Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/10/2024, 13:32

General

  • Target

    5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe

  • Size

    608KB

  • MD5

    db1b7ac55a245032f066060d23d00630

  • SHA1

    8b968e1eee41e0f4b2f030e672a609e65a7f7618

  • SHA256

    5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fd

  • SHA512

    b78051b0d851c883afe6005c16e442ce48cd137aec83a8e3a4d24f11187d41706c42bc63483834d1bb51e2fb950ac253f385714f9cf8b466f4b61c915dea72eb

  • SSDEEP

    12288:SpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsj:SpUNr6YkVRFkgbeqeo68FhqG

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • UAC bypass 3 TTPs 12 IoCs
  • Adds policy Run key to start application 2 TTPs 22 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 3 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possible Turn off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 25 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe
    "C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe
      "C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe" "c:\users\admin\appdata\local\temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdn.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2560
      • C:\Users\Admin\AppData\Local\Temp\thpubcq.exe
        "C:\Users\Admin\AppData\Local\Temp\thpubcq.exe" "-C:\Users\Admin\AppData\Local\Temp\spgukurgwntwokir.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2804
      • C:\Users\Admin\AppData\Local\Temp\thpubcq.exe
        "C:\Users\Admin\AppData\Local\Temp\thpubcq.exe" "-C:\Users\Admin\AppData\Local\Temp\spgukurgwntwokir.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2668

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\fptuxuegjngwbkvrueostwtdf.mfv

          Filesize

          280B

          MD5

          c6420d61fe64abd61e4a8f13b0d052bc

          SHA1

          257e479143d15d6d940d5c9d35ec7b3c3814e6b1

          SHA256

          227b7cffd5cfaa69f97e19785fbf8a673c137557f671b90e4cfc08ce5af2a66e

          SHA512

          df6627885f8c879e86526b53c06b0efb80616eb642150fb599345c2bb54cc7d6faac3a86fd84ca8f23164e218df6c417c261090517e25f2bc4e0958016247246

        • C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv

          Filesize

          280B

          MD5

          93cedafa8f0bb470a692579d446e8b47

          SHA1

          d01c617c3d0e629d4b61e461ea5408b9c1a0855f

          SHA256

          18e1f9b469e13f48a243b2af1075f0111ada53ed15e37f278c97a752d673db34

          SHA512

          b65b54ad95e3f4e41faa6eaa6e987867d79da930c9d6adb816004c5621f5ad671665f984917cd4730cc5232f83ea4805c98ab1c056518068e7db5e43eb80c1f2

        • C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv

          Filesize

          280B

          MD5

          346541167fb41914febebb2464a0d2af

          SHA1

          dfb0973b8adabc9baf0bdb426930e5f8dff514d5

          SHA256

          fc07ab9ad913d1d7ac148821c04514ff3ce8719ae2c8189b6579aeb6e6520614

          SHA512

          345e148c3ac34df401ed1bcdd7b7d450c43c2441179ed2abb0c73007afc7e7cfe3d28ef933a628cd1f0459471140d90f6f80c929c7c7f441d37692783feeb322

        • C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv

          Filesize

          280B

          MD5

          4ea868960da9e2f4c795d06e153fc2d1

          SHA1

          1b3bc2a7f7e08b0aee8b8ad7ea911d7706a3be3f

          SHA256

          4d021d4de66891e9989fc5c7770986a2b1dbbacb88f0a1479c32c4217bffce54

          SHA512

          78495269dc307e83a2fd50298eca87fc19f468260513b532125b6612d387c2802aff416019c1261d27e3940520ac9c87cbd90f991a5bcda585acc67f1f16a075

        • C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv

          Filesize

          280B

          MD5

          7896693213d91302f895264499867ddf

          SHA1

          1982ac7352dbfdd42e783c22ca079b8d514b1572

          SHA256

          2204e4c408cd695f387bc7f2eab66a81726618de09ffcec4ce6488051b4810d7

          SHA512

          d2edb27a6456ec0e363cf88181e78fc70477e10f4b3cc9ca000c314589133372b770cb4580e6bc7d8ddcd2d25eaebf3de5471c5beb2363f7c05799adcd2ced34

        • C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv

          Filesize

          280B

          MD5

          ed894282104c791eac32343835400ae9

          SHA1

          3c487f1c3ecd881f99510f84369283995f2319b4

          SHA256

          29653692d357aa785867b769388c6e40ba40c6a73174717e869b8a88f6d4c97e

          SHA512

          a37e04330da70ef1b10e411beb2c7751f8ad82a7dd900a59ee1ee81ca622debb6821ad9be41d206659e6c354e92ad19d45bb644ff24497c37fe38b6a7afd0577

        • C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv

          Filesize

          280B

          MD5

          9c251e3e313af755f34ccdd53d8bffd3

          SHA1

          16a6b98c30b40ec6b98827d1e7516ccfe2e522cb

          SHA256

          1c8384983c652b0b303fff4e1bd7275da50b47e7d30c7697087cd8487e5b3437

          SHA512

          05b7736d0e7e5709315b7ecba8237bc19ffdadbabca034952bd8b3030d5bf6ed90330160965dff5728d9b99f90123e12738afd25751dd3766397563455a7dc8b

        • C:\Users\Admin\AppData\Local\kfugucxkynrsicyftojykygbocrvwmgcjxsn.ock

          Filesize

          4KB

          MD5

          fcfb5944bbe2ecc528ef9a8924f1dc0e

          SHA1

          dc86298fe0d0c5efc8643d75e51f299cea5fed29

          SHA256

          edc55c869cae4e13b8a61d72333363d5bcf06c47923d0025d57cdf300795855e

          SHA512

          cb529fd60511e8156d56c9c0e704b64c0fad54a440ae73e19e141917cb782332c245fd693d366e8c1f9c2fbaa857ddb7265bd97860041d588710615809a44027

        • C:\Windows\SysWOW64\ihaqiutkcvdicaaldc.exe

          Filesize

          608KB

          MD5

          db1b7ac55a245032f066060d23d00630

          SHA1

          8b968e1eee41e0f4b2f030e672a609e65a7f7618

          SHA256

          5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fd

          SHA512

          b78051b0d851c883afe6005c16e442ce48cd137aec83a8e3a4d24f11187d41706c42bc63483834d1bb51e2fb950ac253f385714f9cf8b466f4b61c915dea72eb

        • \Users\Admin\AppData\Local\Temp\thpubcq.exe

          Filesize

          716KB

          MD5

          26fac8b713cb236a1a9620a824d442ae

          SHA1

          f14f98c56a1d42858ee73dbe76565492e62774cc

          SHA256

          b623cbf2311c91633dfdd154cdeca5ac4109e1e4277d1e922e2d1e57dbf9a9b9

          SHA512

          6ec38d247aac71a823f7c273b8d6c1e88037b6cc29ff9fe0991b723c8131516fb828d22f473d1e20468b66a696cadc0a915d0fecd75d738f6ccd6b184f859e34

        • \Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe

          Filesize

          320KB

          MD5

          bd53a3b959a07e7bd8e5e298fce15ef0

          SHA1

          449903a926b84be86fec08d7abad20cb2a60b2b7

          SHA256

          a1377b5569d1be59695bf735e529200499c5e5a84882412a7324b1b953663acc

          SHA512

          17c779d1e83e72fab21cd198e10fe0413fb9f7a2eb933df16fc84a23809eb2bd563e234aec854d21727e36f73cfd7d3b47a57fe8cddf9fce08e322acf5f21903