Overview

overview

10

Static

static

5

512b5deba1...eb.exe

windows7-x64

10

512b5deba1...eb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2024 02:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    512b5deba1f1990f43876c48e0d8767f102cb7a0a949c6c9c6e079676bcd72eb.exe

  • Size

    55KB

  • MD5

    aaff8d22681e8bdee3c3ba55007f673f

  • SHA1

    aa94b52ee5290629165387bb0e7bdf3600e7a073

  • SHA256

    512b5deba1f1990f43876c48e0d8767f102cb7a0a949c6c9c6e079676bcd72eb

  • SHA512

    7e097d80b931aaa992b47f76c01eaa7e13c95fcc9d62d0b899216e0309563f32a6b0cb609e4540d81f8a4d3590f7fa277c124d2d6430f9409cf8f5c43f15792a

  • SSDEEP

    1536:T4dJooh0Wa0aer344Jw/ytUqVS5EkIijQ1fTNs2:T4dzVTaer344JzthRZijQ1Js

Score
10/10
adwaredefense_evasiondiscoveryevasionexploitpersistenceprivilege_escalationstealerupx

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 16 IoCs
    evasion
  • Modifies security service 2 TTPs 8 IoCs
    evasion
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 50 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Boot or Logon Autostart Execution: Port Monitors 1 TTPs 13 IoCs

    Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

    persistence
  • Drops file in Drivers directory 64 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 47 IoCs
    persistence
  • Manipulates Digital Signatures 1 TTPs 64 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Possible privilege escalation attempt 20 IoCs
    exploit
  • Boot or Logon Autostart Execution: Print Processors 1 TTPs 2 IoCs

    Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
    defense_evasion
  • Modifies file permissions 1 TTPs 20 IoCs
    discovery
  • Modifies system executable filetype association 2 TTPs 46 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Indicator Removal: Clear Persistence 1 TTPs 47 IoCs

    remove IFEO.

    defense_evasion
  • Installs/modifies Browser Helper Object 2 TTPs 7 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Maps connected drives based on registry 3 TTPs 3 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 59 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\512b5deba1f1990f43876c48e0d8767f102cb7a0a949c6c9c6e079676bcd72eb.exe
    "C:\Users\Admin\AppData\Local\Temp\512b5deba1f1990f43876c48e0d8767f102cb7a0a949c6c9c6e079676bcd72eb.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3604
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8D8A.tmp\8D8B.tmp\8D8C.bat C:\Users\Admin\AppData\Local\Temp\512b5deba1f1990f43876c48e0d8767f102cb7a0a949c6c9c6e079676bcd72eb.exe"
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\system32\fsutil.exe
        fsutil dirty query C:
        3⤵
          PID:2932
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\hal.dll /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1728
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\hal.dll /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2928
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\winload.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1512
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\winload.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2364
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\winresume.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:4832
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\winresume.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2344
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\winlogon.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2660
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1076
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\wininit.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2260
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\wininit.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2020
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\ntoskrnl.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:4144
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\ntoskrnl.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1792
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\regedit.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3664
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\regedit.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3332
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\taskmgr.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1500
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\taskmgr.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3300
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\consent.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2920
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\consent.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:8
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\drivers /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:3060
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\drivers /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:440
        • C:\Windows\System32\reg.exe
          reg delete HKLM /f
          3⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Modifies firewall policy service
          • Modifies security service
          • Boot or Logon Autostart Execution: Active Setup
          • Boot or Logon Autostart Execution: Port Monitors
          • Event Triggered Execution: Image File Execution Options Injection
          • Manipulates Digital Signatures
          • Boot or Logon Autostart Execution: Print Processors
          • Impair Defenses: Safe Mode Boot
          • Modifies system executable filetype association
          • Adds Run key to start application
          • Indicator Removal: Clear Persistence
          • Installs/modifies Browser Helper Object
          • Maps connected drives based on registry
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • Checks SCSI registry key(s)
          • Checks processor information in registry
          • Enumerates system info in registry
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Modifies registry key
          PID:2864

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    5
    T1547

    Active Setup

    1
    T1547.014

    Port Monitors

    1
    T1547.010

    Print Processors

    1
    T1547.012

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Browser Extensions

    1
    T1176

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Event Triggered Execution

    4
    T1546

    Change Default File Association

    1
    T1546.001

    Component Object Model Hijacking

    1
    T1546.015

    Image File Execution Options Injection

    1
    T1546.012

    Netsh Helper DLL

    1
    T1546.007

    Privilege Escalation

    Boot or Logon Autostart Execution

    5
    T1547

    Active Setup

    1
    T1547.014

    Port Monitors

    1
    T1547.010

    Print Processors

    1
    T1547.012

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Event Triggered Execution

    4
    T1546

    Change Default File Association

    1
    T1546.001

    Component Object Model Hijacking

    1
    T1546.015

    Image File Execution Options Injection

    1
    T1546.012

    Netsh Helper DLL

    1
    T1546.007

    Defense Evasion

    File and Directory Permissions Modification

    1
    T1222

    Impair Defenses

    2
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Safe Mode Boot

    1
    T1562.009

    Indicator Removal

    1
    T1070

    Clear Persistence

    1
    T1070.009

    Modify Registry

    9
    T1112

    Subvert Trust Controls

    1
    T1553

    SIP and Trust Provider Hijacking

    1
    T1553.003

    Credential Access

    Discovery

    Peripheral Device Discovery

    2
    T1120

    Query Registry

    6
    T1012

    System Information Discovery

    6
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\8D8A.tmp\8D8B.tmp\8D8C.bat
      Filesize

      2KB

      MD5

      786dba0c5b6539cf40382e1d6a31941e

      SHA1

      23dd0dfdbb1a2584744979a146346726b9577d9c

      SHA256

      0d539203223fb2a353189c36748edbad1c33ade0158f72c3ca4b14dec0aafcdb

      SHA512

      7ea197c07aeb76b22fcf813d779a708680d98dc68e0117c46d637d88952ef686a87e329fcec21b8d0d43860f3481611bfab104e7390906486882890d57d3e4c3

      Download Submit

    • memory/3604-0-0x0000000140000000-0x0000000140027000-memory.dmp

      Filesize

      156KB

      Download

    • memory/3604-4-0x0000000140000000-0x0000000140027000-memory.dmp

      Filesize

      156KB

      Download

    • memory/3604-8-0x0000000140000000-0x0000000140027000-memory.dmp

      Filesize

      156KB

      Download