Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/09/2024, 10:16

General

  • Target

    45e710b0d080e31929a72df09002c7d7ca32a627145e3a1833cbcc101d0a3ce0N.exe

  • Size

    70KB

  • MD5

    6865f64a2a2373e687c527769fc19e70

  • SHA1

    e3013d5f2fe8a0b6902a0444da143db941361218

  • SHA256

    45e710b0d080e31929a72df09002c7d7ca32a627145e3a1833cbcc101d0a3ce0

  • SHA512

    e8739582fd90b81b54c842ef4d24b462c222465ebf111830f389c89e5195b63990b082bbf08066e88195b7e20dd0c270c420acd5722b3129ca77bcaf14d08c90

  • SSDEEP

    1536:xCbu2+qEzyX/vh4K+AI5JZC17qNfeCIG3nc3ij/OVVhcEnYMTR:gu2+qEzyX/vh4K+AI5JZCMN1I2nSiDOb

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    Removes Image File Execution Options (IFEO) entries.

  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45e710b0d080e31929a72df09002c7d7ca32a627145e3a1833cbcc101d0a3ce0N.exe
    "C:\Users\Admin\AppData\Local\Temp\45e710b0d080e31929a72df09002c7d7ca32a627145e3a1833cbcc101d0a3ce0N.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\SysWOW64\oufvurax-adooc.exe
      "C:\Windows\SysWOW64\oufvurax-adooc.exe"
      2⤵
      • Windows security bypass
      • Boot or Logon Autostart Execution: Active Setup
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Windows security modification
      • Indicator Removal: Clear Persistence
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\SysWOW64\oufvurax-adooc.exe
        ùù¿çç¤
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4056

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\obkesoop-avom.exe

          Filesize

          71KB

          MD5

          159830676d7513651e48cb3b4f162d69

          SHA1

          7a30b13f8fc298dac954fb8b8fda988842d49154

          SHA256

          39b09799ec1cbbb89e537d44f8165d1e4b7b8897b77cf3470c2e4b38960714b0

          SHA512

          5b3b15c2695432af46fce3211e6d529a8866893309960f43558ee213680ec5bf72ff293fd52ee76ebfb19ab0f633aee5a64045b78417e8f3760c8cd1053c105c

        • C:\Windows\SysWOW64\oufvurax-adooc.exe

          Filesize

          68KB

          MD5

          5255e50a4b149cc0850824fad3c6b889

          SHA1

          99869fca6025e50857159bab42461c9f2b0ff64d

          SHA256

          6afde33f3d4a4f51cf68a1503e744da4e452ffe1f9af9991631fc22203152da0

          SHA512

          36fe8d3aae67a2f01a30ef948e683f75ce581d253f9c7ac79f71468dfc9c90fb0e5f05525260f80948c3ebe49c3f914db7fe9a64df367129ef56d27cf72d3b3e

        • C:\Windows\SysWOW64\oulxoted.exe

          Filesize

          70KB

          MD5

          1777ed9fc26b9d65a6258ebac1e2ac21

          SHA1

          8afc695c66d607fbfc559031f44d0e812fa62beb

          SHA256

          85bae7cab7d2e2878913ea4195b631aa087dbbe11957926c8ad9c9d494cda6e2

          SHA512

          818c1390bd25adcaec25b705d5281cc7538583f555b31ea3b5aab4cf31b6eb5b1f0bc38316ab3eb63ecf0158d0fe0bb25ebc671a41fca18b1c13b63327834975

        • C:\Windows\SysWOW64\utlohur.dll

          Filesize

          5KB

          MD5

          f37b21c00fd81bd93c89ce741a88f183

          SHA1

          b2796500597c68e2f5638e1101b46eaf32676c1c

          SHA256

          76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

          SHA512

          252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

        • memory/1680-3-0x0000000000400000-0x0000000000403000-memory.dmp

          Filesize

          12KB

        • memory/2448-44-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

        • memory/4056-45-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB