Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-06-2024 04:35

General

  • Target

    d653fac296997214eb2b59e5077fbe5c414e3bfd3c66dfbfee378ad2f3c75d86.exe

  • Size

    73KB

  • MD5

    ac28c2506b65cb361235bbd865300468

  • SHA1

    7a3c782663b61a4d42101df0dec0191e1f51001d

  • SHA256

    d653fac296997214eb2b59e5077fbe5c414e3bfd3c66dfbfee378ad2f3c75d86

  • SHA512

    75a980250886065070a1b8b8d07a7f18cec0f3d1f0df760a75b3edad83d00005f005ee09b1cb42f634c4be2ae40c66d41947c67d5e59edef6b236804a9bc8aa3

  • SSDEEP

    1536:xU9NVM6oqQg9lOkOYmxCibH6n2VY7WMezC:e9NVDvlOrjxH6IYKMem

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Sets file execution options in registry 2 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:632
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3268
        • C:\Users\Admin\AppData\Local\Temp\d653fac296997214eb2b59e5077fbe5c414e3bfd3c66dfbfee378ad2f3c75d86.exe
          "C:\Users\Admin\AppData\Local\Temp\d653fac296997214eb2b59e5077fbe5c414e3bfd3c66dfbfee378ad2f3c75d86.exe"
          2⤵
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:628
          • C:\WINDOWS\SysWOW64\etcucos.exe
            "C:\WINDOWS\SysWOW64\etcucos.exe"
            3⤵
            • Windows security bypass
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4048
            • C:\WINDOWS\SysWOW64\etcucos.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:4752
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1516 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:2492

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\etcucos.exe

          Filesize

          71KB

          MD5

          714728387675b76543e187d1d6863940

          SHA1

          80096027d69a6f2abad63ed3ce81b4d35f2eb1bb

          SHA256

          2ce3773113d1a8b9341e16590c83dc96128727c38d45880de7b98112d6204e63

          SHA512

          fd7972c99d901d8e340b9896807036fb6014fc80851307c777467ffdf05ed967a02b675e421ac3c0aed846fa92a703321c7acf7a8db959541c9195a1f96d0206

        • C:\Windows\SysWOW64\oukroocoos.dll

          Filesize

          5KB

          MD5

          f37b21c00fd81bd93c89ce741a88f183

          SHA1

          b2796500597c68e2f5638e1101b46eaf32676c1c

          SHA256

          76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

          SHA512

          252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

        • C:\Windows\SysWOW64\oxteatut.exe

          Filesize

          74KB

          MD5

          203e5c0356a7a6a76a78ee4c286b9967

          SHA1

          8c319b3982f44e7bb98ba52f4a3839c689d995a2

          SHA256

          1d85f3bcf5476a1d51980635663c0b418d5db3604b57da9be65ebd63ad336b92

          SHA512

          102b065ca758ad09f287360c7c34b1e4eabaa419a7325e15f80bc93efd9ccf51c052f1f5cc582f57c5a7d2b482dc6a8ef68febb9a23c4997e853898cecf3dfee

        • C:\Windows\SysWOW64\ummoarob.exe

          Filesize

          73KB

          MD5

          a5a507bb89ebc345caa1fea6ef68fc3a

          SHA1

          1eafc660c553b07701d4af3ec2130bce2184b200

          SHA256

          fc65c6225801d1180a4ee53a74869f61e2a75a59a1dbc985d2584fc58404ad08

          SHA512

          d682cbf4f697dc95f7c1aa66e33632fba5860c2328894705a31d54249e8cd4fbb238a81285c5ceb1bdfb492988042eb85a8af321d5383adc9a2a69e2ed89394f

        • memory/628-3-0x0000000000400000-0x0000000000403000-memory.dmp

          Filesize

          12KB

        • memory/4048-35-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

        • memory/4752-42-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB