Analysis

  • max time kernel
    150s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-05-2024 03:31

General

  • Target

    d4aed79ddef563c220244e18d78ef02001992d155fd4a9ffd390c1b79243ab37.exe

  • Size

    5.9MB

  • MD5

    a0fa87eb1932bed5a9c9d3688705e0b9

  • SHA1

    63b7118221989b4c9c8b599d130cd69edc20b202

  • SHA256

    d4aed79ddef563c220244e18d78ef02001992d155fd4a9ffd390c1b79243ab37

  • SHA512

    85a84e59ad3a125854413770bb36659e9253250cf41f797bf82a73bf8ad6229cc838cbe4687973d36eab26e3a4afbedf03d17fad0cccca378ba0411f4985690a

  • SSDEEP

    6144:f3ue8ySm8hQAAIfFrRXuEE+0l97mKwKQXqHVv86JQPDHDdx/Qtqa:9/zkFF+EExZmKbyuVvPJQPDHvd

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • UAC bypass 3 TTPs 12 IoCs
  • Adds policy Run key to start application 2 TTPs 26 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4aed79ddef563c220244e18d78ef02001992d155fd4a9ffd390c1b79243ab37.exe
    "C:\Users\Admin\AppData\Local\Temp\d4aed79ddef563c220244e18d78ef02001992d155fd4a9ffd390c1b79243ab37.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:5000
    • C:\Users\Admin\AppData\Local\Temp\uflreho.exe
      "C:\Users\Admin\AppData\Local\Temp\uflreho.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:4572
    • C:\Users\Admin\AppData\Local\Temp\uflreho.exe
      "C:\Users\Admin\AppData\Local\Temp\uflreho.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • System policy modification
      PID:1468
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3980

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\uflreho.exe

      Filesize

      7.7MB

      MD5

      268199728a4aa6b596f40f162b3afdcd

      SHA1

      5240fee86e4f232e98ff7829b755f770288348de

      SHA256

      a0bcbaa337f8d6ba570b2214611398678fce1a724fd71a628a9d703c13cc291a

      SHA512

      b6cf1f1a2849a2959b324fb410f0c4dc61504409a569c62d3472c25a5d0b7b702ba1ce9c1bd5d8a1369bb24018d642fe34908c7c12a68908ae2b3e441c45f87f

    • C:\Users\Admin\AppData\Local\odnxovgqfjkpduzoxoetdnelwgvzaftkp.neu

      Filesize

      3KB

      MD5

      ba7a3e3ff4873733e4505676eeaa845b

      SHA1

      741590d88ea5d850dd9cada06c8fc0990eea2a41

      SHA256

      72a08489b35f6c68e0d5d793f1ec86ec6fb932d52c9eacffb8335e25284e6784

      SHA512

      1c7b25f01e0fc3b6d76320c39b4209e00cbf1b397644b5c03d856fdb9c3609476b5a82abcd8f847eb842e6d1ceb64309b3ad1aef0e588db3de7f4016787c4546

    • C:\Users\Admin\AppData\Local\xbazfbbaexnhkqkomsxbaz.bba

      Filesize

      272B

      MD5

      46597347aebac97771df74788b2d50e0

      SHA1

      b6a35886d04814adc42c93c47d7dc607e2a6248b

      SHA256

      610f57a16b5c9ddd1ca3db993d389630f845eb2909336108805c3d92de112d14

      SHA512

      7abbd22c914d0e80f63a535a67390d886b37ac954961557fdce9e4034480dc97c744afe2e60dc111c33e5bb2da4f1fcbf3d189bd5d3659a911c3d7989a0465dd