Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows7_x64
  • resource: win7-20240220-en
  • resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted: 31-05-2024 03:31

General

  • Target: d4aed79ddef563c220244e18d78ef02001992d155fd4a9ffd390c1b79243ab37.exe
  • Size: 5.9MB
  • MD5: a0fa87eb1932bed5a9c9d3688705e0b9
  • SHA1: 63b7118221989b4c9c8b599d130cd69edc20b202
  • SHA256: d4aed79ddef563c220244e18d78ef02001992d155fd4a9ffd390c1b79243ab37
  • SHA512: 85a84e59ad3a125854413770bb36659e9253250cf41f797bf82a73bf8ad6229cc838cbe4687973d36eab26e3a4afbedf03d17fad0cccca378ba0411f4985690a
  • SSDEEP: 6144:f3ue8ySm8hQAAIfFrRXuEE+0l97mKwKQXqHVv86JQPDHDdx/Qtqa:9/zkFF+EExZmKbyuVvPJQPDHvd

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
  • UAC bypass (3 TTPs, 12 IoCs)
  • Adds policy Run key to start application (2 TTPs, 28 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 64 IoCs)
  • Checks whether UAC is enabled (1 TTP, 6 IoCs)
  • Looks up external IP address via web service (4 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory (4 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (8 IoCs)
  • System policy modification (1 TTP, 39 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4aed79ddef563c220244e18d78ef02001992d155fd4a9ffd390c1b79243ab37.exe (PID 1972, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d4aed79ddef563c220244e18d78ef02001992d155fd4a9ffd390c1b79243ab37.exe"
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • System policy modification
    • C:\Users\Admin\AppData\Local\Temp\yahscfk.exe (PID 2920, depth 2, child of PID 1972)
      Command line: "C:\Users\Admin\AppData\Local\Temp\yahscfk.exe" "-"
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
    • C:\Users\Admin\AppData\Local\Temp\yahscfk.exe (PID 2628, depth 2, child of PID 1972)
      Command line: "C:\Users\Admin\AppData\Local\Temp\yahscfk.exe" "-"
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • System policy modification

Network

Downloads

  • C:\Program Files (x86)\cyzeifeefkvgzjovmguqrwa.wwx
    Filesize: 272B
    MD5: 2dba2a9ac456f3c1daa81c4dbdc988b1
    SHA1: 218ac8a91557eb28723fa05b38bf9e0e92c5d490
    SHA256: 3bd3db10ee2ab02b615817b561bbed5ba5c836d51c4ea4827057900370ed4135
    SHA512: 2b2d35394fd79523fafb40a52f8e3e656967b594b55464796a4c2a7f2afa849afb94e5ee2ee188ab9ebe2a25ab107d51852be4479f9252ce3c9666e345bf00ed

  • C:\Program Files (x86)\cyzeifeefkvgzjovmguqrwa.wwx
    Filesize: 272B
    MD5: 31fe9b84e11aa4e119a9f395b174ea74
    SHA1: 2d5e9b1b201502d4a2aee29d17980a9a6be628da
    SHA256: 78f90117dc69ad8a4f4183062dc55fb3ea13c024c6d3fb79af6d35eb6b4f9f2c
    SHA512: 664c9ce3b449771a92a7b6ca79bcc50aee13f968dcd8ae58ac648393b9acd1edc2dd51b5005af16b7da920f4dfea88d03e09ab3518e3c285c4b85fc2b3253999

  • C:\Program Files (x86)\cyzeifeefkvgzjovmguqrwa.wwx
    Filesize: 272B
    MD5: 70644156916e60677f24abc5486efc07
    SHA1: 75c34fb6e70e3d65f9b792a1482e2f67a2629685
    SHA256: cd7de487a048ecb8be21c7d054f2d20939095907693fc4e9e90ffa1802b0012e
    SHA512: 945ed490690acf0ed764cb059a468d49b1941afd131b2a706ef0f8f7c62dafb93722b604fb8b81a93831ecc45568a248071aa7e78a57bc0e6db574b90889fa5d

  • C:\Program Files (x86)\cyzeifeefkvgzjovmguqrwa.wwx
    Filesize: 272B
    MD5: c9482244df4d2259174621a4819d6b96
    SHA1: 0282bb58eaa808fe7e9c2fc4a62d39e207215c6d
    SHA256: 04154bf4c02e441794cf57ee15fab107ec83d243bf05d4f6e902999601eeceac
    SHA512: f76728d37f3006009825e438c194567aff3b545f65d999e0dddfb0e816dd463b11f9f23d0974b3d721d6b48d31360435c8115f20302255ebb3bb2978d4dfcb2d

  • C:\Program Files (x86)\cyzeifeefkvgzjovmguqrwa.wwx
    Filesize: 272B
    MD5: 87f1caf16187aece956ba5e79876e2bf
    SHA1: 5dc2d581a198262e84bd7bad565c69bcfff89d73
    SHA256: 5b46a1f51a749cdbaa3887a9ce299a283e6ac60ca4d044ac4bcaa2d006002dc3
    SHA512: 91cf304d2faa50bf72c6cc99d9d1ab07686afa54d4dd248abf0fde3cd1ec0c37961df448ce997f858c0d64718cf54f4b4a399cce5f4cab1d525e29fdee5d961c

  • C:\Program Files (x86)\cyzeifeefkvgzjovmguqrwa.wwx
    Filesize: 272B
    MD5: 5983e5b116f5c6880c0519e8ccc3d9f3
    SHA1: 45ae265df21689f73b337fe5e1f9f563f44d63f8
    SHA256: 5ac077c2a996635058237d7b2f58edd99d06fd3d3046cdd3ca974bdc3b176dd5
    SHA512: 6caaba6df54d8baf95681a9bfe1f37f86169c229c2f172d321cb6455e383f589b965b03f8873afbc60aaeefcbd3590540da624ddc55305809aa3f2c767f2ec35

  • C:\Users\Admin\AppData\Local\cyzeifeefkvgzjovmguqrwa.wwx
    Filesize: 272B
    MD5: 35fcca6431a86f94e89610b0986689de
    SHA1: 2742a9a2a07531e581189569b547797a8f5c2617
    SHA256: 1c37a1508da0394b9f4ee6043ecd52cc90e2f3a02c84aa55e65c55617705625c
    SHA512: 5b5a96eefb590e432856d1e5e21bf90304d59d9acdb8302fe380eaafec348fb1dea293a30e9849f4037a9b627e91e84eea97c5cd4632133be2317937349468ea

  • C:\Users\Admin\AppData\Local\cyzeifeefkvgzjovmguqrwa.wwx
    Filesize: 272B
    MD5: 73a40e9609cc66eb30ffa3b7ba2244e6
    SHA1: 1b6aa0c461d9dc61b3e25ef0205ab496ac2e2c99
    SHA256: 4f6eb0f22d80b337255ca6053a4c24f48b0f566ec3ce454380cebc38dd251c50
    SHA512: 9187001d7dddef4e4eb5f2d832d7f1c8b308a45000be0b56aa19bc33961aa01f783f752ceccbb2aa58a08199e30f964097b0af7b194493d818ee5e713c25fc01

  • C:\Users\Admin\AppData\Local\pwiynvfqcsokojzrtyxeqgvdnykawswrhz.gfm
    Filesize: 3KB
    MD5: f2a1eb69fd78a3b82e0240ca27b0fa14
    SHA1: f290a241d777a00f4e13d188305bac4b7cdccfd8
    SHA256: 27fe36306e13064d71f22fdcb3b468f28449029262c99241538191cf5b238f63
    SHA512: 8635812942039b415b2ab2cb5cc34bce4b543e0ce5f883e4d33298e79b4b20b6bec35bd5d3b8cb5cf3fb9b71c1f5b20d2bd277d6e5de83acae67cf026ec5f9b8

  • \Users\Admin\AppData\Local\Temp\yahscfk.exe
    Filesize: 7.7MB
    MD5: 298c6369fccfb12dfdb180e0e7477ab5
    SHA1: 13d5504bd2f2b7ce3f3132ef7dc7b68c681a7b5b
    SHA256: f8fcc3c71a5dcd3fab0e3135aa55be3dfe96893b6edd36ed7693c360fca4f103
    SHA512: f94f4944e1b47f41a2c7fef5075b5c172cf11056482d376deb8f02de1bff8277089f63e41c20123c614ec7c222d44ab7622369a51f333e5a4a8e39a0462fd753