Analysis

  • max time kernel: 119s
  • max time network: 17s
  • platform: windows7_x64
  • resource: win7-20240729-en
  • resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted: 06/08/2024, 18:14

General

  • Target: d6b4d656a00fd7aae69fb558bb5dba30N.exe
  • Size: 80KB
  • MD5: d6b4d656a00fd7aae69fb558bb5dba30
  • SHA1: 587b128fa375a51082e249dd8ab6d7a64c59eecd
  • SHA256: ba4e9f1436254a4e3ee987d63fff0d137dc939d8575f1d5a2f7be7d8d3d86258
  • SHA512: 35434db98d31164b4fdc7867798d75e4ca4b2546ede0b06350d65ab07c82f7290691889644d3cdb5c35114467a349378ff4a81bfa6f856d1e068618ecdb964f9
  • SSDEEP: 768:eLxqBt1sJw5pVNUP1/kvtbWcpmCKXTak3QIXjLZJ2bXfqQKMq+gjTAfu/MB8QKp2:Bteq0QIXJJyXEv/MBK67lALNtnd1PBwN

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    Removes the IFEO (Image File Execution Options) entry.

  • Drops file in System32 directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6b4d656a00fd7aae69fb558bb5dba30N.exe
    "C:\Users\Admin\AppData\Local\Temp\d6b4d656a00fd7aae69fb558bb5dba30N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\SysWOW64\umtuxean-ecixú±¬±
      "C:\Windows\system32\umtuxean-ecixú±¬±"
      2⤵
      • Windows security bypass
      • Boot or Logon Autostart Execution: Active Setup
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Indicator Removal: Clear Persistence
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\SysWOW64\umtuxean-ecixú±¬±
        ùù¿çç¤
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2800

Network

        MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\iffeaxeam-afootú±¬±
    Filesize: 82KB
    MD5: b5be9e19d2f553cedc3a840dcdcb7fd7
    SHA1: 931f5ea27c2adb61d5905fd7f6f424322b9e873f
    SHA256: bb6e322b408121ac4321dc8af4a1905022e86d6eb4cb2f854da8062423764193
    SHA512: a59e72428fd9b532291de76f221c4978e089b3774530e7aabb7a628ad1449c953e0efb6dcd75331ae18a6cb78b8a46e56258d83188b59b865500d2ca9af6c045

  • C:\Windows\SysWOW64\ofbotitú°¸¸
    Filesize: 5KB
    MD5: 48c45e05569f9a5665d082fbdc116c14
    SHA1: e491ab1327b88312fc6d0535621b6de733c8efb5
    SHA256: 7e916f847bb5de3e09b36bd527e09ed656df13296bdcd9924185bcccde7dbe4c
    SHA512: e1cc47e185831dc6c40372efc227f299964f262c641b790d31f0fe452a5bc70a4946c689913504c64790833c131d40c01fcd9ff3a148636be9f502959f7cc49c

  • C:\Windows\SysWOW64\umtuxean-ecixú±¬±
    Filesize: 80KB
    MD5: d6b4d656a00fd7aae69fb558bb5dba30
    SHA1: 587b128fa375a51082e249dd8ab6d7a64c59eecd
    SHA256: ba4e9f1436254a4e3ee987d63fff0d137dc939d8575f1d5a2f7be7d8d3d86258
    SHA512: 35434db98d31164b4fdc7867798d75e4ca4b2546ede0b06350d65ab07c82f7290691889644d3cdb5c35114467a349378ff4a81bfa6f856d1e068618ecdb964f9

  • C:\Windows\SysWOW64\urkemamú±¬±
    Filesize: 83KB
    MD5: ddc8e68f2eb3f7f06c9efb7ec0f06e38
    SHA1: c316ce905020e860240fa1cffeed9c766efd0b08
    SHA256: 2ba68fbf0b67288059f388c38677cc1aba90f498f79b3bb29229c0c1bddd5540
    SHA512: 769614124bc265d2bd98de304245dc726bf8fc86739e0c104fa5422134124d187b0de8a61e69fd9cd475650aeaba59316cf96cc42e15b1d10123058843d2eaf1

  • memory/1064-8-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB

  • memory/2800-55-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB

  • memory/3016-54-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB