Overview

overview

10

Static

static

3

81d3b5c3ab...cN.exe

windows7-x64

10

81d3b5c3ab...cN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    81d3b5c3abd888345da43a96a2b9c6e70769317b5f738f1ef2e45f800c1412ecN.exe

  • Size

    71KB

  • MD5

    91e7ea17217219ae6ff5e247a80486d0

  • SHA1

    67256a5f430a8f92745107bd607058c0360dc962

  • SHA256

    81d3b5c3abd888345da43a96a2b9c6e70769317b5f738f1ef2e45f800c1412ec

  • SHA512

    2b784d1f8ef7155d84d39aa10ccb83f18caea5f7c1b34de285386aee881e401f75fb2ea98b07c24fbfa6f90f5bba8c452cd7de5ad2f59c1078d1384df760cedc

  • SSDEEP

    1536:xCbu2+qEzyX/vh4K+AI5JZC17KNfMCIG3nc3ij/OVVhcEnYJhy:gu2+qEzyX/vh4K+AI5JZCMNbI2nSiDOJ

Score
10/10
defense_evasiondiscoveryevasionpersistencetrojan

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    remove IFEO.

    defense_evasion
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:624
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3376
        • C:\Users\Admin\AppData\Local\Temp\81d3b5c3abd888345da43a96a2b9c6e70769317b5f738f1ef2e45f800c1412ecN.exe
          "C:\Users\Admin\AppData\Local\Temp\81d3b5c3abd888345da43a96a2b9c6e70769317b5f738f1ef2e45f800c1412ecN.exe"
          2⤵
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2144
          • C:\Windows\SysWOW64\ourgeafon.exe
            "C:\Windows\SysWOW64\ourgeafon.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Windows security modification
            • Indicator Removal: Clear Persistence
            • Modifies WinLogon
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4024
            • C:\Windows\SysWOW64\ourgeafon.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1244

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\agxines.exe
        Filesize

        71KB

        MD5

        4ba9ac85957606739c750fea20c05e31

        SHA1

        a96244b8161ec33e4279c01f1086a84fb45a376e

        SHA256

        7a9fdf5e2775122dec85941076bb5b990e4ceda233262d7bd826dd9587cc0fe4

        SHA512

        62760d7984b1f50f2daf22c27549c06d9182859f70cff7a6de8b787e12ca1bd29068b60b8c54bf85c73c84d7bd4c22965a4b47cf9422cfb064caeaaa969d63d5

        Download Submit

      • C:\Windows\SysWOW64\osboobak-emoas.exe
        Filesize

        72KB

        MD5

        e11b64a0b0d06c356359931354d80ec6

        SHA1

        723ded4f51464411aee277a2ae7472fee44ca6e4

        SHA256

        6fb0fd9b342187c7e5486c93cb88646e032c42d958ac6dff12017145b5bbcc77

        SHA512

        2fdeffc95974e7b10be7dc26376c01302c3a5c55b21fb9fb5b38dbf7e4f8e0e46b509c0f3b01f246438a905f735382ef25a9c88bfc44df141e139adaee4feb81

        Download Submit

      • C:\Windows\SysWOW64\ourgeafon.exe
        Filesize

        68KB

        MD5

        753a7c7814a258f71cbe0d8d32663fa5

        SHA1

        1c2256b5d0ddc6d2e0ca5b44e0ea9aab832fb69c

        SHA256

        740c16aaf9acdfd1aac8131f1ea244652fe3c0e57a1d5175ff9ba7094de0fc1b

        SHA512

        b130da6d07edb6f8058f97bd18eaec07cb7db91688c193f4ebb63d738329383891bde169d2e9af4a1b8138e059530b962561ab49bd9188caeeb042bd74312bfd

        Download Submit

      • C:\Windows\SysWOW64\uthovof-edeab.dll
        Filesize

        5KB

        MD5

        f37b21c00fd81bd93c89ce741a88f183

        SHA1

        b2796500597c68e2f5638e1101b46eaf32676c1c

        SHA256

        76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

        SHA512

        252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

        Download Submit

      • memory/1244-45-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2144-4-0x0000000000400000-0x0000000000403000-memory.dmp

        Filesize

        12KB

        Download

      • memory/4024-44-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download