Overview

overview

10

Static

static

3

53c5e8dd4a...17.exe

windows7-x64

10

53c5e8dd4a...17.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 23:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    53c5e8dd4a49773f95c6b60d4dd7e0ef9f066be6a3146f961c59e16b59c60217.exe

  • Size

    24KB

  • MD5

    021feaa6171ab07bc0ed1e098382c800

  • SHA1

    bd7bdf1b497f0e5bba520f3898c2fdc3edcec1f5

  • SHA256

    53c5e8dd4a49773f95c6b60d4dd7e0ef9f066be6a3146f961c59e16b59c60217

  • SHA512

    be1afee36378daee17ba2681d5dbb7a279c6a9e06486d6175479d0e91b68a9796780fcbf8e4a1e3c1589b10c8ca8b5228638baae6142903ad8b1912912c987e2

  • SSDEEP

    768:jIUWqeC/juNK4QPv71sL83w/0nIqM0ejXIt:jxKNK4271syw/g

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Drivers directory 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Sets file execution options in registry 2 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:436
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1204
        • C:\Users\Admin\AppData\Local\Temp\53c5e8dd4a49773f95c6b60d4dd7e0ef9f066be6a3146f961c59e16b59c60217.exe
          "C:\Users\Admin\AppData\Local\Temp\53c5e8dd4a49773f95c6b60d4dd7e0ef9f066be6a3146f961c59e16b59c60217.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:1812
          • C:\Windows\SysWOW64\rmass.exe
            "C:\Windows\SysWOW64\rmass.exe"
            3⤵
            • Windows security bypass
            • Drops file in Drivers directory
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3048
            • C:\Windows\SysWOW64\rmass.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2520

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\RECOVER32.DLL
        Filesize

        5KB

        MD5

        2b2c28a7a01f9584fe220ef84003427f

        SHA1

        5fc023df0b5064045eb8de7f2dbe26f07f6fec70

        SHA256

        9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb

        SHA512

        39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

        Download Submit

      • C:\Windows\SysWOW64\ahuy.exe
        Filesize

        24KB

        MD5

        06efe054636a82e1e7a9d69f5d307706

        SHA1

        c2a0d2591d9ff9b67ce3e19372a83d8082b85cc5

        SHA256

        1d255de92b1e5266a2ef741619824d08baa519a17f0e1ca1cddad10021890630

        SHA512

        150b7502b30eef7534586fcf55dc0a678884b25ecf20c64b0aa5a39f931a980ba9d830844c2a166a315ae15d9fbd28d5c8e7b567a4417678160ca8aebca784db

        Download Submit

      • C:\Windows\SysWOW64\ntdbg.exe
        Filesize

        25KB

        MD5

        b3fd9a0447f7580e1e4c4cfb57992c83

        SHA1

        86506f7d47bd012dc37aa1ee3896a11bcb128782

        SHA256

        11cf1acd7b33825039029b742cb3ad2cb25bdef3c08674b07d7d674fbe1f95f7

        SHA512

        3ac7ab681e009a750a04d9c261ed50792782200a20234d394a43c545dd2ed016caacad1d9e9a3e709e2a5d6b6c4ab956b32c9f44714b6536e8ec97fd9429dfb0

        Download Submit

      • C:\Windows\System32\drivers\etc\hosts
        Filesize

        1KB

        MD5

        b10b13206b0f2cf3968050072f6979bf

        SHA1

        699db21ba9cecf3f13ac3d76e22cfa41aa94da80

        SHA256

        0eef3217095cb97b695c434e74d6314bf9e869a013d6e9c88e58c34576a276b4

        SHA512

        d33bfd931be6676539507a69101d99fa4c5ef36b12422bd11f063b9b6a47b7444f6c4ad5f35e044714fdb872e96cd9fddf049e8329af1219483887f6ac5f4a5d

        Download Submit

      • \Windows\SysWOW64\rmass.exe
        Filesize

        22KB

        MD5

        c46ec2273a24210e8fdae87474f7fd99

        SHA1

        4d2115eedd04e1ecc48d3d59427c834716947f44

        SHA256

        495e114955e1db035bc4ca05e76acc4a19331abb2e751388c91cd086a5f9a1ad

        SHA512

        72eea4e531f00409cec80fd40c0dba0d3f03eafc03a61839e5a52d4fea48af9af8c1d9d4dd7e63d3681563e8de4cd248ca2d234e6d4036e4a3bb396e9535a33e

        Download Submit

      • memory/1812-2-0x0000000000020000-0x0000000000031000-memory.dmp

        Filesize

        68KB

        Download

      • memory/1812-8-0x0000000000400000-0x0000000000403000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2520-22-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3048-10-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3048-56-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download