Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/08/2024, 05:22

General

  • Target

    fa942c291c3e28d763540e7aad36adbc1113b6fdbb2103e44a62635e932f0e85.exe

  • Size

    89KB

  • MD5

    e7e6bb99632eb1037d33f5a3d7394f4d

  • SHA1

    8a630d9115f32a2ca1907eaf53c2c5b907662251

  • SHA256

    fa942c291c3e28d763540e7aad36adbc1113b6fdbb2103e44a62635e932f0e85

  • SHA512

    605e89a0ea8af26c0c8ebe7f9c2f4d23f9e21b73de6034b541f93c94dede8b45432d85bc06a58c6155d44628bf8b0031f14442040ff80f07d92b2dfd8102c5e1

  • SSDEEP

    1536:se2sLc0T1ddPDNTGd8Lxqa8lG+DhisVOKYNlb8dxQ9v:d2sLJ1djdEaexVisIKYNlNv

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 4 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    Removes IFEO.

  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 17 IoCs
  • Drops file in Program Files directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1216
        • C:\Users\Admin\AppData\Local\Temp\fa942c291c3e28d763540e7aad36adbc1113b6fdbb2103e44a62635e932f0e85.exe
          "C:\Users\Admin\AppData\Local\Temp\fa942c291c3e28d763540e7aad36adbc1113b6fdbb2103e44a62635e932f0e85.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2280
          • C:\Windows\SysWOW64\oudpoopoas.exe
            "C:\Windows\SysWOW64\oudpoopoas.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Indicator Removal: Clear Persistence
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1712
            • C:\Windows\SysWOW64\oudpoopoas.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2704

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Windows\SysWOW64\eafleabat.exe

        Filesize

        89KB

        MD5

        3e7c2723840f804ee02b38234a17b6d5

        SHA1

        f42c7f352599fa5c0956b55310b6afe834f5effa

        SHA256

        c8aa96a56573148b5727b95c85b7257b29cdb4f9028b1ebc0b94f70ce33e2268

        SHA512

        3ba55ba79b6e574a75864061a29605d41841350db3671ed3d1bfe8f2647bffd45fe32ed354e46ee37e518cdffa767c90cdc283ab784d8ac368386acb6f0a651f

      • C:\Windows\SysWOW64\impesut-acid.exe

        Filesize

        90KB

        MD5

        e0db7847dbff8f1b6664fd8f64a4b444

        SHA1

        2507aa072dffe2107ec5e2b04d9cda2f73fd4a75

        SHA256

        c214c61e46d21829910d3b7076a7458de1e6e6d190e1bff2441a6d79873d27f4

        SHA512

        bebbfa5f5a346168cc522456b294ee9889e2f945776389e8b41a405477ce9b3417eddcb6460678fdaaf4224e8b1acc65777d621a0ba07fe73e674fca2c3c0d0b

      • C:\Windows\SysWOW64\okpoatoat.dll

        Filesize

        5KB

        MD5

        c8521a5fdd1c9387d536f599d850b195

        SHA1

        a543080665107b7e32bcc1ed19dbfbc1d2931356

        SHA256

        fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5

        SHA512

        541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd

      • \Windows\SysWOW64\oudpoopoas.exe

        Filesize

        87KB

        MD5

        9af5f91d5084605aa21d4522cd91e9bf

        SHA1

        453120907e13264ff4343c50a62b980aaf7fc5bf

        SHA256

        5ebad97566148fcae892a264f42522b0ec45c36539305eb4eba5523a93de6d36

        SHA512

        3ae783b7df1a87e6628a9c4fd3d745fcc15dbe82f9000c630101c12a1b0500967e8379647e72f1e79fff49d8daf351055bc8f7c3f6351230e20f0e51d4fdfb5d

      • memory/1712-10-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

      • memory/1712-76-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

      • memory/2280-2-0x0000000000020000-0x0000000000038000-memory.dmp

        Filesize

        96KB

      • memory/2280-8-0x0000000000400000-0x0000000000403000-memory.dmp

        Filesize

        12KB

      • memory/2704-92-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB