Analysis
max time kernel: 79s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 04:31
Static task: static1
Behavioral task: behavioral1
  Sample: ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
  Resource: win10v2004-20241007-en
General
Target: ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
Size: 1.7MB
MD5: 3d89bcde7153dfa97b9dd08cc979ff1b
SHA1: 3c43efe38b8da2317509425d384652c89a326689
SHA256: ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea
SHA512: 3102ea54ae0446ff55982d73689e733b06b4f29f93b0698a963e5908d6fcaa77deed90c45089f80ae0229eab7bc6053637b1bba105c97023bfc9596bfbf8bcfb
SSDEEP: 24576:843Q47djcrquizgwGog093Rm3q1qrTwUINmjvqZ7VnpfgYK7vjAqZJtoaEU49yt:843Q45cqPATqIXwU4KvqfpfecswH
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\DMwcoMkM\\xkwwIYsA.exe," | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\DMwcoMkM\\xkwwIYsA.exe," | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
UAC bypass (1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Executes dropped EXE (3 IoCs)
  pid | Process
  4408 | IwEAYUcE.exe
  3052 | xkwwIYsA.exe
  3240 | aSAgswcQ.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IwEAYUcE.exe = "C:\\Users\\Admin\\QokAIcAs\\IwEAYUcE.exe" | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xkwwIYsA.exe = "C:\\ProgramData\\DMwcoMkM\\xkwwIYsA.exe" | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aSAgswcQ.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IwEAYUcE.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xkwwIYsA.exe
Modifies registry key (1 TTPs, 3 IoCs)
  pid | Process
  4868 | reg.exe
  3100 | reg.exe
  1060 | reg.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
  2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
  2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
  2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 1156 | vssvc.exe
  Token: SeRestorePrivilege | 1156 | vssvc.exe
  Token: SeAuditPrivilege | 1156 | vssvc.exe
Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 2724 wrote to memory of 4408 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 98
  PID 2724 wrote to memory of 4408 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 98
  PID 2724 wrote to memory of 4408 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 98
  PID 2724 wrote to memory of 3052 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 99
  PID 2724 wrote to memory of 3052 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 99
  PID 2724 wrote to memory of 3052 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 99
  PID 2724 wrote to memory of 2596 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 101
  PID 2724 wrote to memory of 2596 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 101
  PID 2724 wrote to memory of 2596 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 101
  PID 2724 wrote to memory of 3100 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 103
  PID 2724 wrote to memory of 3100 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 103
  PID 2724 wrote to memory of 3100 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 103
  PID 2724 wrote to memory of 4868 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 104
  PID 2724 wrote to memory of 4868 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 104
  PID 2724 wrote to memory of 4868 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 104
  PID 2724 wrote to memory of 1060 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 105
  PID 2724 wrote to memory of 1060 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 105
  PID 2724 wrote to memory of 1060 | 2724 | ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe | 105
  PID 2596 wrote to memory of 2696 | 2596 | cmd.exe | 110
  PID 2596 wrote to memory of 2696 | 2596 | cmd.exe | 110
  PID 2596 wrote to memory of 2696 | 2596 | cmd.exe | 110
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
1. C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe"
   - Modifies WinLogon for persistence
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2724
   2. C:\Users\Admin\QokAIcAs\IwEAYUcE.exe
      Command line: "C:\Users\Admin\QokAIcAs\IwEAYUcE.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4408
   2. C:\ProgramData\DMwcoMkM\xkwwIYsA.exe
      Command line: "C:\ProgramData\DMwcoMkM\xkwwIYsA.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 3052
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2596
      3. C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea
         PID: 2696
   2. C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      - Modifies visibility of file extensions in Explorer
      - System Location Discovery: System Language Discovery
      - Modifies registry key
      PID: 3100
   2. C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      - System Location Discovery: System Language Discovery
      - Modifies registry key
      PID: 4868
   2. C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      - UAC bypass
      - System Location Discovery: System Language Discovery
      - Modifies registry key
      PID: 1060
1. C:\ProgramData\PEYckUYM\aSAgswcQ.exe
   Command line: C:\ProgramData\PEYckUYM\aSAgswcQ.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 3240
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
   PID: 1156
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 2
    Registry Run Keys / Startup Folder: 1
    Winlogon Helper DLL: 1
Privilege Escalation
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
  Boot or Logon Autostart Execution: 2
    Registry Run Keys / Startup Folder: 1
    Winlogon Helper DLL: 1
Downloads
Filesize: 1.8MB
  MD5: 6b1492b9b98a4c4fa51ac89c9eb951d7
  SHA1: 71496af1bf817b196fbaf962402c151bf28bff29
  SHA256: 105056aa51a762722a11dadc25c30db4c0e656bec8e86e7116785782740504c2
  SHA512: 9a7751b9a6c97b6cc98de3816c76c3e0b4f80699c6da305083e85b15c3ba7e1704ebda410b597475a7155595ba005b209872a3b44fb3856e7871468f11a8b9fd
Filesize: 1.7MB
  MD5: cf4db1787c480813c5183e9909726a1b
  SHA1: 1fcb2640626c823a01ac9bdb1ba47a746ebf8298
  SHA256: e8557a355470c57ff1138c07990679916d5b45ec7d2a44cb8ff8b0b258876497
  SHA512: 4b15549e6b94e3e044470b514cd6b2760972168cd63d44a5e6c89094a9ae7ba4723149d47a21d5e2ee46cb4536a5b0ed5721966351fe367951a7590d1d5f3b9c
Filesize: 1.7MB
  MD5: 4c4e0863cef0cd5ed2f5f11e1067a9fe
  SHA1: 329bebd908657c8e1909c9a43cfe3bb5742a7d75
  SHA256: deefb545aa281b0b4028fa53eec619acfa49793a3b8b19aa39d6593c7c7958f4
  SHA512: 9dd38de57706daabd4c7bcf52084523f21b935f23fad445b77fce6aec21d4a1cf1ca1266d642b191138df1c22c535908add830665ebc779d467c79f6735f8e2a