Overview

overview

10

Static

static

7

e1abbbb2c7...0N.exe

windows7-x64

10

e1abbbb2c7...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/09/2024, 08:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e1abbbb2c77bc61d5ef54369ed147590N.exe

  • Size

    87KB

  • MD5

    e1abbbb2c77bc61d5ef54369ed147590

  • SHA1

    4e6934ab28c53502c493a15bf76c9d58a80556e5

  • SHA256

    92cd279789d0d3eac1751b83c07f4fcb14aaeef6184e320605745bae93afb4c8

  • SHA512

    f1912f61592fc7df10c683a39f8e30037198b221ae19f6848fd8e7dcc1546f8dece849d7ec23732b1670a91328d1ee3c7d6f3c397a0a693b810d9adb6dea8137

  • SSDEEP

    768:3Og167GTCGTL9tCqwhX52pwTu5gV62i9wb4CWYLyAKfPXvByNGOLDd5FBEewN4WU:x0Y9WV32pau5gV62++Kf/vw/d5Uh4AW

Score
10/10
defense_evasiondiscoveryevasionpersistencetrojanupx

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    remove IFEO.

    defense_evasion
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 17 IoCs
  • Drops file in Program Files directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:608
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3520
        • C:\Users\Admin\AppData\Local\Temp\e1abbbb2c77bc61d5ef54369ed147590N.exe
          "C:\Users\Admin\AppData\Local\Temp\e1abbbb2c77bc61d5ef54369ed147590N.exe"
          2⤵
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:992
          • C:\Windows\SysWOW64\unlekom.exe
            "C:\Windows\system32\unlekom.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Windows security modification
            • Indicator Removal: Clear Persistence
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1404
            • C:\Windows\SysWOW64\unlekom.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:3056

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\eamboteam-eacid.exe
        Filesize

        89KB

        MD5

        2a9e10aadd0b5cdba9ab80b8796ce89f

        SHA1

        cc550f8592f305a04aad4c17990572f3d7a586ce

        SHA256

        c7ee8d9497afada5b3caa21c788167243524c6bb198600176e9d9579c47999af

        SHA512

        d0fcf881580c0ac3ecff20c179776bb1223b0986f0d8ea73e5a1130d0f098c0d79cc7546a14353779102b0bf9c23671030725309c54b642c7e95807ab3430fdc

        Download Submit

      • C:\Windows\SysWOW64\etbatoar.exe
        Filesize

        90KB

        MD5

        33e274dbdcc0c97f1e2d052bb5bd9cce

        SHA1

        f090dca0c6c6452196c074eb787b60031d413c83

        SHA256

        db9031c2349fd04cf75c71a3a137b948bbd2ffd4ea25cfeb43845ccbe7e2c993

        SHA512

        5efa6b5f43b2f3cfc0d4f6ee7423956c6b1b476350025d7c58d0aa17ab7d3b237f5a91f31d70d8dae144c192d9b668ea3b6e2c98ca1e0d652e44a11b4eccc8ef

        Download Submit

      • C:\Windows\SysWOW64\gboapin.dll
        Filesize

        5KB

        MD5

        c8521a5fdd1c9387d536f599d850b195

        SHA1

        a543080665107b7e32bcc1ed19dbfbc1d2931356

        SHA256

        fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5

        SHA512

        541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd

        Download Submit

      • C:\Windows\SysWOW64\unlekom.exe
        Filesize

        87KB

        MD5

        e1abbbb2c77bc61d5ef54369ed147590

        SHA1

        4e6934ab28c53502c493a15bf76c9d58a80556e5

        SHA256

        92cd279789d0d3eac1751b83c07f4fcb14aaeef6184e320605745bae93afb4c8

        SHA512

        f1912f61592fc7df10c683a39f8e30037198b221ae19f6848fd8e7dcc1546f8dece849d7ec23732b1670a91328d1ee3c7d6f3c397a0a693b810d9adb6dea8137

        Download Submit

      • memory/992-0-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download

      • memory/992-7-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1404-8-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1404-42-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download

      • memory/3056-47-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download