Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-08-2024 15:24

General

  • Target

    37dabbe49da270a4867b67bcbdf26110N.exe

  • Size

    568KB

  • MD5

    37dabbe49da270a4867b67bcbdf26110

  • SHA1

    67ff7fe72202bd7df0addd19f1b771b19576222e

  • SHA256

    2b57890accb6a045723f3cc849ab93df9c35a4d68574387177b733bda715f0b9

  • SHA512

    386f25df7d1c1e2320c0ad5f69a0279a7e5c837e5378598ea99a2d05f410e4364e82c607aebae45da9fb9ba6f1b1510443be719fb5f4cfab9f7c8b8340238b89

  • SSDEEP

    12288:6pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsi7KaIr:6pUNr6YkVRFkgbeqeo68FhqT7KaIr

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • UAC bypass 3 TTPs 12 IoCs
  • Adds policy Run key to start application 2 TTPs 20 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 3 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 25 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37dabbe49da270a4867b67bcbdf26110N.exe
    "C:\Users\Admin\AppData\Local\Temp\37dabbe49da270a4867b67bcbdf26110N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2864
    • C:\Users\Admin\AppData\Local\Temp\bfvvvpvslpf.exe
      "C:\Users\Admin\AppData\Local\Temp\bfvvvpvslpf.exe" "c:\users\admin\appdata\local\temp\37dabbe49da270a4867b67bcbdf26110n.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2396
      • C:\Users\Admin\AppData\Local\Temp\bfnnx.exe
        "C:\Users\Admin\AppData\Local\Temp\bfnnx.exe" "-C:\Users\Admin\AppData\Local\Temp\yngrmarbriktotyx.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2656
      • C:\Users\Admin\AppData\Local\Temp\bfnnx.exe
        "C:\Users\Admin\AppData\Local\Temp\bfnnx.exe" "-C:\Users\Admin\AppData\Local\Temp\yngrmarbriktotyx.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:1704

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\dbdxbyyrqqbtxlzhbmljl.jgg

    Filesize

    280B

    MD5

    3fd227980d75a1a8676860dd3ef69b73

    SHA1

    ed064c88359c648f95115b2f63aa8ea579feaa45

    SHA256

    85c202e4b3c07333c97426cc876ad2418185645403276fdfb2e1359ac8216205

    SHA512

    106f26ec98602d90f8e06eee04af663263f05330bbee9f142f4ae933c9454d51b62bd6665ba30e358ab0fac6786ce7679efaf9d92e63b6ea268c38f2cc7db09b

  • C:\Program Files (x86)\dbdxbyyrqqbtxlzhbmljl.jgg

    Filesize

    280B

    MD5

    1abf33531ecad3e8a5b9c6ee7be765ee

    SHA1

    ffd46840e3f4e62021e426bd2cc77715657ca45d

    SHA256

    70224c5e10a4bde89ff2a8d9ed5bebd9d67d0cae7b2445c934aa987ee2e2cf20

    SHA512

    45b8d5a880a65dcc156a3025712347db1df4c2a50f37457b2d52ff73dc549e878a86e300f2b24481d7b1b6c304bffa46cb8c5c9682d34793f632c96d2a4da053

  • C:\Program Files (x86)\dbdxbyyrqqbtxlzhbmljl.jgg

    Filesize

    280B

    MD5

    950600f9024bb2d6ead861640f851425

    SHA1

    1739d60272499252ab0e6386361faa06d974ce31

    SHA256

    81cc8c5b8414d6a95fc1cf64d801e6a95b56bcce211de79bfe996619b3f1dee6

    SHA512

    a3113880f5ecf437a30113d642e417a279826f5f781949744ad49cf8c6d917793e8fcd22eca1c3a929c70ae1119ea4574f6bfdea827502901b7b561d557978a8

  • C:\Program Files (x86)\dbdxbyyrqqbtxlzhbmljl.jgg

    Filesize

    280B

    MD5

    afd61067dea574a4c9d7ddd239a7b071

    SHA1

    a5b0709edfb18712dbb76ee4dc72efff8748cc25

    SHA256

    16b0435dda88f91e643ea1afa4347d8750139fa068bd45298849b34a492f81b8

    SHA512

    c36e832a0a8b7779f42c069b10fb3f1bd1b1bc967869e50fa2c22648ca7577f80b945e4b99dcff20a6ec2bf7ed109aafbbb9b81db764bb7bebafdb217e41df0d

  • C:\Users\Admin\AppData\Local\dbdxbyyrqqbtxlzhbmljl.jgg

    Filesize

    280B

    MD5

    32496e0e1a294c6e439afd50fd03ac3b

    SHA1

    14eebfe112f901fb1248ed32ca4287f6db189ac2

    SHA256

    470dd68fd38c7428618104a6c448a45996c91b70b49aa0623728219e1bbbf79d

    SHA512

    88083647775c4e460e14e2b2657efebb2c0e379e33709941113679936fc51a6a4d83c878587f08d67f1453017bf5419592e112f08318fb440602bfdc296bb7ea

  • C:\Users\Admin\AppData\Local\dbdxbyyrqqbtxlzhbmljl.jgg

    Filesize

    280B

    MD5

    546f36f62f7fe0573a376d3704259191

    SHA1

    3133d5fe10ab6c0ee2ebe380784c93f31fa9d0aa

    SHA256

    e07dd599f5b077446bb370434d96d8ab6d4bd3d41b040de59b09e2e0734092cf

    SHA512

    e28b6e3ee8dd9bb8a720f8a0cb98b0f5dc4930262f530f11566b689d88ee7ece5942420cb61373e4af46ca21994dbfa25675749377daa94e95f8e558b078bd01

  • C:\Users\Admin\AppData\Local\yhuzowhlvgcfutslqmwfsxmufjteadsr.jok

    Filesize

    4KB

    MD5

    92c9295ef18265a6a380feafbe5f0084

    SHA1

    e5914ad562fbe3393e035baa1c31c110ec0b0fdf

    SHA256

    19d48cb32a6151d521614742c6ef8234c3207baf2d07c8731e5448c2b65965ba

    SHA512

    df4f3c27cf5a4b95ce08286d219df5ee2e06a57ad3ebd505fdfc788be7f333537b75cc8a815daee4208bd51756155fc125752754911ab67ac0d9d5b9ff4d86d0

  • C:\Windows\SysWOW64\ofankatfxqufcjqrei.exe

    Filesize

    568KB

    MD5

    37dabbe49da270a4867b67bcbdf26110

    SHA1

    67ff7fe72202bd7df0addd19f1b771b19576222e

    SHA256

    2b57890accb6a045723f3cc849ab93df9c35a4d68574387177b733bda715f0b9

    SHA512

    386f25df7d1c1e2320c0ad5f69a0279a7e5c837e5378598ea99a2d05f410e4364e82c607aebae45da9fb9ba6f1b1510443be719fb5f4cfab9f7c8b8340238b89

  • C:\yhuzowhlvg.bat

    Filesize

    496KB

    MD5

    5e71f47c46a7988db192c12704abc5d8

    SHA1

    5befc4cf9ad0c1028fbfb72c69c8b7f99ca01f10

    SHA256

    2cafe011377cbd1d1ca9291e599f6707d061e764e6b3c561a7ff615ddc2c8ef5

    SHA512

    e8e4b290822811d8786d43d1a2d4477c5321f717413e1a167c71cb6da50b1c3c3df946bd1fc75b741c15a6c1bc81a17abc1037a917b5b82f5ff33fa8d3dcc987

  • \Users\Admin\AppData\Local\Temp\bfnnx.exe

    Filesize

    708KB

    MD5

    69d76e82e4c8597a3c0e2408edc79838

    SHA1

    955611b88b5313abdf58b599fc13c929d6e5ffec

    SHA256

    245b5f04bff0c95a1c66ee8d5c1e9f559256034f9f2389585cebf08e6764701a

    SHA512

    edf2902e6d6450f8a04d232a96485b1c54e4d457d5377733336acaa8f450db3876094bc2725036992411e75f6f7c8807642187dcb46a2e93b642b37b4f1dea62

  • \Users\Admin\AppData\Local\Temp\bfvvvpvslpf.exe

    Filesize

    320KB

    MD5

    a44eb5eef3ca839b339c12b436fa2cc2

    SHA1

    722c3dc39f0b5228b77988c8445d0e68b43d28a0

    SHA256

    1071edb8bc287d8feea57d35f7f7ebcf484458d67cf53713fe973d2d7b8cf42e

    SHA512

    38c3daeca058928fb05d338d2da51b24679b1fe19ba2b18c8f3fe2fa88501120320329d6820637908a8eaf953b70495b56a6dfc1c80294b54f7e1f8533fbb909