Overview

overview

10

Static

static

7

dd79c1624b...d2.exe

windows7-x64

10

dd79c1624b...d2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14/06/2024, 04:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd79c1624b8e26dd208adc46d9cc7e3df5e12d0d8429993ac5f9d0bcfd0c0cd2.exe

  • Size

    21KB

  • MD5

    3398083463c6d3c0d0685bbc3fcdb383

  • SHA1

    9eedcc74dde20cf54f8744f71d4666fbda6a5fa7

  • SHA256

    dd79c1624b8e26dd208adc46d9cc7e3df5e12d0d8429993ac5f9d0bcfd0c0cd2

  • SHA512

    2b455541393f9441ae729e7e511ec0bc9ce0d2e6ff19199e234bd596b70ae5786fef3b9509f551f39c6a3b358a832d898725cddcb8632a7826c059748d88252b

  • SSDEEP

    384:UBWoC5GDr6wc/w3HgM6vDUTAXBGCVf4WVlFvX8Mb7a6TrsJ:rRkiLw3HsDSARGG/MMb7rfK

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Drivers directory 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Sets file execution options in registry 2 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:436
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1248
        • C:\Users\Admin\AppData\Local\Temp\dd79c1624b8e26dd208adc46d9cc7e3df5e12d0d8429993ac5f9d0bcfd0c0cd2.exe
          "C:\Users\Admin\AppData\Local\Temp\dd79c1624b8e26dd208adc46d9cc7e3df5e12d0d8429993ac5f9d0bcfd0c0cd2.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2408
          • C:\Windows\SysWOW64\rmass.exe
            "C:\Windows\system32\rmass.exe"
            3⤵
            • Windows security bypass
            • Drops file in Drivers directory
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2844
            • C:\Windows\SysWOW64\rmass.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1764

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\RECOVER32.DLL
        Filesize

        5KB

        MD5

        2b2c28a7a01f9584fe220ef84003427f

        SHA1

        5fc023df0b5064045eb8de7f2dbe26f07f6fec70

        SHA256

        9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb

        SHA512

        39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

        Download Submit

      • C:\Windows\SysWOW64\ahuy.exe
        Filesize

        24KB

        MD5

        e3ca421df1fd122c059d788842b14add

        SHA1

        a52752eb48f9fa2e691ad2efa910c207df102aab

        SHA256

        7e4230d4c845d0beff7adff1474576bddd7801aa6b87d5ff3204c699af3bff35

        SHA512

        466e40f9fac1377a4bfa490d7d1e446e3df675121850b127a06f6996a6b4bf6441feb122b6a6a1b2095fd51c1cf881b2a714a0ce28881675434da9cf649e011c

        Download Submit

      • C:\Windows\SysWOW64\ntdbg.exe
        Filesize

        25KB

        MD5

        0655d3d99e3a4fc221e0b7950f453db2

        SHA1

        89ef3a1dc7683c56af1e54f571f711eb591b4f2d

        SHA256

        b430cd49d849810339c2c7f9ab2f34b4b304628b24709348d09a9595a6eaa1ef

        SHA512

        1a5e5cb257fe7cd75d9d65ff5f7b18469f2a74054eb225b5b971d0b51554f55152bfe4f6928e3e05dcafc7c20fa33599df3b6c41c3aeb18d0dba2035683de703

        Download Submit

      • C:\Windows\System32\drivers\etc\hosts
        Filesize

        1KB

        MD5

        b10b13206b0f2cf3968050072f6979bf

        SHA1

        699db21ba9cecf3f13ac3d76e22cfa41aa94da80

        SHA256

        0eef3217095cb97b695c434e74d6314bf9e869a013d6e9c88e58c34576a276b4

        SHA512

        d33bfd931be6676539507a69101d99fa4c5ef36b12422bd11f063b9b6a47b7444f6c4ad5f35e044714fdb872e96cd9fddf049e8329af1219483887f6ac5f4a5d

        Download Submit

      • \Windows\SysWOW64\rmass.exe
        Filesize

        21KB

        MD5

        3398083463c6d3c0d0685bbc3fcdb383

        SHA1

        9eedcc74dde20cf54f8744f71d4666fbda6a5fa7

        SHA256

        dd79c1624b8e26dd208adc46d9cc7e3df5e12d0d8429993ac5f9d0bcfd0c0cd2

        SHA512

        2b455541393f9441ae729e7e511ec0bc9ce0d2e6ff19199e234bd596b70ae5786fef3b9509f551f39c6a3b358a832d898725cddcb8632a7826c059748d88252b

        Download Submit

      • memory/1764-60-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2408-0-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2408-5-0x00000000003A0000-0x00000000003B1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2408-13-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2844-14-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2844-59-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download