Analysis

  • max time kernel
    79s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-10-2024 04:31

General

  • Target

    ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe

  • Size

    1.7MB

  • MD5

    3d89bcde7153dfa97b9dd08cc979ff1b

  • SHA1

    3c43efe38b8da2317509425d384652c89a326689

  • SHA256

    ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea

  • SHA512

    3102ea54ae0446ff55982d73689e733b06b4f29f93b0698a963e5908d6fcaa77deed90c45089f80ae0229eab7bc6053637b1bba105c97023bfc9596bfbf8bcfb

  • SSDEEP

    24576:843Q47djcrquizgwGog093Rm3q1qrTwUINmjvqZ7VnpfgYK7vjAqZJtoaEU49yt:843Q45cqPATqIXwU4KvqfpfecswH

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
    "C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Users\Admin\QokAIcAs\IwEAYUcE.exe
      "C:\Users\Admin\QokAIcAs\IwEAYUcE.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4408
    • C:\ProgramData\DMwcoMkM\xkwwIYsA.exe
      "C:\ProgramData\DMwcoMkM\xkwwIYsA.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3052
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea.exe
        C:\Users\Admin\AppData\Local\Temp\ebae0e7c344b513c8bca62b08a25b321e047c4776cd813d2f5791ed0e2a82bea
        3⤵
          PID:2696
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        2⤵
        • Modifies visibility of file extensions in Explorer
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:3100
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:4868
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        2⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1060
    • C:\ProgramData\PEYckUYM\aSAgswcQ.exe
      C:\ProgramData\PEYckUYM\aSAgswcQ.exe
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3240
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1156

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\DMwcoMkM\xkwwIYsA.exe

      Filesize

      1.8MB

      MD5

      6b1492b9b98a4c4fa51ac89c9eb951d7

      SHA1

      71496af1bf817b196fbaf962402c151bf28bff29

      SHA256

      105056aa51a762722a11dadc25c30db4c0e656bec8e86e7116785782740504c2

      SHA512

      9a7751b9a6c97b6cc98de3816c76c3e0b4f80699c6da305083e85b15c3ba7e1704ebda410b597475a7155595ba005b209872a3b44fb3856e7871468f11a8b9fd

    • C:\ProgramData\PEYckUYM\aSAgswcQ.exe

      Filesize

      1.7MB

      MD5

      cf4db1787c480813c5183e9909726a1b

      SHA1

      1fcb2640626c823a01ac9bdb1ba47a746ebf8298

      SHA256

      e8557a355470c57ff1138c07990679916d5b45ec7d2a44cb8ff8b0b258876497

      SHA512

      4b15549e6b94e3e044470b514cd6b2760972168cd63d44a5e6c89094a9ae7ba4723149d47a21d5e2ee46cb4536a5b0ed5721966351fe367951a7590d1d5f3b9c

    • C:\Users\Admin\QokAIcAs\IwEAYUcE.exe

      Filesize

      1.7MB

      MD5

      4c4e0863cef0cd5ed2f5f11e1067a9fe

      SHA1

      329bebd908657c8e1909c9a43cfe3bb5742a7d75

      SHA256

      deefb545aa281b0b4028fa53eec619acfa49793a3b8b19aa39d6593c7c7958f4

      SHA512

      9dd38de57706daabd4c7bcf52084523f21b935f23fad445b77fce6aec21d4a1cf1ca1266d642b191138df1c22c535908add830665ebc779d467c79f6735f8e2a

    • memory/2724-0-0x0000000002300000-0x0000000002315000-memory.dmp

      Filesize

      84KB

    • memory/2724-1-0x0000000002300000-0x0000000002315000-memory.dmp

      Filesize

      84KB

    • memory/2724-2-0x000000000040C000-0x000000000049C000-memory.dmp

      Filesize

      576KB

    • memory/2724-14-0x000000000040C000-0x000000000049C000-memory.dmp

      Filesize

      576KB