Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-03-2024 19:58

General

  • Target

    253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe

  • Size

    4.2MB

  • MD5

    873c6264052761245df6b117738ac825

  • SHA1

    855b7550370d5e7ae1e530d1b99cd1103fc0b626

  • SHA256

    253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5

  • SHA512

    9a8de1df29aa30f86f1b7bd6026b861749828c36c44023ee2ae8d3e5d53ca4561a7d45df34e39caf2deb729698f90bd80f29abc814f33aedb13a4fae7491f698

  • SSDEEP

    6144:8cFvrd1rWkNYiclkBw1x42dy8r1YA+ycK23+86JQPDHDdx/QtqV:d1dCicWy1xFc8r1N+ZKlPJQPDHvd

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
  • UAC bypass (3 TTPs, 12 IoCs)
  • Adds policy Run key to start application (2 TTPs, 25 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 64 IoCs)
  • Checks whether UAC is enabled (1 TTP, 6 IoCs)
  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory (4 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (8 IoCs)
  • System policy modification (1 TTP, 39 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
    "C:\Users\Admin\AppData\Local\Temp\253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2968
    • C:\Users\Admin\AppData\Local\Temp\zhmwejr.exe
      "C:\Users\Admin\AppData\Local\Temp\zhmwejr.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:1712
    • C:\Users\Admin\AppData\Local\Temp\zhmwejr.exe
      "C:\Users\Admin\AppData\Local\Temp\zhmwejr.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • System policy modification
      PID:2296

Downloads