03ec47d532f5bba42a115983a2ce240cb48a7898b82bb1e4821c8b2e474f904d75f2293ad5eefc03dd2f780ae222e09752da675

  • SSDEEP

    6144:JdLyECo18b6fobHWTXeIBr3beX5htpHMa95xYDCsUQlKu:JdbI6IHSOYKXXtGa9DAzUQl

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Loads dropped DLL 1 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7bda31d949bdc601d8eed73b96a8d63c.exe
    "C:\Users\Admin\AppData\Local\Temp\7bda31d949bdc601d8eed73b96a8d63c.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Disables RegEdit via registry modification
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Modifies WinLogon
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

2
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

2
T1547.004

Defense Evasion

Modify Registry

5
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5NO18RQU\NewErrorPageTemplate[1]
    Filesize

    1KB

    MD5

    cdf81e591d9cbfb47a7f97a2bcdb70b9

    SHA1

    8f12010dfaacdecad77b70a3e781c707cf328496

    SHA256

    204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

    SHA512

    977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CMN2CJMU\dnserrordiagoff[1]
    Filesize

    1KB

    MD5

    47f581b112d58eda23ea8b2e08cf0ff0

    SHA1

    6ec1df5eaec1439573aef0fb96dabfc953305e5b

    SHA256

    b1c947d00db5fce43314c56c663dbeae0ffa13407c9c16225c17ccefc3afa928

    SHA512

    187383eef3d646091e9f68eff680a11c7947b3d9b54a78cc6de4a04629d7037e9c97673ac054a6f1cf591235c110ca181a6b69ecba0e5032168f56f4486fff92

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YAQV8V65\errorPageStrings[2]
    Filesize

    2KB

    MD5

    e3e4a98353f119b80b323302f26b78fa

    SHA1

    20ee35a370cdd3a8a7d04b506410300fd0a6a864

    SHA256

    9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

    SHA512

    d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YAQV8V65\httpErrorPagesScripts[1]
    Filesize

    8KB

    MD5

    3f57b781cb3ef114dd0b665151571b7b

    SHA1

    ce6a63f996df3a1cccb81720e21204b825e0238c

    SHA256

    46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

    SHA512

    8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

    Download Submit
  • \Users\Admin\AppData\Local\Temp\dwlGina3.dll
    Filesize

    93KB

    MD5

    1173123287198dce1eb831f04e28352c

    SHA1

    39d650f4297c990a7ffaa7dc3b6d0ef903c9bd14

    SHA256

    65d4582e135c774d9c827ae08de8b77f199ee934f13d1a0537df4f5d18f590ba

    SHA512

    e9fdb6e808b0f3ed850fb364d48609a9726fd41ad138594fc04f8d48d5672aec3aaa76af236f07c4263c053dc539f99009e74491adb03c885190dcce78f0cede

    Download Submit
  • memory/2964-10-0x00000000003D0000-0x00000000003EC000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2964-66-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-0-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-39-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-40-0x00000000003D0000-0x00000000003EC000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2964-4-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-5-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-49-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-2-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-1-0x0000000000220000-0x0000000000226000-memory.dmp
    Filesize

    24KB

    Download
  • memory/2964-54-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-56-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-57-0x00000000002C0000-0x00000000002C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-6-0x00000000002C0000-0x00000000002C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2964-80-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-90-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-104-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-114-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-128-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-138-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-148-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-162-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-176-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-186-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2964-200-0x0000000000400000-0x00000000004A6000-memory.dmp
    Filesize

    664KB

    Download