Overview

overview

10

Static

static

3

b571cd68c9...71.exe

windows7-x64

10

b571cd68c9...71.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    05/03/2024, 19:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b571cd68c97f16598cd6a75f9c68e471.exe

  • Size

    644KB

  • MD5

    b571cd68c97f16598cd6a75f9c68e471

  • SHA1

    e9140a31d28af6033dd9e58f73b2e1891dafda6d

  • SHA256

    dc1b07a52af475827944cf1bdd0c8468fe428e5cece300227ca3c54ebc5e3e65

  • SHA512

    3b348101ca228acb557dc851d4192ea71aad03fc50298e494c464148b8a4170724e297381b92d4f1a6f5d2ad1a9712ba4b7175986e4d965bc6ce46e9119ce53b

  • SSDEEP

    12288:PKr3QboC9qLGKgZKe4HYpHvcbTUT+tLEGz//:PQ3QbiGL8LwH18

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • UAC bypass 3 TTPs 13 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 27 IoCs
    persistence
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 41 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b571cd68c97f16598cd6a75f9c68e471.exe
    "C:\Users\Admin\AppData\Local\Temp\b571cd68c97f16598cd6a75f9c68e471.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Users\Admin\AppData\Local\Temp\gugcvwzjqeq.exe
      "C:\Users\Admin\AppData\Local\Temp\gugcvwzjqeq.exe" "c:\users\admin\appdata\local\temp\b571cd68c97f16598cd6a75f9c68e471.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2264
      • C:\Users\Admin\AppData\Local\Temp\vhptahs.exe
        "C:\Users\Admin\AppData\Local\Temp\vhptahs.exe" "-C:\Users\Admin\AppData\Local\Temp\upgtjztiwzsjkiow.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2484
      • C:\Users\Admin\AppData\Local\Temp\vhptahs.exe
        "C:\Users\Admin\AppData\Local\Temp\vhptahs.exe" "-C:\Users\Admin\AppData\Local\Temp\upgtjztiwzsjkiow.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2636
    • C:\Users\Admin\AppData\Local\Temp\gugcvwzjqeq.exe
      "C:\Users\Admin\AppData\Local\Temp\gugcvwzjqeq.exe" "c:\users\admin\appdata\local\temp\b571cd68c97f16598cd6a75f9c68e471.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

5
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\oxcdhltwypwbqcwsvenstxbjmo.mrg
    Filesize

    280B

    MD5

    613e9d1d97ecee1a75c1f6a350c21546

    SHA1

    e650308d6586ae5f6404a16147513625c396b118

    SHA256

    ba34e07556af23ac90adc84fa0870f7686e31b9b74ee9209dd1326051712a3a4

    SHA512

    6f5da9176d1e524a6bd4becda64c406842e7bf2f8e23fd4131d8784947aba840c1d16ad4a679b87656bf4a81180f266f7b5ff831f2800c79522d9527edb779cd

    Download Submit

  • C:\Program Files (x86)\oxcdhltwypwbqcwsvenstxbjmo.mrg
    Filesize

    280B

    MD5

    69afc25cd3bb88a12af84b8d9c47cf24

    SHA1

    0f9925e1cbf504ccf82a7e46b30cc229cd8e5ab3

    SHA256

    6d8caff8a35dcc592db25dbbc0184f703cd45052db6e2264d2be48bb5d51c1ae

    SHA512

    c8394b4553073166129cab9d794cfae8286655832af503914ba3d58698fa3b2967c458871c29e0151df38dc2641107b1697661ffc5da8493a0708bb67821eb2c

    Download Submit

  • C:\Program Files (x86)\oxcdhltwypwbqcwsvenstxbjmo.mrg
    Filesize

    280B

    MD5

    0e6c8e7876fa4ee7b00568c2895ed683

    SHA1

    0333108f634e493b5bccdfe00b8e5fd3f698de10

    SHA256

    7298e123ee46568312f8fd43163f8d6f3cfdcdd052b75c598887cc0d0fab88c3

    SHA512

    86aafdbe7403dcbe92444d0590a76e36f84d4b308954b70b1a76134b2bc857ba6efdb80460197bb0ce701ec124ccdafb82ea63f0792bc5897471278bd6a6c9a4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bxpdulgwlpjbdcjsi.exe
    Filesize

    443KB

    MD5

    19d7b91cd588ffe6f3641a0efbc749e0

    SHA1

    084400ba5cea6372724a5123369ad9ec70e6dc48

    SHA256

    f09658e48880b0e0ce5e3d923e39d8762b2e7f9b1a1d635d079c67c78973b360

    SHA512

    7fc4d97f21ee4a2aa356e3904a9b34e84f1ac0a7e7e32bcc7142b6db657aaa3615e81fe2d1edf4623be4f6511ba597d9bda7648c38694554b53f4beb6c2ece53

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ihctnhfyqxupuwgslkje.exe
    Filesize

    308KB

    MD5

    1ea898a57321190d46469f4b0b51308e

    SHA1

    71141f8773b98db3d1ffbe9c1b34b29f9129e1b0

    SHA256

    6185c634fc69d7243a59553f3f6a3ec3df7d08fca921d802e50cd790f478f8dc

    SHA512

    f114a7bce61686da888fc6fab5c87ea2c15ef953da236151456935a48b3b7bd170cdf64b209bbd21d53072e76bf410ae0a535e29e9b5b97b5983da7b76df6b86

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\khaphzvmchcvyygqhe.exe
    Filesize

    448KB

    MD5

    56a2ff5e249d6a33856374836dcc6c52

    SHA1

    9e39b0a4b01a415ca7347aa9663259ff5ed676c9

    SHA256

    17bf80c8af0658a54c4c583fe8724d60b5dcb4c35fdc36615320b42a5cd116ec

    SHA512

    9dad5e00ba4abe11e939ccbacd21d0594d6f884c150f6d3fff48b06024dfb0d8edd684d624bfa4da90f3863fd273591704a8b468111d37843e6193b59991308a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\opmfbxxsmvurycocxyzwpl.exe
    Filesize

    250KB

    MD5

    1730abe19f289f9c22259421dda3c443

    SHA1

    7c2568c79276f4b6e29a1db69fa28027136bcf8c

    SHA256

    8c0c0bbcee98d67c3e0771a875c72f6b21b4286027402af26faa4feefc062639

    SHA512

    4a38de61d97ca0342670b21edad6c711eb7b644b7865b06816e468c3f31e9399f4ea8830d5ab8f7b77705b99c2ba916d54108bb87dc5bb956ef5758538704dea

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vtndwpmevbxrvwfqige.exe
    Filesize

    427KB

    MD5

    7f1508d17bac6f0f9a4e28339be4e116

    SHA1

    17c51cbda7ba269bec5113d968b2d677abef7a4d

    SHA256

    f411e23e8aea31d18d9dbdf1b89a41e038406205a9125d9b619ebff82545368a

    SHA512

    fdfa4a2db5e22e13a1cedac1aa765974221798437b81b798f6b80f9bac597c1bfbf72a13f3eeab46cd51bc87893fd9c6b2b626d35500b572bdde348fb4371f2a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\xxtlgbaunvtpvyjwqqqme.exe
    Filesize

    272KB

    MD5

    9275a504cf85e7c77f66b80813d8116e

    SHA1

    5663b302151d38b565dae4600f73b64978a171a9

    SHA256

    e29b30766ede0ee4445cd51acb092aa7a33426b1956f45ab27f7623ca6e4139c

    SHA512

    3adc8a0593af511decd10f48282e65b4122117036f95b5c500d9b5b43c33063f676be817c580524484096e55ecdd9a11bc353503ce8d61c0f0cf751fc299f7f8

    Download Submit

  • C:\Users\Admin\AppData\Local\oxcdhltwypwbqcwsvenstxbjmo.mrg
    Filesize

    280B

    MD5

    7382d8bcded67e7e76d9c869ebd2d2c4

    SHA1

    f5e4c4d49a19ffa7315428c6c7e388167a9e7623

    SHA256

    44683b782052d980c55dcc12bfc53744e175cac801aa63c26a92111e60b58ee6

    SHA512

    7a8e2bdd0d0774b89ba92ee083f9d3b12284af9260fbac035108a5068ef50f06961e4c9a2a602bda9d92a4abe9831128385540d60f9dff65a27502eab3f80f4a

    Download Submit

  • C:\Users\Admin\AppData\Local\oxcdhltwypwbqcwsvenstxbjmo.mrg
    Filesize

    280B

    MD5

    2688571caa3ef85ade53c0b7deed4ac0

    SHA1

    4b30315e039e25b9e151ba781ef3a2ac4565c4ee

    SHA256

    6cf323f999675a9c173d0a7f192a1ce65983fe97848fe5b6506971f8bdd0368b

    SHA512

    a95f12ec718ace9d93b1bd3e37d020f68f128d11f52f12ca2cf77fdef81e17bec1b510fc100a47007bc589f2547ade881bacd60e64ea44b1ca9887071d5967c2

    Download Submit

  • C:\Users\Admin\AppData\Local\oxcdhltwypwbqcwsvenstxbjmo.mrg
    Filesize

    280B

    MD5

    1288be451686fd77aa54351904a6842a

    SHA1

    eaab7f1c80e54a9d4b49ca577dcde4013cdb6e78

    SHA256

    51133b94ac78c4822e306658fc135c7cbad99514d195d91d5aef69f2e98b21e3

    SHA512

    15cbe397e6fdf2ec7fd968f89ba282121b6fb1db5c0d77107cd2b7aec684740e567c1eb7735ba714a636fb4da7215927beb8025f1aafa0a077f44d684aaba37b

    Download Submit

  • C:\Users\Admin\AppData\Local\pjzlapiwjldttqvcqkeugvkdregyoolqxlfzp.qfy
    Filesize

    4KB

    MD5

    9bac2d5aef9bfff36d4ea2eeea47c6b3

    SHA1

    1b80bd80223d1aab2a31b71e19ddda6ac38f1152

    SHA256

    2212acce6439d50d1a07178b68bdce1d17ac9ecf13409fd1412a4b1b326ae5be

    SHA512

    74d77c5b713fd7ef7627d6d1f79d53438806639a74cdc15b621afb6e51a6fe0b0937d9187e344ed886b01363e725cd9b8e0639b33c7916d3fe2df348ea644cc1

    Download Submit

  • C:\Windows\SysWOW64\khaphzvmchcvyygqhe.exe
    Filesize

    644KB

    MD5

    b571cd68c97f16598cd6a75f9c68e471

    SHA1

    e9140a31d28af6033dd9e58f73b2e1891dafda6d

    SHA256

    dc1b07a52af475827944cf1bdd0c8468fe428e5cece300227ca3c54ebc5e3e65

    SHA512

    3b348101ca228acb557dc851d4192ea71aad03fc50298e494c464148b8a4170724e297381b92d4f1a6f5d2ad1a9712ba4b7175986e4d965bc6ce46e9119ce53b

    Download Submit

  • C:\Windows\bxpdulgwlpjbdcjsi.exe
    Filesize

    256KB

    MD5

    842c85b203e7ab672e286ecc52f76076

    SHA1

    7775c72613f530f6a247f8d0fdac4134e40f2991

    SHA256

    4bebcfc259fc9d0cade01c56aa0f9debd166256140c56e24889fcb751575d0d0

    SHA512

    c4eb7a68f332e746c680229994bb3c57a59ace41b95068223c21074ebfec6e9399e123cf49e8ffe1d9d5023b4cbf806d33d9d6eb7355a13c130fb91bc630896d

    Download Submit

  • C:\Windows\ihctnhfyqxupuwgslkje.exe
    Filesize

    204KB

    MD5

    6e842d944e38b8b8b054e52b2a1c4b3e

    SHA1

    1a1d931500db39db82e87410daaca12f80b1e484

    SHA256

    673d33c0f11a5280a6761aadfaee337ec055f357830d385cba51a38bd40a1a14

    SHA512

    bdb9d9d5a3b5708f1cd892cac3b95801dcc6bb291d83181db53382cd5a76bf1f403cee6a722915a473683214ca04cec932607eed84a87fd49e40669bdb9d983a

    Download Submit

  • C:\Windows\khaphzvmchcvyygqhe.exe
    Filesize

    267KB

    MD5

    2d17aea069b6a964340f0f7c5c8b6552

    SHA1

    ff7c0a4c6bcd05dd75257c61d9978231b2bee872

    SHA256

    c5d83bd4091aeb9b433c0c0c3152cdccb14c2566ca8268847d4db9a7d76cdad9

    SHA512

    06baaa4ad7809628c607a267314993d17348519ec26c203afbe5414dc1aa0f4123d21f9cab6ddba0d3313000173092c3efd94d5134899510f1c2a93fbff504f8

    Download Submit

  • C:\Windows\opmfbxxsmvurycocxyzwpl.exe
    Filesize

    467KB

    MD5

    a6fdf8f567ecc72160c5b3f699ebf34f

    SHA1

    f72446606e4c76da53569a6507fa3e60e3c4141b

    SHA256

    1509b5d75eefe84a32393d763da0ec8f3bca65f8988e6508a6e3aace6e9eeb48

    SHA512

    176ab03ce039cc55f71caf2f8144d94c115c3ee290e37b6c78f3f22ae34bdf992a00e6979dcb76c3d68ed2ce082713e3d1830aa61473b13ed8c791e2d6431b91

    Download Submit

  • C:\Windows\opmfbxxsmvurycocxyzwpl.exe
    Filesize

    300KB

    MD5

    6b8275b01a0e1a0b2e3387d715270eed

    SHA1

    67a9670ba867459fbfac8ccf5d77f26853f61586

    SHA256

    1a650d89830e24b2f99f846c55574c3281853386197c2ab1fb705ee584adc377

    SHA512

    6cddcb060832403dfda6f78fc0066302b9c27338c10a015385130da31b7bbbfecef8c018e9eb973326f029c23633ed8e28aea68ae68941711a78ff627e9b2a59

    Download Submit

  • C:\Windows\upgtjztiwzsjkiow.exe
    Filesize

    320KB

    MD5

    4866c43862059f5987ff89abef36ec0c

    SHA1

    bb432ce3d40065a40c8ded41269ba7232b1e5eae

    SHA256

    97a0ab0792f22efc4eac75ec747ea34b74db4422ebc51a6573a007e774309b48

    SHA512

    d66a159e205e9c0879b60af9481341f18ce8b95445e9f5c6dc0964e98998253407c3edbc1a595c4ffd406f53a85de23297bacf9ab77bbdcd97b0a5a1a691dad8

    Download Submit

  • C:\Windows\vtndwpmevbxrvwfqige.exe
    Filesize

    384KB

    MD5

    3f472e503d6a0df955af258d4f45fb7f

    SHA1

    23c3899e7ea18bfe93a5fc53a4e3086b83831134

    SHA256

    aff3e2ba588d90d5bd97f6960ed7df3d0932b685c58a15ddcb22da2849722734

    SHA512

    bed5b9f60441533092407114577a6a5a49adbe3f5127d0cb209b33e31dddcda2fbb3d9f029c8fa4fbd68c16bc430721c500128c8d91e74127cb276dac5ec7d9f

    Download Submit

  • C:\Windows\xxtlgbaunvtpvyjwqqqme.exe
    Filesize

    310KB

    MD5

    ed53c756ad3974ce991e35aa1e5fde6a

    SHA1

    2da93df2c4f6d755390decbb7f16dad5c7ec6960

    SHA256

    15d79dafc00396f3ad03bdd7c706af66a2d98aa16f14c7fafc549a805332991a

    SHA512

    494c5d2eeccf127d16894f7a0eac30f01ff8dcfa1db53b370bf19aadce9475234861d8f0e0106caf71b2d0518dc33150e1ec32463090acc66178b8c176cf19d8

    Download Submit

  • C:\Windows\xxtlgbaunvtpvyjwqqqme.exe
    Filesize

    319KB

    MD5

    9da792058a33683b8fc4723598ca7ef3

    SHA1

    71358437f44c4ed80a9e2d1e52c5887aa545a60c

    SHA256

    9633e5fb97fd4fdb59ca048a12406d95c8680a887ad1680444541301edbf9f28

    SHA512

    5a78843c2df2c9f82b202df02f4ab7a7d89fe7313d16f0b9443ca510bc678a9416ed6fee1b2f34c5ba577166c3dc4c50f555d23d82b137920f94625d447b81bd

    Download Submit

  • \Users\Admin\AppData\Local\Temp\gugcvwzjqeq.exe
    Filesize

    320KB

    MD5

    4dd2521e06dfa5ab3d122ff9d72ca9f7

    SHA1

    86e1b1b3ce06cd51dd28db1dbaba571c8bc433a8

    SHA256

    b439461ca0a9a58a3d784d31cda91ec7a1e8c5561c4878daaf968f0092b8bef3

    SHA512

    914709ed90f28ddc6115ce2ded4a8b8f531676300402fabc366ece636f4c65961c269196f42dd73f339b5a42b331135eeecbd6cfac63812560fb7739485ac995

    Download Submit

  • \Users\Admin\AppData\Local\Temp\vhptahs.exe
    Filesize

    712KB

    MD5

    48f3ac3a7c0fb727301ae4e39be97d71

    SHA1

    8523a207b728c44ce0b76aa2ebfa67a51b4feccd

    SHA256

    3c377c559eb1628f1a066ed88e5f65fde402498eec154a5e7e55f85f3ef521cb

    SHA512

    e36d5c9a5b46d2017b93065ec3fbb638f3a42166c66bade497ad129b783c68f81c5d674142bd52e235b830616167ed7fa06bfb2329d9ae7fca5c64efb1133640

    Download Submit