Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 04:05

General

  • Target

    d1111a5279e29e5dd55baaee3c766d86c7f560f8873f124bc1cfcfe3f0aeacac.exe

  • Size

    73KB

  • MD5

    9fdedc26a459559813da9708a67a67d2

  • SHA1

    384a6098d0fc88462828660efe73fdfa6af50f33

  • SHA256

    d1111a5279e29e5dd55baaee3c766d86c7f560f8873f124bc1cfcfe3f0aeacac

  • SHA512

    d1f402438b2cdf9e1fd82a59f5b03272acde2c78c40a704e90107982e898f620d66eced5028d53e35fac93161922844f507c7a0900fa4c786bcc971e2e68ddcf

  • SSDEEP

    768:x/nQODtOgZwPeS2oyrw0U/Q7/PM8ee+YLVrvgA4R+Fy0u4ETZC6oLclNLqEntgtt:xo62PVOUY7/2efJDtuZ86LNtG5Mip/

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Sets file execution options in registry 2 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1072
        • C:\Users\Admin\AppData\Local\Temp\d1111a5279e29e5dd55baaee3c766d86c7f560f8873f124bc1cfcfe3f0aeacac.exe
          "C:\Users\Admin\AppData\Local\Temp\d1111a5279e29e5dd55baaee3c766d86c7f560f8873f124bc1cfcfe3f0aeacac.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:1728
          • C:\Windows\SysWOW64\alponuv-idid.exe
            "C:\Windows\SysWOW64\alponuv-idid.exe"
            3⤵
            • Windows security bypass
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:300
            • C:\Windows\SysWOW64\alponuv-idid.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2528

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\adberob-ecum.exe
    Filesize
    73KB
    MD5
    6a855b0589a940f967ffe5ece7cbe9b5
    SHA1
    8be134aeaf257598964f888cfa7a83fed799c9a1
    SHA256
    c422f71e89e9316f4726b39c6901e2fcc79b1f769b19b0c0cee5a3db13e5eee7
    SHA512
    dbc55809d211b7351ac73a716f66e99fe6d962cd23875debcb3a4575907d408366085a582867af4a824d1882dd64316d151fbbc37c46f3d2a0c4d1320c87b420

  • C:\Windows\SysWOW64\ohcegis-fat.dll
    Filesize
    5KB
    MD5
    f37b21c00fd81bd93c89ce741a88f183
    SHA1
    b2796500597c68e2f5638e1101b46eaf32676c1c
    SHA256
    76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
    SHA512
    252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

  • C:\Windows\SysWOW64\uctoarer-edur.exe
    Filesize
    74KB
    MD5
    e51de5b598cba09f434c69f5ad996a5a
    SHA1
    4f62e0ae3f047e7e77ac6b3b2d6bd37f779effe3
    SHA256
    52ba1523099f614fff0e5867e18f780bb1f7c3640cbeef98648e5faeb1b70cdf
    SHA512
    a10a3d02472aa36ec6c23ef49d0b89e734c1ad09cde84b67cadde8f7af9954634e3e17d2f7d84a17a6edf5b07c7ea2044a4a78ea016d9f7abdb5027364fa6626

  • \Windows\SysWOW64\alponuv-idid.exe
    Filesize
    71KB
    MD5
    958447be18cad6ab706beccbcac3c73d
    SHA1
    40c28166e023723370a9bf116119c092f92bdd84
    SHA256
    d91aa0d4b40163b9c81d3d41a3e5f58a18466d44fe90ce77f68e34a87e62ec1f
    SHA512
    be4845844cd5600747aba5525425b1d21df25f09cd5efbf36c5e3f2ffcbc8bf398561db59be89226cb3c0a22d94edac9f7b824dfaccf9257dff3d7b66a825fc2

  • memory/300-53-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize
    80KB

  • memory/1728-7-0x0000000000400000-0x0000000000403000-memory.dmp
    Filesize
    12KB

  • memory/2528-54-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize
    80KB