Overview

overview

10

Static

static

7

a5cdc8c5ff...c1.exe

windows7-x64

10

a5cdc8c5ff...c1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    12-08-2024 00:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5cdc8c5ffddfc7d83f2cb92fbaac93bfd7e9cf919f7249ddeb8de93eef777c1.exe

  • Size

    33KB

  • MD5

    232be6ede67aa2a788169289d0de4de4

  • SHA1

    2dad49af3cee9589d3cc2ce4bda038560c7f589e

  • SHA256

    a5cdc8c5ffddfc7d83f2cb92fbaac93bfd7e9cf919f7249ddeb8de93eef777c1

  • SHA512

    7b42484ad1d627bf23d5b1e325e8510b6d7ed6bda9771f8f697697d8a382e66369383f70d13544a6cf728a6a74a8505287b24173d0f9807cb89fb3051403bc54

  • SSDEEP

    768:tQbuQRy2UjmUndnlTttxDn+3jiSkjRY6AB7kKfYoJ+ifBEewzKOb:QuQRylaUDTDxDXjy6AB7koYy2Tb

Score
10/10
defense_evasiondiscoveryevasionpersistencetrojanupx

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    remove IFEO.

    defense_evasion
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 17 IoCs
  • Drops file in Program Files directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1392
        • C:\Users\Admin\AppData\Local\Temp\a5cdc8c5ffddfc7d83f2cb92fbaac93bfd7e9cf919f7249ddeb8de93eef777c1.exe
          "C:\Users\Admin\AppData\Local\Temp\a5cdc8c5ffddfc7d83f2cb92fbaac93bfd7e9cf919f7249ddeb8de93eef777c1.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1768
          • C:\Windows\SysWOW64\adxecod-cur.exe
            "C:\Windows\system32\adxecod-cur.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Indicator Removal: Clear Persistence
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2164
            • C:\Windows\SysWOW64\adxecod-cur.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2468

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\adxecod-cur.exe
        Filesize

        33KB

        MD5

        232be6ede67aa2a788169289d0de4de4

        SHA1

        2dad49af3cee9589d3cc2ce4bda038560c7f589e

        SHA256

        a5cdc8c5ffddfc7d83f2cb92fbaac93bfd7e9cf919f7249ddeb8de93eef777c1

        SHA512

        7b42484ad1d627bf23d5b1e325e8510b6d7ed6bda9771f8f697697d8a382e66369383f70d13544a6cf728a6a74a8505287b24173d0f9807cb89fb3051403bc54

        Download Submit

      • C:\Windows\SysWOW64\ahciram-eadat.exe
        Filesize

        35KB

        MD5

        d08b09ebd5c8f6e7aa12d97dc46a28e1

        SHA1

        4051ca2d4ff6739303e477854339f959f3f5851f

        SHA256

        97b7d26090e107782902c7f6c6d115e996bffbe8394ccc7f8a444dcf40595621

        SHA512

        c9ae0bf0b9f6ba4dc51f87bf9e896631c8e52303bd14f4fc6bf2e9afd93d82815f76095780874aaaefb330dfb77d06333dfabc78a333a684be044d28dbe8d939

        Download Submit

      • C:\Windows\SysWOW64\earxoohoac.exe
        Filesize

        36KB

        MD5

        09beb86851b3f228e1e350f634a77a82

        SHA1

        8652bbfe5161785d68c4d39e9e43dfc284d4a092

        SHA256

        27cb18dffcae0d7020a09e70c6b9cf1e85480d8c8de48d17eb6171bbce594a94

        SHA512

        bca3eefd48d75641d57541dad3e5a17dd599e6e458505a272153184af16f4960d7c49cefa01c1c3e5964a4b47ecc0537951759d65167696a16f212a93bb35e82

        Download Submit

      • C:\Windows\SysWOW64\epdeasood.dll
        Filesize

        5KB

        MD5

        c8521a5fdd1c9387d536f599d850b195

        SHA1

        a543080665107b7e32bcc1ed19dbfbc1d2931356

        SHA256

        fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5

        SHA512

        541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd

        Download Submit

      • memory/1768-3-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2164-12-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2164-24-0x0000000000420000-0x0000000000437000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2164-58-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2164-98-0x0000000000420000-0x0000000000437000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2468-59-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download