6494d4601f8295ce192b823b2b3dd0bfbb8c414dcc63cd59b16d0012bf4630ed

General

Target

c85f79e3fe3ac30b84152bd6931c9b0e.exe
Size

85KB
MD5

c85f79e3fe3ac30b84152bd6931c9b0e
SHA1

4abfa836b6e74202060bc65c41e1d40b279d0777
SHA256

6494d4601f8295ce192b823b2b3dd0bfbb8c414dcc63cd59b16d0012bf4630ed
SHA512

73b40b55529b993b2b7bb688bd39337e781302450e153813fe28f1a37327d56c8fab6508f7ab3d6f65ba09d2718deecca73389bf940f7f4b685e8e5b1ab55bce
SSDEEP

1536:CyMClXdmNwdyHAd1y9Lm0Uz74VK26KEf95qbOf:1MCxdmNbADM60OUVRHE2m

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c85f79e3fe3ac30b84152bd6931c9b0e.exe

Deletes itself 1 IoCs

pid	Process
1748	rundll32.exe

Loads dropped DLL 7 IoCs

pid	Process
2040	rundll32.exe
4628	rundll32.exe
1748	rundll32.exe
4628	rundll32.exe
4628	rundll32.exe
2040	rundll32.exe
2040	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\whhfd028.ocx	c85f79e3fe3ac30b84152bd6931c9b0e.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\whh35018.ocx	c85f79e3fe3ac30b84152bd6931c9b0e.exe
File opened for modification	C:\Program Files\Common Files\whh35018.ocx	c85f79e3fe3ac30b84152bd6931c9b0e.exe
File created	C:\Program Files\Common Files\0E5766D8ce.dll	c85f79e3fe3ac30b84152bd6931c9b0e.exe
File opened for modification	C:\Program Files\Common Files\0E5766D8ce.dll	c85f79e3fe3ac30b84152bd6931c9b0e.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2040	rundll32.exe
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2040	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 4628	2092	c85f79e3fe3ac30b84152bd6931c9b0e.exe	87
PID 2092 wrote to memory of 4628	2092	c85f79e3fe3ac30b84152bd6931c9b0e.exe	87
PID 2092 wrote to memory of 4628	2092	c85f79e3fe3ac30b84152bd6931c9b0e.exe	87
PID 2092 wrote to memory of 2040	2092	c85f79e3fe3ac30b84152bd6931c9b0e.exe	88
PID 2092 wrote to memory of 2040	2092	c85f79e3fe3ac30b84152bd6931c9b0e.exe	88
PID 2092 wrote to memory of 2040	2092	c85f79e3fe3ac30b84152bd6931c9b0e.exe	88
PID 2092 wrote to memory of 1748	2092	c85f79e3fe3ac30b84152bd6931c9b0e.exe	89
PID 2092 wrote to memory of 1748	2092	c85f79e3fe3ac30b84152bd6931c9b0e.exe	89
PID 2092 wrote to memory of 1748	2092	c85f79e3fe3ac30b84152bd6931c9b0e.exe	89

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c85f79e3fe3ac30b84152bd6931c9b0e.exe

C:\Users\Admin\AppData\Local\Temp\c85f79e3fe3ac30b84152bd6931c9b0e.exe
"C:\Users\Admin\AppData\Local\Temp\c85f79e3fe3ac30b84152bd6931c9b0e.exe"
1⤵
- UAC bypass
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2092
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Windows\system32\whhfd028.ocx" pfjieaoidjglkajd
  2⤵
  - Loads dropped DLL
  PID:4628
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\0E5766D8ce.dll" m3
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\whh35018.ocx" pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\c85f79e3fe3ac30b84152bd6931c9b0e.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\0E5766D8ce.dll

Filesize
10KB

MD5
f1f49fb85ab029ad86c02ebecb892b12

SHA1
664a602f8e843218c1158571714cd0adee1da939

SHA256
f8f3abcf8d43377b49d1edce23a667c9efd9cde86e9afee228e8c3b093013f13

SHA512
600810f5a23067afb483b2fb5cd980c817d1b79da7fd7c5183a2d76f3546c514256f5536791abd4ed4b949518c63ab7c55df3e9b9109df2681fd3df10dbd2673

Download Submit
C:\Program Files\Common Files\whh35018.ocx

Filesize
55KB

MD5
ec8f806d39f35dcebf7fe3260e1c3a46

SHA1
fc882094d1a85869114a0b98f523a827cedea029

SHA256
111c41829c388f780384d234469e326524fc30b740a540adcc3d9a1867fd71e8

SHA512
4efd16e91a9ddc927d2ee16df6b6c484d28d56bce27342f5e6dddfe7777d742fc51d91f3cc9edd20b55bf0d5ff493b6924705787ea6911faad093ff5386a5ba7

Download Submit
C:\Windows\SysWOW64\whhfd028.ocx

Filesize
14KB

MD5
90eb3aa19541b367388fd5f79ae5d36c

SHA1
7b80f7ea7a2dfe4baf43d1940e6f5f29af544427

SHA256
9a3ad8dbda43a10f7856a0c22a8bdeab6d20cc5f81f72b08a182ae794c2b21da

SHA512
748b0366ea4f33e8f1776404c3bf1abf6d7b685edc8ae8d5cd199225d87a0f81cea47218280421b9cf2356a9fbc3ac80a9279f5d4e584575a138b0063e450b47

Download Submit
memory/1748-21-0x0000000010000000-0x0000000010213000-memory.dmp

Filesize
2.1MB

Download
memory/2040-20-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/2040-19-0x0000000002990000-0x0000000002BA3000-memory.dmp

Filesize
2.1MB

Download
memory/2040-23-0x0000000002990000-0x0000000002BA3000-memory.dmp

Filesize
2.1MB

Download
memory/2092-0-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/2092-7-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/4628-16-0x0000000002050000-0x0000000002263000-memory.dmp

Filesize
2.1MB

Download
memory/4628-22-0x0000000010000000-0x0000000010208000-memory.dmp

Filesize
2.0MB

Download
memory/4628-24-0x0000000002050000-0x0000000002263000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads