Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/10/2024, 04:57

General

  • Target

    962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe

  • Size

    692KB

  • MD5

    9f204136a8f8ecb9d4bd46eb5a531db0

  • SHA1

    26b06fe7d8b65065090fc529fc80795a32a59a15

  • SHA256

    962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437

  • SHA512

    3159250cda528bed0f7ce897116c8726bedff840d4ce321459245ac049a5bb0ac1703070048096a2d087af8c0018639785817331ee8989544301353ac11bd9a6

  • SSDEEP

    12288:rXgvmzFHi0mo5aH0qMzd5807FJTPJQPDHvd:rXgvOHi0mGaH0qSdPFJ14V

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • UAC bypass 3 TTPs 12 IoCs
  • Adds policy Run key to start application 2 TTPs 25 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 36 IoCs
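
The signatures above name registry-backed behaviours (Winlogon modified, UAC bypassed, policy Run key, RegEdit disabled, Safe Mode boot impaired, Run keys added) but not the values written. The script below is an added example, not part of the sandbox report or of any vendor's tooling: it checks the standard registry location behind each category against its stock Windows 10 value. The key paths, the assumed defaults, and the two heuristics (autostart commands living in user-writable directories, SafeBoot subkeys whose class is not one Windows creates) are this example's own assumptions, not findings from the report. The judging functions take captured values so they can be exercised off-box; `collect()` reads the live registry and only works on Windows.

```python
"""Registry checks for the signature categories listed above.

Added example; not part of the sandbox report or of any vendor tool.  The
report names behaviours, not the values written, so each category is checked
at its usual location against the stock Windows 10 value (assumed below).
Reading the registry (winreg, Windows only) is kept apart from judging so the
judging functions can run anywhere against captured values.
"""

HKLM, HKCU = "HKLM", "HKCU"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_SYSTEM = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAFEBOOT = r"SYSTEM\CurrentControlSet\Control\SafeBoot"

EXPECTED = {  # (hive, key, value name) -> stock data; absent means the default applies
    (HKLM, WINLOGON, "Shell"): "explorer.exe",            # Modifies WinLogon
    (HKLM, WINLOGON, "Userinit"): r"C:\Windows\system32\userinit.exe,",
    (HKLM, POLICY_SYSTEM, "EnableLUA"): 1,                # UAC bypass
    (HKLM, POLICY_SYSTEM, "ConsentPromptBehaviorAdmin"): 5,
    (HKLM, SAFEBOOT, "AlternateShell"): "cmd.exe",        # Impair Defenses: Safe Mode Boot
}
FORBIDDEN = [(h, POLICY_SYSTEM, "DisableRegistryTools") for h in (HKLM, HKCU)]  # non-zero = RegEdit off
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")  # assumed heuristic
SAFEBOOT_CLASSES = {"driver", "service", "driver group"}  # (Default) of Windows' own subkeys


def judge_fixed_values(observed):
    """observed: {(hive, key, value name): data or None}.  Absent values are fine."""
    def same(got, want):
        return str(got).strip().lower() == want.lower() if isinstance(want, str) else got == want
    return ["%s\\%s\\%s = %r (expected %r)" % (loc + (observed[loc], want))
            for loc, want in EXPECTED.items()
            if observed.get(loc) is not None and not same(observed[loc], want)]


def judge_forbidden_values(observed):
    return ["%s\\%s\\%s = %r" % (loc + (observed[loc],))
            for loc in FORBIDDEN if observed.get(loc) not in (None, 0)]


def judge_run_entries(entries):
    """entries: {(hive, key): {name: command}}.  Policies\\Explorer\\Run is empty on a
    stock system, so anything there is reported; plain Run entries are reported when
    the command lives in a user-writable directory (the dropped EXE ran from %TEMP%)."""
    return ["%s\\%s\\%s -> %s" % (hive, key, name, cmd)
            for (hive, key), values in entries.items() for name, cmd in values.items()
            if key == POLICY_RUN or any(p in str(cmd).lower() for p in USER_WRITABLE)]


def judge_safeboot(modes):
    """modes: {'Minimal' | 'Network': {subkey: (Default)}}.  Windows only creates
    subkeys of class Driver, Service or Driver Group; anything else was added later."""
    return ["SafeBoot\\%s\\%s = %r" % (mode, sub, cls)
            for mode, subs in modes.items() for sub, cls in subs.items()
            if str(cls).strip().lower() not in SAFEBOOT_CLASSES]


def collect():
    """Read the live registry through the 64-bit view.  Windows only."""
    import winreg
    hives = {HKLM: winreg.HKEY_LOCAL_MACHINE, HKCU: winreg.HKEY_CURRENT_USER}

    def opened(hive, key):
        return winreg.OpenKey(hives[hive], key, 0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY)

    def value(hive, key, name):  # None when the key or the value is absent
        try:
            with opened(hive, key) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return None

    def values(hive, key):  # {name: data} for every value directly under key
        try:
            with opened(hive, key) as k:
                return dict(winreg.EnumValue(k, i)[:2] for i in range(winreg.QueryInfoKey(k)[1]))
        except OSError:
            return {}

    def subkey_defaults(hive, key):  # {subkey: its (Default) data}
        try:
            with opened(hive, key) as k:
                subs = [winreg.EnumKey(k, i) for i in range(winreg.QueryInfoKey(k)[0])]
        except OSError:
            return {}
        return {s: value(hive, key + "\\" + s, "") for s in subs}

    fixed = {loc: value(*loc) for loc in list(EXPECTED) + FORBIDDEN}
    runs = {(h, k): values(h, k) for h in (HKLM, HKCU) for k in (RUN, POLICY_RUN)}
    safe = {m: subkey_defaults(HKLM, SAFEBOOT + "\\" + m) for m in ("Minimal", "Network")}
    return fixed, runs, safe


if __name__ == "__main__":
    fixed, runs, safe = collect()
    found = (judge_fixed_values(fixed) + judge_forbidden_values(fixed)
             + judge_run_entries(runs) + judge_safeboot(safe))
    print("\n".join("FINDING: " + f for f in found) or "no deviations from stock values")
    raise SystemExit(1 if found else 0)
```

Run it elevated on the suspect host; exit status 1 means at least one deviation was found. An empty result does not clear the host: the report counts 64 IoCs under "Adds Run key" and 36 under "System policy modification", and this script only samples the best-known locations for each category.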

Processes

  • C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe
    "C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1676
    • C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe
      "C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:3996
    • C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe
      "C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • System policy modification
      PID:1408
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1960

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd

            Filesize

            280B

            MD5

            7e835d81dbb79b602ba8fe3b43471997

            SHA1

            8e9f529a62a1cf04283aacca0ec1384e1300c290

            SHA256

            39a104e8b02c7eb35c15e6443138dae09b210ab43c49274f452d08e03d3df2d3

            SHA512

            181e41124e53852e6842994fd6f63e1edee8220592beb01aefbbfc93a5147d99bd4a0ab2a8e15ae8ba50b7435b2c971580d70b43bd4c5a5e0be86b26fff317bd

          • C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd

            Filesize

            280B

            MD5

            b728f74676dfc87628f6f9599010dac2

            SHA1

            4e296ba99521ce2776cc9924374056a22a866667

            SHA256

            939298081be30fcb9aac7ccbf306dbe884fd3652475e511b12d36eb538eed11a

            SHA512

            b3f5b078b3ab2be404edd8302fd5b2a560f0593cfafb60099123a399759f22f68aaefb59d9befb70c3ce0808accb7ec3e60e352b73b0b9ebf77dcbe757d5e4ab

          • C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd

            Filesize

            280B

            MD5

            8918ce30c8bf8f6255e5410daa42c135

            SHA1

            da3e1f86abd31a71c3e6f9cb5ad12749c7922190

            SHA256

            ff6d1a6645fa3e3b25aee3299ee81766cd053b42fa1e67a450cd17cbb2b21b1c

            SHA512

            8cb4257bf4c7a76b0392cb37380200f4ccfd6b3db8fd840534bf8b33d887d3be8eee451cac8a9efbda28556ed7e194ae1a78c908babefbc2e211b8d458c7b3f1

          • C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd

            Filesize

            280B

            MD5

            df5aa2624534cd11411c127bbe7eeb84

            SHA1

            88e049c829f58ebf5ca9639f23b4634a24be7952

            SHA256

            2578a5bf688dc8ee78eebc26ae73138a524295040999b3f1501034d6598becc7

            SHA512

            bf82ee46c03a35fed0d752188ae780945ee02d139b03a0833e306b382bf311ccb24a8301e31cafc63823120771d779e484bbbaf34afa32934b18082b17d1a560

          • C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd

            Filesize

            280B

            MD5

            cef31abac405a5242d482de0585fd3e8

            SHA1

            989751aed20af6ddd93a7c75e2e1ddb6dee87c66

            SHA256

            186d3aff0d3fee32679cf6641d42c1f6ea61065592d1bfa1c52081093aa7ec53

            SHA512

            4e9856cb46d777d93c55b849e5e6caa31dd4f409d896e5dc39ec16028b2a00447a460d24b557c0fc5a5e79a00138c67d310181ddfc08b880059e0426b4decc3e

          • C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd

            Filesize

            280B

            MD5

            def9682b0acdaf1006737dec10c6b131

            SHA1

            d59b43fa1e42cb64ba26b7b2e86228c3f1f2db14

            SHA256

            1031071db80371e628841bbd8e137748bced0dd752067af6915a1bd57934bf3d

            SHA512

            a62d5af33e48a5cf99df7893abddc7e90857bac3013325125a44c4202cd3ac207e52aa3ec5e5b642b4b79eca2a6a236e397b05d59afe40a8a0f5ca113d159c36

          • C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe

            Filesize

            1.2MB

            MD5

            92fed7521129bd635097c0790c2dee8a

            SHA1

            8548b39b7f34783d260cab61401413992cd0ae95

            SHA256

            721eac4c690533ed896b3ec2c6251b59f07b10d10c8648d1681fcc94384b7a1a

            SHA512

            64ff8ea5f00e24261214092dc3817cc6df5e1ea7dc2d75f785b5b19c280b6f26fd4f7643ce164514d5b3b505839f43f03a0e259049a0b43e0a619949af45ccca

          • C:\Users\Admin\AppData\Local\ajmzpxeozgpambvcydyhkxnvcmxenykz.awb

            Filesize

            4KB

            MD5

            229dd9c5581596dc76c4c61ffe7e6f44

            SHA1

            0eb307d98d0a83665709c3621eb92ae7de99220a

            SHA256

            b51c192bac5849ddeec85f0bc9f65a692ba4332b5911cfcabaa8a1dc38ab4d04

            SHA512

            38b4ce99a7b6f2661dd94e490a0e932d0862667d089a2adfe43abccc7c34af77affa71038afbb62bfd8e6acd63de3377a34483ae996159c8a302e10090dbcb3a

          • C:\Users\Admin\AppData\Local\fdvxczvuuqooptcyjdnld.khd

            Filesize

            280B

            MD5

            ab8654b07f180f4dab536cee4622f81b

            SHA1

            a93691167a1a8b0c601e798b8210193e5dac96ba

            SHA256

            eda4080fa975f15201efba273bd58b690736dfb03aa0318a7862ff4b596fa902

            SHA512

            2cc4cafba25e1dc44370417229daf861d4a9ab92204e326abc1bc999bc968e65609d264348b3949ceb2aa265d91d30603563956ae30fdfabefb11a816d47c3f6
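
The Downloads list above is the hash material an analyst would turn into file IoCs. The script below is an added example, not part of the sandbox report: it transcribes the SHA-256 column (plus the submitted sample) into a lookup table and matches local files against it. It also surfaces the caveat the list carries: the same Program Files path appears six times with six different hashes within a single 120-second run, so for that file the path is the indicator and the hash is not. Function names and the command-line wrapper are this example's own; the MD5, SHA-1 and SHA-512 columns are left out.

```python
"""Match files against the dropped-file hashes listed in Downloads above.

Added example; not part of the sandbox report.  IOCS is transcribed from the
report (path as seen in the sandbox, size, SHA-256).  Function names are this
script's own.
"""
import hashlib
import sys
from collections import defaultdict
from pathlib import Path

SAMPLE_SHA256 = "962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437"
KHD = r"C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd"
IOCS = [
    (KHD, "280B", "39a104e8b02c7eb35c15e6443138dae09b210ab43c49274f452d08e03d3df2d3"),
    (KHD, "280B", "939298081be30fcb9aac7ccbf306dbe884fd3652475e511b12d36eb538eed11a"),
    (KHD, "280B", "ff6d1a6645fa3e3b25aee3299ee81766cd053b42fa1e67a450cd17cbb2b21b1c"),
    (KHD, "280B", "2578a5bf688dc8ee78eebc26ae73138a524295040999b3f1501034d6598becc7"),
    (KHD, "280B", "186d3aff0d3fee32679cf6641d42c1f6ea61065592d1bfa1c52081093aa7ec53"),
    (KHD, "280B", "1031071db80371e628841bbd8e137748bced0dd752067af6915a1bd57934bf3d"),
    (r"C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe", "1.2MB",
     "721eac4c690533ed896b3ec2c6251b59f07b10d10c8648d1681fcc94384b7a1a"),
    (r"C:\Users\Admin\AppData\Local\ajmzpxeozgpambvcydyhkxnvcmxenykz.awb", "4KB",
     "b51c192bac5849ddeec85f0bc9f65a692ba4332b5911cfcabaa8a1dc38ab4d04"),
    (r"C:\Users\Admin\AppData\Local\fdvxczvuuqooptcyjdnld.khd", "280B",
     "eda4080fa975f15201efba273bd58b690736dfb03aa0318a7862ff4b596fa902"),
    (r"C:\Users\Admin\AppData\Local\Temp\%sN.exe" % SAMPLE_SHA256, "692KB", SAMPLE_SHA256),
]


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_index(iocs=IOCS):
    """SHA-256 -> sorted list of report paths that carried that content."""
    idx = defaultdict(set)
    for path, _size, digest in iocs:
        idx[digest.lower()].add(path)
    return {d: sorted(p) for d, p in idx.items()}


def volatile_paths(iocs=IOCS):
    """Paths listed with more than one distinct hash.  The sandbox captured six
    versions of the Program Files .khd file in one run, so its hash is not a
    stable indicator; match that artefact on path (and size) instead."""
    seen = defaultdict(set)
    for path, _size, digest in iocs:
        seen[path].add(digest.lower())
    return {p: len(d) for p, d in seen.items() if len(d) > 1}


def match_bytes(data: bytes, iocs=IOCS):
    """Report paths whose content matches `data`; [] when the content is unknown."""
    return hash_index(iocs).get(sha256_of(data), [])


def match_files(paths, iocs=IOCS):
    """Scan local files; yields (local path, matching report paths) for hits only."""
    for p in paths:
        hits = match_bytes(Path(p).read_bytes(), iocs)
        if hits:
            yield p, hits


def named_after_sha256(filename: str, digest: str) -> bool:
    """The submitted target is named after its own SHA-256 (with an 'N.exe'
    suffix); a file whose name disagrees with its content was renamed or altered."""
    return filename.lower().startswith(digest.lower())


if __name__ == "__main__":
    for hit_path, report_paths in match_files(sys.argv[1:]):
        print(hit_path, "matches", ", ".join(report_paths))
    for path, n in volatile_paths().items():
        print("note: %s was seen with %d different hashes" % (path, n))
```

Pass the files to check as arguments. The size column is kept alongside the hash because, for the rewritten .khd file, path plus a 280-byte size is the only stable combination the report offers.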