Overview

overview

10

Static

static

3

075657e65d...44.exe

windows7-x64

10

075657e65d...44.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    130s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 04:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe

  • Size

    9.2MB

  • MD5

    d55b0be7279cf572706d2080a215f44e

  • SHA1

    3e32f7ecb9531d3b91be679d7b3c2adeabd3afb0

  • SHA256

    075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44

  • SHA512

    e15e656a9c5288696cc8f8a58353879cfc5d1b10c683fbdb2b2101830e1b16661ada23b03428db84b2b47d35acc379f5838272088d69aa999505d1fbb4eb6b22

  • SSDEEP

    98304:E+k7QDw+PcYq5LnYvacmm1xAWewWAWUlWJwSb099Pi8bh9x/NvBaudEGst+g2lfE:VktBlNChWX8bp/Bq6YAOjLcTH8kc

Score
10/10
evasiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe
    "C:\Users\Admin\AppData\Local\Temp\075657e65d4a6aa13e9c6f758c96c11c18b29f330ee8e30ac3763c47aa1bfa44.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3384
    • C:\ProgramData\rr.exe
      C:\ProgramData\rr.exe -y x -pFASJKLVFDAJKLCDSA434JKLFDS "C:\ProgramData\playtomenu.jpg" "C:\ProgramData\"
      2⤵
      • Executes dropped EXE
      PID:3576
    • C:\ProgramData\playtomenu.exe
      C:\ProgramData\playtomenu.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4040
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c delself.cmd
      2⤵
        PID:4556

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\playtomenu.exe
      Filesize

      4.1MB

      MD5

      684fdaae316e5f59baa6f69f5bc2526a

      SHA1

      958061cff425622da5bf931f7ffdd22a1f784763

      SHA256

      17f875b64eedb6ed608cca84e3d9804c947e7200c294b3ff5f91568e35a0d2e8

      SHA512

      7eca3352b7d4195c3f793db86ad9a98cdcbd2aff55e94cc1dccc754a8e84bf2eb9d13e991c672d08a162dbc01f9a9d7bcb873f1446147e77dbbdcecafcbd51c1

      Download Submit
    • C:\ProgramData\playtomenu.jpg
      Filesize

      1.7MB

      MD5

      c2348c7e8ac7e2812f7967c126918b90

      SHA1

      626bb46101ccf131d6981f338cd4b4edcf76ca31

      SHA256

      40eeb9683bfd6ce4bf7e3bd836ff9beb2838a6afbd1ab9a149d9ec9c5f5d9a8f

      SHA512

      74270cda47170f3f92fc1688c3fbc2c8f6ecc1b2b2c45016f00e56989d0f256eab6b354fea253e2045b56952ef665805ab51611d54a53e3bd61ac8d558eede11

      Download Submit
    • C:\ProgramData\rr.exe
      Filesize

      572KB

      MD5

      f2ae502d448cfb81a5f40a9368d99b1a

      SHA1

      f849be86e9e7ced0acd51a68f92992b8090d08a5

      SHA256

      07ad4b984f288304003b080dd013784685181de4353a0b70a0247f96e535bd56

      SHA512

      9f3aea471684e22bf9fc045ca0e47a8429fa0b13c188f9c7a51937efa8afcec976761b0c4c95aed7735096fcc2278bbd86b0ab581261a6aff6c694d7bb65e9be

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\delself.cmd
      Filesize

      124B

      MD5

      3f63e6c3289af1d2aeda8834892aef65

      SHA1

      232387cf64358f0ce36b8baf4498674c70dd0067

      SHA256

      ceb47c961c03072b61e2ee0640787bd89483ccfa9691161cc3c200be9f134291

      SHA512

      090c4bd50a68d9bb8f43d5aeb4228b9cf0d2b7467818a16597a8ea0bbdbb0ac0084901ff46f11adecace84a7a2d0899a210b32e1be4f442acb8f314d3e582c65

      Download Submit