Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2024, 13:32

General

  • Target

    5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe

  • Size

    608KB

  • MD5

    db1b7ac55a245032f066060d23d00630

  • SHA1

    8b968e1eee41e0f4b2f030e672a609e65a7f7618

  • SHA256

    5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fd

  • SHA512

    b78051b0d851c883afe6005c16e442ce48cd137aec83a8e3a4d24f11187d41706c42bc63483834d1bb51e2fb950ac253f385714f9cf8b466f4b61c915dea72eb

  • SSDEEP

    12288:SpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsj:SpUNr6YkVRFkgbeqeo68FhqG

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • UAC bypass 3 TTPs 12 IoCs
  • Adds policy Run key to start application 2 TTPs 25 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 25 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe
    "C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe
      "C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe" "c:\users\admin\appdata\local\temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdn.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3244
      • C:\Users\Admin\AppData\Local\Temp\ahoower.exe
        "C:\Users\Admin\AppData\Local\Temp\ahoower.exe" "-C:\Users\Admin\AppData\Local\Temp\zpfofwsjryrjptaz.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2472
      • C:\Users\Admin\AppData\Local\Temp\ahoower.exe
        "C:\Users\Admin\AppData\Local\Temp\ahoower.exe" "-C:\Users\Admin\AppData\Local\Temp\zpfofwsjryrjptaz.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2608

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo

          Filesize

          280B

          MD5

          3cba3380817da951da12aecd276f77b3

          SHA1

          8ec199379859c54d17252ebebac5aca9303fde6e

          SHA256

          70c714ce334caaa9053d7bbc3e431350cdc3e82df4b95f5146a63a38a544b161

          SHA512

          2f808b6676a94eafbd1234d29cac7d782a83360c0c376b35a9f63c9a72ec86a02ae56aa09e6a4b7a4f312512642d90d1838f4a776085eab13be9507b391d8f2c

        • C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo

          Filesize

          280B

          MD5

          488ec01580ce2d04312e3e1c8923e951

          SHA1

          ee90f5ed0d639439a1b4901439695689b00b609e

          SHA256

          28402f02c4795cd927e0292294f92f1c9c0789b221f79dfff3be2268a0476b73

          SHA512

          8e2af5b21b13f04a6cd762d6f76100440c880fb3b0719b701a0950e884a32559975810d7829b75b1732d407c28b46d889ecabe2e3a8a0fb08df16230f732f0ee

        • C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo

          Filesize

          280B

          MD5

          468415442f1e0ff134a4a981033a254b

          SHA1

          e67d788aad54099a0677edb42a698562573f7f74

          SHA256

          e3de0755a8318921d4677d3b862e931052409f1437f5fbdfa7f31f60ed8d9663

          SHA512

          c3f5c45edbb22891cefd1403de6afe070bc7129aef665a6447474cdba557377af034ee0527b0acc708c76a97b80b430df4c2b54604227a4906556cf77128528a

        • C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo

          Filesize

          280B

          MD5

          6defd78024d6fe2fde4e21d318c3f7c2

          SHA1

          6add3a9b93e00e355b1c14269cf04492adb194f6

          SHA256

          8252314c2e0519fa4c200e102ff3671ea38b861b36c90c9e60eba5631a1780ee

          SHA512

          cb6f86dc8e82b83097fcbc1d4183b5d22c02e7a8bac627b1e16c84a866ee91e3c07c2436e07e4439f527b8081e3257d157d428d104b19d57fdf54e5cfe637b67

        • C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo

          Filesize

          280B

          MD5

          d2d5cffbf2f6e07ba43e017f6612a26f

          SHA1

          66e8e6976db61e6272f2613f43636445a5c21372

          SHA256

          3c2b21fb060b7d6b176a693fe7632781860fa7a94ba89fa2c67987c24532a03a

          SHA512

          384586c264b2b113d819f85ba4548d745dbe5aa822691c8931901fbe1bd069c7f107238d224852521aa0394a1c7c3a4c1a50b36c3088c9f9829a76bf8fd9007e

        • C:\Users\Admin\AppData\Local\Temp\ahoower.exe

          Filesize

          696KB

          MD5

          5148bce28fd1bc7f6b23e61d45efbef2

          SHA1

          523a00e12c40d52bff59f041cff96d202c6f0a47

          SHA256

          1b1b4f59201354f38807cb1b1a4356818d15039c575e6de3b67c4b2e45946e6c

          SHA512

          ab88175cbc36cd9eac46ce418e328bdab3c1124e416e678547d5621256945d015195cee0f0a0b10f4c42d1afb1215635001d0a498b31475162dd80bcc269b05f

        • C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe

          Filesize

          320KB

          MD5

          e97bdffa3003bce29426e78ff0a9b89e

          SHA1

          4680bca864946d45d9c1ef9d195011bba8704380

          SHA256

          856b0722fb88c9f9d25149acd22c499146077225b0177be47e7137810b39b6e1

          SHA512

          6895ca6df7292f0b66d48f125570d7192ebc152a65749851c3fc68ddb0bf95a4ae025f43af7dd65d177856132c70cd70c846920a649a6055579acbfb1fa3c320

        • C:\Users\Admin\AppData\Local\dddwxyefxortjxoxdddwxy.fxo

          Filesize

          280B

          MD5

          07a51e18b6a73fbaa71fc2f540875e1b

          SHA1

          0297a65ea93d774209e0751eecdd15a594442ce6

          SHA256

          1474afd9f1b50b2ba266efcf92442fcbb4124de88c4e4d0851cf31e518b627ce

          SHA512

          bf304565b0bf3211a134f8a59818eb7a90153cb7a2dcaaf1ff2bb0fa2d770b77cd0d3a3caeb590ecbb4a5e18efb92d75518c2d325629f1ab2f3af1756eb722c1

        • C:\Users\Admin\AppData\Local\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu

          Filesize

          4KB

          MD5

          406ce504fdfa8eadaecb54f2506e2b32

          SHA1

          113eacdee034471b67360bdb096718c33f10642d

          SHA256

          7856ae62ab9bcbab8cc3b0192e6ce22e70d16b6baae24fc6ffa3e58b5b3b46fd

          SHA512

          ec227775f25df57a8e44107c51d2a7979b958de833d4cd74590e04931635d8920ef97dcdb55bc64ab785db566d543276a35f9176f2888acf0fd37bbf1f20e4ee

        • C:\Windows\SysWOW64\dddwxyefxortjxoxdddwxy.fxo

          Filesize

          280B

          MD5

          aabdb47094f2024cb1ea2d4c301cdbf1

          SHA1

          41cb7277daaa26d85aafc4f96595b266028487c6

          SHA256

          540e2943357b8fab9d928a821784774a54c28212a6c636dcf868dc77685d9c5d

          SHA512

          476cbba0759c3cd10aa5e5020fcc2df09313671874939ba29871fa4f9d42c5d4b99e8f1b447a2cfd58c175f42151a41240668be4d677d8b0053d4728fc28e095

        • C:\Windows\SysWOW64\phzkdwunxgbvdjstrj.exe

          Filesize

          608KB

          MD5

          db1b7ac55a245032f066060d23d00630

          SHA1

          8b968e1eee41e0f4b2f030e672a609e65a7f7618

          SHA256

          5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fd

          SHA512

          b78051b0d851c883afe6005c16e442ce48cd137aec83a8e3a4d24f11187d41706c42bc63483834d1bb51e2fb950ac253f385714f9cf8b466f4b61c915dea72eb

        • C:\zjtwhsitvw.bat

          Filesize

          648KB

          MD5

          718ee4e1ab9b11ab9741db91eaf0f945

          SHA1

          ce8bd9ee7d7f8531f5b54d5353b6e5e8a7618638

          SHA256

          dd92fcc55737c783d17ead98c56d1f40ad16acba3fac147f5ba0ed12a2613140

          SHA512

          dd78cedc694fa1fda5a6a998ca0c96bdbdfb0466ed95034a5706178850f39191705b925bd74733cacf2819697aeb3299e0b86896147c6d838f599b20fb0ef89b