Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/10/2024, 04:57

General

  • Target

    962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe

  • Size

    692KB

  • MD5

    9f204136a8f8ecb9d4bd46eb5a531db0

  • SHA1

    26b06fe7d8b65065090fc529fc80795a32a59a15

  • SHA256

    962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437

  • SHA512

    3159250cda528bed0f7ce897116c8726bedff840d4ce321459245ac049a5bb0ac1703070048096a2d087af8c0018639785817331ee8989544301353ac11bd9a6

  • SSDEEP

    12288:rXgvmzFHi0mo5aH0qMzd5807FJTPJQPDHvd:rXgvOHi0mGaH0qSdPFJ14V

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
  • UAC bypass (3 TTPs, 12 IoCs)
  • Adds policy Run key to start application (2 TTPs, 27 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Impair Defenses: Safe Mode Boot (1 TTP, 3 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 64 IoCs)
  • Checks whether UAC is enabled (1 TTP, 6 IoCs)
  • Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTP, 3 IoCs)

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service (4 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory (4 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (8 IoCs)
  • System policy modification (1 TTP, 36 IoCs)
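The signatures above are almost all registry writes: Winlogon values, Run and policy Run keys, the UAC and RegEdit policy values, and the SafeBoot control keys. The report names the signatures but does not print the values that were written, so a responder checking a host has to know the expected state of each location. The following is an added example, not code from the sandbox or from the sample: it reads those locations and reports deviations. The registry reader is injectable, so `assess()` runs against a constructed snapshot on any OS, while `live_snapshot()` uses Python's `winreg` on a Windows host. The stock default values and the "suspect directory" heuristic are assumptions made for this example and are marked as such in the code.

```python
"""Host check for the registry locations behind this report's persistence and
defense-impairment signatures: Winlogon, Run and policy Run keys, EnableLUA,
DisableRegistryTools and SafeBoot. Added example, not code from the sandbox or
the sample. assess() works on a snapshot dict; live_snapshot() fills one from
winreg on Windows."""
from __future__ import annotations
from typing import Dict, List, Tuple

Snapshot = Dict[Tuple[str, str], Dict[str, object]]  # (hive, subkey) -> values

WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
]
SYSTEM_POLICY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAFEBOOT = r"SYSTEM\CurrentControlSet\Control\SafeBoot"
WATCHED = [WINLOGON, *RUN_KEYS, SYSTEM_POLICY, SAFEBOOT,
           SAFEBOOT + r"\Minimal", SAFEBOOT + r"\Network"]

# Stock Windows 7 values (assumption: an unmodified install). The HKCU Winlogon
# key normally carries no Shell or Userinit value at all, so any there is flagged.
WINLOGON_DEFAULTS = {"Shell": "explorer.exe",
                     "Userinit": r"c:\windows\system32\userinit.exe"}
# Heuristic chosen for this example, not from the report: autostart targets under
# these directories, which is where the sandbox saw the dropped files land.
SUSPECT_DIRS = ("\\appdata\\local\\", "\\temp\\", "\\programdata\\")


def _norm(value: object) -> str:
    return str(value).strip().strip('"').rstrip(",").lower()


def assess(snap: Snapshot) -> List[str]:
    """One finding per deviation from the expected state; [] means nothing seen."""
    findings: List[str] = []
    for hive in ("HKLM", "HKCU"):
        for name, data in snap.get((hive, WINLOGON), {}).items():
            if name in WINLOGON_DEFAULTS and (
                    hive == "HKCU" or _norm(data) != WINLOGON_DEFAULTS[name]):
                findings.append(f"winlogon: {hive}\\{WINLOGON}\\{name} = {data!r}")
        for key in RUN_KEYS:
            tag = "policy-run" if "\\Policies\\" in key else "run"
            for name, data in snap.get((hive, key), {}).items():
                if any(d in _norm(data) for d in SUSPECT_DIRS):
                    findings.append(f"{tag}: {hive}\\{key}\\{name} = {data!r}")
        drt = snap.get((hive, SYSTEM_POLICY), {}).get("DisableRegistryTools")
        if drt not in (None, 0):
            findings.append(f"regedit disabled: {hive} DisableRegistryTools = {drt!r}")
    policy = snap.get(("HKLM", SYSTEM_POLICY), {})
    if policy.get("EnableLUA") == 0:
        findings.append("uac: HKLM EnableLUA = 0 (UAC turned off)")
    if policy.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("uac: HKLM ConsentPromptBehaviorAdmin = 0 (elevate without prompt)")
    for sub in ("Minimal", "Network"):
        if ("HKLM", SAFEBOOT + "\\" + sub) not in snap:
            findings.append(f"safeboot: HKLM\\{SAFEBOOT}\\{sub} missing (Safe Mode impaired)")
    alt = snap.get(("HKLM", SAFEBOOT), {}).get("AlternateShell")
    if alt is not None and _norm(alt) != "cmd.exe":
        findings.append(f"safeboot: AlternateShell = {alt!r}")
    return findings


def live_snapshot() -> Snapshot:
    """Read the watched keys from the local registry (Windows only)."""
    import winreg
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap: Snapshot = {}
    for hive, root in roots.items():
        for sub in WATCHED:
            try:
                with winreg.OpenKey(root, sub, 0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as k:
                    values: Dict[str, object] = {}
                    for i in range(winreg.QueryInfoKey(k)[1]):
                        name, data, _ = winreg.EnumValue(k, i)
                        values[name] = data
                    snap[(hive, sub)] = values
            except OSError:
                continue  # key absent; assess() treats a missing SafeBoot key as a finding
    return snap


# Constructed snapshots. The report names the signatures but not the values
# written, so INFECTED only illustrates the state those signatures describe.
INFECTED: Snapshot = {
    ("HKLM", WINLOGON): {"Shell": r"explorer.exe,C:\Users\Admin\AppData\Local\Temp\ahgor.exe",
                         "Userinit": r"C:\Windows\system32\userinit.exe,"},
    ("HKCU", RUN_KEYS[0]): {"ahgor": r"C:\Users\Admin\AppData\Local\Temp\ahgor.exe -"},
    ("HKCU", RUN_KEYS[2]): {"ahgor": r"C:\Users\Admin\AppData\Local\Temp\ahgor.exe -"},
    ("HKCU", SYSTEM_POLICY): {"DisableRegistryTools": 1},
    ("HKLM", SYSTEM_POLICY): {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0},
    ("HKLM", SAFEBOOT): {"AlternateShell": "cmd.exe"},
    ("HKLM", SAFEBOOT + r"\Network"): {},
}
CLEAN: Snapshot = {
    ("HKLM", WINLOGON): {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"},
    ("HKLM", RUN_KEYS[0]): {"VMware User Process": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr"},
    ("HKLM", SYSTEM_POLICY): {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5},
    ("HKLM", SAFEBOOT): {"AlternateShell": "cmd.exe"},
    ("HKLM", SAFEBOOT + r"\Minimal"): {},
    ("HKLM", SAFEBOOT + r"\Network"): {},
}

if __name__ == "__main__":
    import sys
    snap = live_snapshot() if sys.platform == "win32" else INFECTED
    for line in assess(snap) or ["no findings"]:
        print(line)
```

Run it with an elevated prompt on the suspect host; on any other OS it exercises the constructed `INFECTED` snapshot. A finding is a deviation to look at, not proof of this sample: an `EnableLUA = 0` or a missing `SafeBoot\Minimal` key can be an administrator's doing, and the Run-key heuristic will flag legitimate per-user installers that live under `AppData\Local`. What it does give you is the same set of locations the report's signatures fired on, checked in one pass.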

Processes

  • C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe
    "C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2368
    • C:\Users\Admin\AppData\Local\Temp\ahgor.exe
      "C:\Users\Admin\AppData\Local\Temp\ahgor.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:3012
    • C:\Users\Admin\AppData\Local\Temp\ahgor.exe
      "C:\Users\Admin\AppData\Local\Temp\ahgor.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • System Location Discovery: System Language Discovery
      • System policy modification
      PID:2148

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Program Files (x86)\cfaedhiegvgsokcsbtwrvuy.vxm

          Filesize

          280B

          MD5

          a101f59dc8df558387c5812573242d08

          SHA1

          d96a2704a3a56455c21653bbaf21c2ee7368c223

          SHA256

          de9e271f181bc479f973f02b08ff7090a04dc77ecbb49e09df881c16ea04d116

          SHA512

          331c3c8f773f273588854a797572c9aa8e086147b9053b5b0496827128426ffaa59f5c6216e3c2c97df66f6b8dbd132c278e46832c7c8edde478b5ffbedf399e

        • C:\Program Files (x86)\cfaedhiegvgsokcsbtwrvuy.vxm

          Filesize

          280B

          MD5

          c8ad36c2a9c426876ccbf3bf25ed0a5e

          SHA1

          23d1e834926a6f61863c02eea508a477be77886a

          SHA256

          0646865d81b1745e3d87b68ad15d27271eb79049951f71611251943c1e4a2e50

          SHA512

          cdcdf42b0acfcd21a61ff45d47f85f30d96bfaa341013bd18a19fbac671949ece0fe0a01564ad756f34701938e91a6a0889a917917306589372c19b0d696b887

        • C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm

          Filesize

          280B

          MD5

          c6b72a6b2d241bff801c01e30441e334

          SHA1

          50e1dc96bec63c1436372d61ae5cd11cf4c389fc

          SHA256

          1f66e861beb6fae228069b4dffe2cf87d85092eb49643abfa06b4e1f5d9037ee

          SHA512

          07199ee879d9ea128766ea3f99e0638522fa0e371ec3214cd0c13a6e0c10fb1293146df2129f020895e29739821886cfc140db72972863657df14e53ecca58c4

        • C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm

          Filesize

          280B

          MD5

          523e0655896f97b87cd6dbbf5a1f473c

          SHA1

          3f21d23a353d5ce60589b6ebedbf0615f0808c90

          SHA256

          7ea10530e0ed6b048302e7e7676d3d7a068447a8de921f96f0e290d8146db60b

          SHA512

          3ed6a16f7208f07bf0b6f01be4a5b3f080dac6ca92b342986577819e38567996f28fd46da21a6cf4160ba0f1f8e84cb3b0da402fc8213b721c1ee8e445b11f03

        • C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm

          Filesize

          280B

          MD5

          d0c936f8694a9a4fb587f768d45d00b2

          SHA1

          9567724eec5541a5153493b8e5baea1e845227fc

          SHA256

          836e0ecf4ec98bae24aa0adf4921a57e398dba9fe79cf135f50d478af8380f44

          SHA512

          751147eba668e836735adaad0c2f8c8795d0f466c5e1c19dd1f4d278482f2e7ff73ce0ad7818a9461412458d4fcd63036f53c5ee5cee844d1ffcda40021f80a3

        • C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm

          Filesize

          280B

          MD5

          a127b6bb98ca5882f12d63ebca907925

          SHA1

          443fec890c0216c27a7f2cadd3570aba5cdf9c4b

          SHA256

          a78d8e706c1fddb96b611cc7ccd29542e73c767373c96af452573d5765a70274

          SHA512

          22001df82bba6a42fcb45051ea883fbe53ff5a6bf71790497ad518201930e2eff8898f44309993c59a80f692f975022ef1fbb8a130d9797b18b8e8dbcbc525ee

        • C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm

          Filesize

          280B

          MD5

          54e18c8d056da40ce706109669410d91

          SHA1

          1df4712c17aa4305262440df11d05d3e0b5d9597

          SHA256

          99bb0c81a7b68282d51fc134a7c3e092891793ec7dc90f9a3274e495c8d21899

          SHA512

          16a98ca9033858e04a8c665d285c39618e67d37d511638a47947a649cee838d27ed787c98e632442637668d999f4d881901348281e40bafa425cc3085efec94c

        • C:\Users\Admin\AppData\Local\pdjyixjqddzwdknoilzfuetfmzzvszgjke.vbq

          Filesize

          4KB

          MD5

          4f57095f27adcc023d3401c023fedae3

          SHA1

          02f460a263f9298b0e6a7ec04e8a72a91292857f

          SHA256

          60fda659ac265a9fa8743fe4aa9fce3edfee70e84f91c33e4228a1bb5157471f

          SHA512

          6cefe0e8236b19f6d3c87be223bb0186e4d0d3d10a8938f4c97b9ee88cdde57fe4b744014d0ac05ebb16e7775a6ec71eea988669f849829bde39c7bb8268a836

        • \Users\Admin\AppData\Local\Temp\ahgor.exe

          Filesize

          1.2MB

          MD5

          6f451a41c9f96a5c513b4954680286f9

          SHA1

          06456a5c776552246efaea2153cd408aa9320c0b

          SHA256

          a32541929feeba2e8f57866fde0354d9354b20638f2a128189b55d351db60614

          SHA512

          82a11fa921cc237d825ba7035bc8fa1e9c3325a26a0ad8aa10fccc163496da0c2e4e63b4ae90f1ffa49ba93ebd33a69d27d7b8f74d8382f264ed8bb53cfdfb32
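A detail worth noticing in the list above: `cfaedhiegvgsokcsbtwrvuy.vxm` is written seven times, always 280 bytes, and every write has a different hash. Hashes of that file are therefore useless as indicators; its name and locations (`Program Files (x86)` and `AppData\Local`) are what to hunt for. The `ahgor.exe` payload (1.2 MB, larger than the 692 KB parent, so not a plain self-copy) and the `.vbq` file each appear once, so their hashes can be used as they stand. The following is an added example, not code from the sandbox: it applies that rule automatically to the entries copied from the report, keeping a hash as an indicator only when the report never showed it varying, and then checks a directory tree against the result. Displayed sizes are rounded by the sandbox and are carried only for reference.

```python
"""Turn this report's 'Downloads' list into host IOCs and look for them in a
directory tree. Added example, not from the sandbox. Entries are copied from the
report (path, displayed size, SHA-256); sizes are shown rounded by the sandbox,
so they are carried for reference and not matched on."""
from __future__ import annotations
import hashlib
import ntpath
import os
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Set, Tuple

Dropped = Tuple[str, str, str]  # (path as printed, displayed size, sha256)

REPORT: List[Dropped] = [
    (r"C:\Program Files (x86)\cfaedhiegvgsokcsbtwrvuy.vxm", "280B",
     "de9e271f181bc479f973f02b08ff7090a04dc77ecbb49e09df881c16ea04d116"),
    (r"C:\Program Files (x86)\cfaedhiegvgsokcsbtwrvuy.vxm", "280B",
     "0646865d81b1745e3d87b68ad15d27271eb79049951f71611251943c1e4a2e50"),
    (r"C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm", "280B",
     "1f66e861beb6fae228069b4dffe2cf87d85092eb49643abfa06b4e1f5d9037ee"),
    (r"C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm", "280B",
     "7ea10530e0ed6b048302e7e7676d3d7a068447a8de921f96f0e290d8146db60b"),
    (r"C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm", "280B",
     "836e0ecf4ec98bae24aa0adf4921a57e398dba9fe79cf135f50d478af8380f44"),
    (r"C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm", "280B",
     "a78d8e706c1fddb96b611cc7ccd29542e73c767373c96af452573d5765a70274"),
    (r"C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm", "280B",
     "99bb0c81a7b68282d51fc134a7c3e092891793ec7dc90f9a3274e495c8d21899"),
    (r"C:\Users\Admin\AppData\Local\pdjyixjqddzwdknoilzfuetfmzzvszgjke.vbq", "4KB",
     "60fda659ac265a9fa8743fe4aa9fce3edfee70e84f91c33e4228a1bb5157471f"),
    (r"\Users\Admin\AppData\Local\Temp\ahgor.exe", "1.2MB",
     "a32541929feeba2e8f57866fde0354d9354b20638f2a128189b55d351db60614"),
]


@dataclass
class IocSet:
    stable: Dict[str, str]   # sha256 -> basename; the hash never varied in the report
    names: Dict[str, bool]   # lowercase basename -> True if its hash varied


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(entries: Iterable[Dropped]) -> IocSet:
    """Keep a hash as an IOC only when every write of that file name produced the
    same digest; a name written repeatedly with different digests is matched by
    name alone."""
    by_name: Dict[str, Set[str]] = defaultdict(set)
    for path, _size, digest in entries:
        by_name[ntpath.basename(path).lower()].add(digest.lower())
    stable = {h: n for n, hs in by_name.items() if len(hs) == 1 for h in hs}
    names = {n: len(hs) > 1 for n, hs in by_name.items()}
    return IocSet(stable, names)


def match_files(files: Iterable[Tuple[str, bytes]], iocs: IocSet) -> List[Tuple[str, str, str]]:
    """(kind, path, detail) per hit. A hash hit is strong; a name hit is weak and
    says whether the report itself showed that file's hash changing."""
    hits: List[Tuple[str, str, str]] = []
    for path, data in files:
        digest = sha256_hex(data)
        name = ntpath.basename(path).lower()
        if digest in iocs.stable:
            hits.append(("hash", path, digest))
        elif name in iocs.names:
            why = "hash varies per write" if iocs.names[name] else "hash differs from report"
            hits.append(("name", path, why))
    return hits


def scan_tree(root: str, iocs: IocSet) -> Iterator[Tuple[str, str, str]]:
    """Walk root and hash every readable file (whole-file reads: fine for a
    profile directory, not for a full volume)."""
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            yield from match_files([(full, data)], iocs)


if __name__ == "__main__":
    import sys
    iocs = classify(REPORT)
    print("hash IOCs:", sorted(iocs.stable.values()))
    print("name-only IOCs:", sorted(n for n, varies in iocs.names.items() if varies))
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".", iocs):
        print(*hit)
```

Pointed at a user profile (`python ioc_scan.py "C:\Users\<user>\AppData\Local"`), a `hash` hit on `ahgor.exe` is a confident match to this exact sample; a `name` hit on `ahgor.exe` with a differing hash is still worth pulling, since the same dropper repacked would keep its file name while every byte-level indicator changes. The `.vxm` name is only ever reported by name, which is the correct strength for an indicator the report itself showed to be unstable.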