8abb47ca7c0c4871c28b89aa0e75493e5eb01e403272888c11fef9e53d633ffe

General

Target

21.exe
Size

54KB
MD5

ebefee9de7d429fe00593a1f6203cd6a
SHA1

4bed4b7f9d15e5f4cfe6b8e61f7bca865b7ce641
SHA256

8abb47ca7c0c4871c28b89aa0e75493e5eb01e403272888c11fef9e53d633ffe
SHA512

dee06c0ec0dc0a9be293f5916e39cac62fd78293a9c5b645f3a94c315d8c324276cb52ebd12c9236c160ad28ede02c6b96e8b40eaef63675395b0822960483ad
SSDEEP

768:4EyjLgnDw5oEC+WOill+du3tOWxZtrDm9qPcQ4qWto9iP22WIps6qceX5VykiKoG:2LgDwjC+WOE+Q9FZtrDGHUuUIjgps4v

Score

10^/10

discovery evasion trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	21.exe

Deletes itself 1 IoCs

pid	Process
4916	rundll32.exe

Loads dropped DLL 7 IoCs

pid	Process
3316	rundll32.exe
4916	rundll32.exe
4044	rundll32.exe
3316	rundll32.exe
3316	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1860-0-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1860-8-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\whhfd028.ocx	21.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\whh02053.ocx	21.exe
File opened for modification	C:\Program Files\Common Files\whh02053.ocx	21.exe
File created	C:\Program Files\Common Files\0E57A43Fce.dll	21.exe
File opened for modification	C:\Program Files\Common Files\0E57A43Fce.dll	21.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
3316	rundll32.exe
672	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3316	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 4044	1860	21.exe	80
PID 1860 wrote to memory of 4044	1860	21.exe	80
PID 1860 wrote to memory of 4044	1860	21.exe	80
PID 1860 wrote to memory of 3316	1860	21.exe	81
PID 1860 wrote to memory of 3316	1860	21.exe	81
PID 1860 wrote to memory of 3316	1860	21.exe	81
PID 1860 wrote to memory of 4916	1860	21.exe	82
PID 1860 wrote to memory of 4916	1860	21.exe	82
PID 1860 wrote to memory of 4916	1860	21.exe	82

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	21.exe

C:\Users\Admin\AppData\Local\Temp\21.exe
"C:\Users\Admin\AppData\Local\Temp\21.exe"
1⤵
- UAC bypass
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1860
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Windows\system32\whhfd028.ocx" InstallSvr0
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4044
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\0E57A43Fce.dll" InstallSvr3
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\whh02053.ocx" InstallSvr1 C:\Users\Admin\AppData\Local\Temp\21.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\0E57A43Fce.dll

Filesize
6KB

MD5
6fb92d25078bfff1c215229067b5beaa

SHA1
3d9a6f564f492b30981359bbcee5f9e02536e3be

SHA256
5ce7c2eb8860f172dd5b68cd94307b6665f6785b207d936577bbaab196b61f33

SHA512
9cf0b61f7e618df406104685158cf877ca892e7847a3c2efed3ea4a2fb08384cc0bc492cb1ea366d1b181f79a6014fe7b95ba7ed2c15744317187be080f77b24

Download Submit
C:\Program Files\Common Files\whh02053.ocx

Filesize
62KB

MD5
17912e2f2e631f4c7d452206ab354d70

SHA1
0d7535148d0ff1219c8ccb9418a7ed43a16f83ac

SHA256
cc7c8faec19adbed2ada843c83202276aa13aadde78983d0ff6140b9cab5e5e9

SHA512
40cfd922ca2da71e33a1f715fc04563f18cd19dc44ddf0fce2142cd581c6481931525bf0fdcdc7c4a57307c5270a83f4ab76c9175986dfa6be6323efe776710f

Download Submit
C:\Windows\SysWOW64\whhfd028.ocx

Filesize
11KB

MD5
6b51354fb017488210e58687462ee83e

SHA1
d3623503867948285e9d4741f058d693decd1c17

SHA256
5707e445eeca460f2e7f320d5c99eaf7840fd94632638d48e65d66a66a4ba715

SHA512
ddcbdbd7728899eaa93d3773e600b79248e1af266a27721e6018c28430482ceb1116779416bb04983f5a8730b2a981f08db32e405a6da635500a9b2a78701406

Download Submit
memory/1860-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1860-8-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3316-27-0x0000000000A63000-0x0000000000A64000-memory.dmp

Filesize
4KB

Download
memory/3316-24-0x0000000000A60000-0x0000000000A74000-memory.dmp

Filesize
80KB

Download
memory/3316-18-0x0000000000A60000-0x0000000000A74000-memory.dmp

Filesize
80KB

Download
memory/3316-15-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/4044-23-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4044-26-0x0000000000AC3000-0x0000000000AC4000-memory.dmp

Filesize
4KB

Download
memory/4044-25-0x0000000000AC0000-0x0000000000AD4000-memory.dmp

Filesize
80KB

Download
memory/4044-21-0x0000000000AC0000-0x0000000000AD4000-memory.dmp

Filesize
80KB

Download
memory/4916-22-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads