Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 04:05

General

  • Target
    d1111a5279e29e5dd55baaee3c766d86c7f560f8873f124bc1cfcfe3f0aeacac.exe
  • Size
    73KB
  • MD5
    9fdedc26a459559813da9708a67a67d2
  • SHA1
    384a6098d0fc88462828660efe73fdfa6af50f33
  • SHA256
    d1111a5279e29e5dd55baaee3c766d86c7f560f8873f124bc1cfcfe3f0aeacac
  • SHA512
    d1f402438b2cdf9e1fd82a59f5b03272acde2c78c40a704e90107982e898f620d66eced5028d53e35fac93161922844f507c7a0900fa4c786bcc971e2e68ddcf
  • SSDEEP
    768:x/nQODtOgZwPeS2oyrw0U/Q7/PM8ee+YLVrvgA4R+Fy0u4ETZC6oLclNLqEntgtt:xo62PVOUY7/2efJDtuZ86LNtG5Mip/

Malware Config

Signatures

  • Windows security bypass (2 TTPs, 4 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  • Sets file execution options in registry (2 TTPs, 3 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Windows security modification (2 TTPs, 4 IoCs)
  • Modifies WinLogon (2 TTPs, 5 IoCs)
  • Drops file in System32 directory (9 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    PID:604
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3316
    • C:\Users\Admin\AppData\Local\Temp\d1111a5279e29e5dd55baaee3c766d86c7f560f8873f124bc1cfcfe3f0aeacac.exe
      "C:\Users\Admin\AppData\Local\Temp\d1111a5279e29e5dd55baaee3c766d86c7f560f8873f124bc1cfcfe3f0aeacac.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\Windows\SysWOW64\alponuv-idid.exe
        "C:\Windows\SysWOW64\alponuv-idid.exe"
        3⤵
        • Windows security bypass
        • Modifies Installed Components in the registry
        • Sets file execution options in registry
        • Executes dropped EXE
        • Windows security modification
        • Modifies WinLogon
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Windows\SysWOW64\alponuv-idid.exe
          --k33p
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3612

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\adberob-ecum.exe
    Filesize
    73KB
    MD5
    34447aa56a526617604d60be3ab10a71
    SHA1
    15ea4394db748f41b1a9f0f14f751154e3f42a33
    SHA256
    4000739dff7160d33878e68ed86f0a62d378227ee6808ed6ebb21ae2da96657c
    SHA512
    464c2f12d0ee1afa15241b27d5e2564dcb89e4d8f334e3b3a341aa6e2ec02d30db0e1311cffd8840771cd1dedfd1fdf53901d30870bb0866cb440b5cffcddd5f
  • C:\Windows\SysWOW64\alponuv-idid.exe
    Filesize
    71KB
    MD5
    958447be18cad6ab706beccbcac3c73d
    SHA1
    40c28166e023723370a9bf116119c092f92bdd84
    SHA256
    d91aa0d4b40163b9c81d3d41a3e5f58a18466d44fe90ce77f68e34a87e62ec1f
    SHA512
    be4845844cd5600747aba5525425b1d21df25f09cd5efbf36c5e3f2ffcbc8bf398561db59be89226cb3c0a22d94edac9f7b824dfaccf9257dff3d7b66a825fc2
  • C:\Windows\SysWOW64\ohcegis-fat.dll
    Filesize
    5KB
    MD5
    f37b21c00fd81bd93c89ce741a88f183
    SHA1
    b2796500597c68e2f5638e1101b46eaf32676c1c
    SHA256
    76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
    SHA512
    252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
  • C:\Windows\SysWOW64\uctoarer-edur.exe
    Filesize
    74KB
    MD5
    25715476b69d2cf805b28e0928b73c45
    SHA1
    026a188b007dfd12a914267b092d34a40b0a4318
    SHA256
    e44526af97fc8ecfbc7268167b1810040f88020f1777cb86a355d1b415443dbb
    SHA512
    85e37a5fea7491a0fa6bfaf9d6703ac5a5102657b28bf5d545b7e1ab25cff4f4b4f6da0cbaea4da7d58d9bb6dbab6c78997272b9b3b4d2cb950e02b9170eb633
  • memory/1304-47-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize
    80KB
  • memory/3612-48-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize
    80KB
  • memory/4048-3-0x0000000000400000-0x0000000000403000-memory.dmp
    Filesize
    12KB