Analysis

  • max time kernel   150s
  • max time network  153s
  • platform          windows10-2004_x64
  • resource          win10v2004-20241007-en
  • resource tags     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted         13-11-2024 01:03

General

  • Target   c49a6d6259d7090608badcb4853eefb1be958577dc417ec124fa313c71f8c77fN.exe
  • Size     9.4MB
  • MD5      c783a3b20315ef5554b629946af2e450
  • SHA1     d48a797b6186b0bda4bf4ba4b4981b8ebea17e07
  • SHA256   c49a6d6259d7090608badcb4853eefb1be958577dc417ec124fa313c71f8c77f
  • SHA512   332d04fa682e7b12d3d2df697fa9e2209ff0dffa99535d2860c87cb38d4c6598a16ab75bdba31fbc07b8b2b160145bbc2fb75327264c25b6074e66bcc301fbb0
  • SSDEEP   6144:tSK/ymZ3ctTWQHf5ctj8jRi2WGKMSVT86JQPDHDdx/Qtqp:ue0TlHf55RShPJQPDHvd

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
  • UAC bypass (3 TTPs, 12 IoCs)
  • Adds policy Run key to start application (2 TTPs, 23 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (2 IoCs)
  • Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
  • Adds Run key to start application (2 TTPs, 64 IoCs)
  • Checks whether UAC is enabled (1 TTP, 6 IoCs)
  • Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTP, 3 IoCs)

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service (7 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory (4 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (22 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)
  • System policy modification (1 TTP, 36 IoCs)
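Most of the signatures above are registry writes (Winlogon, Run and policy Run keys, DisableRegistryTools, the UAC policy values, SafeBoot), so the same findings can be reproduced after the fact from a registry export taken on a suspect host. The script below is an added example, not part of the sandbox report and not code from the sample: it parses the subset of .reg syntax that regedit exports (key headers, quoted strings, dword values) and flags the categories the report lists. The export text is constructed; the key paths and value names are the standard Windows locations, and the default Shell/Userinit values it compares against are the stock Windows ones. The read-only checks in the list (location and language lookup, "Checks whether UAC is enabled", the external IP lookup) leave no trace in an export and need API or network telemetry instead.

```python
"""Triage a Windows registry export (.reg) for the persistence and
defense-impairment indicators that a sandbox report of this kind lists.

Added example: SAMPLE_REG is constructed; key paths and value names are the
standard Windows locations, not values taken from the report above.
"""
import re
from typing import Dict, List, Tuple

# Constructed regedit-style export. Real exports are UTF-16LE with a BOM;
# load them with open(path, encoding="utf-16").read().
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\dropped.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\Users\\Admin\\AppData\\Local\\Temp\\dropped.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"svc"="C:\\Program Files (x86)\\dropped.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dropped]
@="Service"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _decode(raw: str) -> object:
    """Decode dword: and quoted string values; leave other types (hex:, ...) raw."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path: {value name: value}}; the (Default) value is stored under ""."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1) or ""] = _decode(m.group(2))
    return keys


# Standard locations the report's signatures correspond to.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
POLICY_RUN_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run$", re.I)
POLICY_SYSTEM_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$", re.I)
SAFEBOOT_RE = re.compile(r"\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(Minimal|Network)\\[^\\]+$", re.I)

Finding = Tuple[str, str, str, object]  # (category, key path, value name, value)


def triage(keys: Dict[str, Dict[str, object]]) -> List[Finding]:
    """Map registry contents onto the signature categories used in the report."""
    findings: List[Finding] = []
    for key, values in keys.items():
        if key.lower() == WINLOGON_KEY.lower():
            # Winlogon persistence: anything appended to Shell or Userinit runs at logon.
            if str(values.get("Shell", DEFAULT_SHELL)).strip().lower() != DEFAULT_SHELL:
                findings.append(("winlogon_persistence", key, "Shell", values["Shell"]))
            userinit = str(values.get("Userinit", DEFAULT_USERINIT)).strip().lower().rstrip(",")
            if userinit != DEFAULT_USERINIT:
                findings.append(("winlogon_persistence", key, "Userinit", values["Userinit"]))
        elif POLICY_RUN_RE.search(key):
            findings.extend(("policy_run_key", key, n, v) for n, v in values.items())
        elif RUN_KEY_RE.search(key):
            findings.extend(("run_key", key, n, v) for n, v in values.items())
        elif POLICY_SYSTEM_RE.search(key):
            if values.get("DisableRegistryTools") == 1:
                findings.append(("disable_regedit", key, "DisableRegistryTools", 1))
            if values.get("EnableLUA") == 0:          # UAC switched off entirely
                findings.append(("uac_disabled", key, "EnableLUA", 0))
            if values.get("ConsentPromptBehaviorAdmin") == 0:  # elevate without prompting
                findings.append(("uac_no_prompt", key, "ConsentPromptBehaviorAdmin", 0))
        elif SAFEBOOT_RE.search(key):
            # Every entry is reported; diff against a known-good host to separate
            # legitimate services from ones added to survive a Safe Mode boot.
            findings.append(("safeboot_entry", key, "", values.get("", "")))
    return findings


if __name__ == "__main__":
    for cat, key, name, val in triage(parse_reg(SAMPLE_REG)):
        print(f"{cat:22} {key}\\{name or '(Default)'} = {val!r}")
```

SafeBoot\Minimal and SafeBoot\Network legitimately contain many service and driver entries, so the script reports all of them rather than guessing a baseline; compare the list against an export from a clean build of the same image. Run keys are reported unconditionally for the same reason.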

Processes

  • C:\Users\Admin\AppData\Local\Temp\c49a6d6259d7090608badcb4853eefb1be958577dc417ec124fa313c71f8c77fN.exe
    "C:\Users\Admin\AppData\Local\Temp\c49a6d6259d7090608badcb4853eefb1be958577dc417ec124fa313c71f8c77fN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2268
    • C:\Users\Admin\AppData\Local\Temp\vgnqbcl.exe
      "C:\Users\Admin\AppData\Local\Temp\vgnqbcl.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:1604
    • C:\Users\Admin\AppData\Local\Temp\vgnqbcl.exe
      "C:\Users\Admin\AppData\Local\Temp\vgnqbcl.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • System policy modification
      PID:3500
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1192
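The tree shows the submitted sample writing vgnqbcl.exe into the same Temp directory and then starting it twice with a "-" argument, which is what the "Executes dropped EXE" signature records; the rundll32 SHCreateLocalServerRunDll launch is a separate root process with no signatures attached. The script below is an added example, not taken from the report or the sample, that derives the same finding from endpoint telemetry by correlating file-create events with later process-create events whose image is the file just written, and matches process hashes against the report's SHA256 for vgnqbcl.exe. The events are constructed in the shape of Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate) records; the PIDs, paths and command lines mirror the tree above, while the parent PIDs 812 and 700 and the event ordering are assumptions.

```python
"""Reproduce the "Executes dropped EXE" signature and an IoC hash match from
process/file telemetry.

Added example: EVENTS is constructed in the shape of Sysmon Event ID 11 and
Event ID 1 records. Paths and PIDs mirror the report's process tree; the
parent PIDs 812 and 700 and the ordering are assumed.
"""
import re
from typing import Dict, List, Tuple

# SHA256 of the dropped second stage as listed in the report's Downloads section.
REPORT_IOC_SHA256 = {
    "2183d45504d667aed0461ea2b29a1bc2520ca08f727343d54260b50be0c6c5a4": "vgnqbcl.exe (dropped)",
}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c49a6d6259d7090608badcb4853eefb1be958577dc417ec124fa313c71f8c77fN.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\vgnqbcl.exe"
DROPPED_HASH = "SHA256=2183d45504d667aed0461ea2b29a1bc2520ca08f727343d54260b50be0c6c5a4"

EVENTS = [
    # Constructed: parent PID 812 starts the submitted sample.
    {"EventID": 1, "ProcessId": 2268, "ParentProcessId": 812, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    # The sample writes the second-stage executable (Sysmon EID 11).
    {"EventID": 11, "ProcessId": 2268, "Image": SAMPLE, "TargetFilename": DROPPED},
    # ...and starts it twice with the "-" argument, as in the tree.
    {"EventID": 1, "ProcessId": 1604, "ParentProcessId": 2268, "Image": DROPPED,
     "CommandLine": f'"{DROPPED}" "-"', "Hashes": DROPPED_HASH},
    {"EventID": 1, "ProcessId": 3500, "ParentProcessId": 2268, "Image": DROPPED,
     "CommandLine": f'"{DROPPED}" "-"', "Hashes": DROPPED_HASH},
    # Unrelated COM surrogate launch from the tree; no file-create precedes it.
    {"EventID": 1, "ProcessId": 1192, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
                    r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"},
]

DroppedExec = Tuple[str, int, int, bool]  # (image, writer PID, new PID, started by the writer?)


def find_dropped_executions(events: List[dict]) -> List[DroppedExec]:
    """Flag every process whose image was written earlier in the same stream.

    Events are assumed to be in time order, so a file must be created before
    a process-create for the same path counts as "executes dropped EXE".
    """
    writers: Dict[str, int] = {}
    hits: List[DroppedExec] = []
    for ev in events:
        if ev["EventID"] == 11:
            writers[ev["TargetFilename"].lower()] = ev["ProcessId"]
        elif ev["EventID"] == 1:
            writer = writers.get(ev["Image"].lower())
            if writer is not None:
                hits.append((ev["Image"], writer, ev["ProcessId"], ev["ParentProcessId"] == writer))
    return hits


HASH_RE = re.compile(r"SHA256=([0-9a-fA-F]{64})")


def match_iocs(events: List[dict], iocs: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (PID, image, IoC label) for process-create events whose SHA256 is in iocs."""
    matches = []
    for ev in events:
        if ev["EventID"] != 1:
            continue
        m = HASH_RE.search(ev.get("Hashes", ""))
        if m and m.group(1).lower() in iocs:
            matches.append((ev["ProcessId"], ev["Image"], iocs[m.group(1).lower()]))
    return matches


if __name__ == "__main__":
    for image, writer, pid, by_writer in find_dropped_executions(EVENTS):
        print(f"dropped EXE executed: {image} written by PID {writer}, "
              f"started as PID {pid}{' by the writer itself' if by_writer else ''}")
    for pid, image, label in match_iocs(EVENTS, REPORT_IOC_SHA256):
        print(f"IoC match: PID {pid} {image} -> {label}")
```

The file-create index is keyed on the lower-cased path because Windows paths are case-insensitive; on real Sysmon data you would also scope the correlation to a time window and to the same host, since the same path can be rewritten many times (the report's own Downloads list shows one path dropped repeatedly with different contents).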

Network

MITRE ATT&CK Enterprise v15

Downloads

The same path C:\Program Files (x86)\xglmvubflscfmugvnhjsxyhgnrx.ory appears seven times with different hashes, and C:\Users\Admin\AppData\Local\xglmvubflscfmugvnhjsxyhgnrx.ory twice: the sample rewrites these 272-byte files with new contents during the run, so each entry below is a distinct version of the file, not a duplicate.

  • C:\Program Files (x86)\xglmvubflscfmugvnhjsxyhgnrx.ory (272B)
    MD5     e4d5df84363f10fe1887282ea658f2d2
    SHA1    d9d45dab9f7b1212c2ef5310a2de93302e3f06ab
    SHA256  7c7ba3195df813fcb65ea69fe1eb1a71e6c791cee6efd651feb5f714dd450725
    SHA512  d75aa6b741a34c554e0610613d09ed157a5b74df7d17e241a51136135ae790b8df19c30407b45288aebda91d8394093ae055ac241060b9c2685d05e4bc34a362

  • C:\Program Files (x86)\xglmvubflscfmugvnhjsxyhgnrx.ory (272B)
    MD5     da6eb16282df61aeb6d9471663d7bf19
    SHA1    358e11d883a3d425402df9408b8a51e86c43e34d
    SHA256  e059c8c2cc5324e692786237708038a3e836e56e8cb04c3f23ae5556b4e27200
    SHA512  912cd741a7add78cd4d308d61fb52c152a1b44de92612278e3ecd038eda5dcfd73042b84861ed15b441ba23e5e4ace9b54db597e10fc9eb82a5f3b5f0a383d81

  • C:\Program Files (x86)\xglmvubflscfmugvnhjsxyhgnrx.ory (272B)
    MD5     3614f4fd8f8ae81a679a3a92f159f61a
    SHA1    89d18ea94888111ea55be19ca3213e5d85eb76ec
    SHA256  ad2fe6fee8d470142ffe53acca85faefa5e89899a143192fcbf91ac3229e36e4
    SHA512  27db87ea15457d9a17297742e02fac99a10cb858a22b11caf50ba30e830b56179341596df06dd62a660fa2aad0cec10b7e44765b4b65a69a76a068d7687d8717

  • C:\Program Files (x86)\xglmvubflscfmugvnhjsxyhgnrx.ory (272B)
    MD5     e85559fa97cbb6eea28a9d4a6e67b6c4
    SHA1    dd408916e09e72f80fa6af6b1e79ccf76b4fe6c2
    SHA256  9a4617a12ee6c95b261bbbf444e07b49d5911621fa3d3029b52c83e1b08aa19e
    SHA512  3dcaa027a2a0d43884d6e340a1c194f75a4cfc79be6b52ac615b2f2f4914da4a09fe047faf01e140605be24cdff1b6eb8e6a6d760486e8ce09231732d1adc333

  • C:\Program Files (x86)\xglmvubflscfmugvnhjsxyhgnrx.ory (272B)
    MD5     35dd0a7e937db0d9cbbe9de9c27314b7
    SHA1    0c44703beb5ab6224e95debe0dc518a390712405
    SHA256  71cd47e5d658624c00eb211f48731d134de1107b72472e32e0fb2de819e5d8c7
    SHA512  e44c7974dbbbe52f54b6ad65002032d506dca0cbf81c2667b745150c8af502342ffdbbe685bb4a0ede52e3e7c4134eb31656e1f2bdd08ae04b986afea5763b02

  • C:\Program Files (x86)\xglmvubflscfmugvnhjsxyhgnrx.ory (272B)
    MD5     2a7fac9a7b049d3d99dd98e7736bc8e8
    SHA1    27b8d1705fb5128d07a4405d27761deede505bf1
    SHA256  19acfe81863de4327c3d910647c48f9caabc8be636567738e755689b26e1cbb5
    SHA512  1862a425b1fd52ca51bf91cdc46a62cb49749ec10a9c06ec54e44ccce22a9ad1483bf23ca768df77605d9a7ac96421f58ddba8540e25534f6564413f786faf8b

  • C:\Program Files (x86)\xglmvubflscfmugvnhjsxyhgnrx.ory (272B)
    MD5     9a492cdd49a6c6d07a5fcdcac2f78bf9
    SHA1    9df2b8624044d73b9c8fed80df8df53eaa2b3704
    SHA256  d3bc60af5378c05efd9b2a31ef6a42758bb40a9d23e4da47356fac8429858aab
    SHA512  e332bd2b782a1f12716301ffe8cb505f91e8de6359112a5cdff2d1270b224c003422134dc9153c50557b3f5d6fb2f4639e178253f636f3316820b6856d6bd4e0

  • C:\Users\Admin\AppData\Local\Temp\vgnqbcl.exe (11.5MB)
    MD5     386d3d81c643fad2c7c9d8bc3d640869
    SHA1    68eb7717394fd0f7e7fd00abb729c9b9fdf6d6de
    SHA256  2183d45504d667aed0461ea2b29a1bc2520ca08f727343d54260b50be0c6c5a4
    SHA512  0e16bf91aadebd41d76d2b0af66207ecacd66ac173589b1a9688f9c4c125f6e0457e5381ef06ee8d74b9a26f3f3833c67a91a351f4c45705a28bd04cc81c0dbc

  • C:\Users\Admin\AppData\Local\uoeqkumbskftlebbejwqgsmwodumhvngddglys.uoy (3KB)
    MD5     214b298e4140daa50884ec898bd07042
    SHA1    303119da26fdad7c15a696ef94e1d469069a30a4
    SHA256  0ce086524f7fe6f4b34f4f5ce5bbb51a6cdcc89cc006ee7983c27630358fda31
    SHA512  aed8729aeb5233ab435b01cfa1bc1a919d913e8830483b105b050592c518798f4e8f2d03285f15ce5ce9ace49a7dc61b01cb5115692c20a166aaab174b20ed94

  • C:\Users\Admin\AppData\Local\xglmvubflscfmugvnhjsxyhgnrx.ory (272B)
    MD5     139608fd2050d639dfb895211611c742
    SHA1    99a03bb015676d175c4a74e329a7a3679f2e6f4b
    SHA256  0b40c063f9abb223fc4323b26366961f58d4a79e53dac500eb5fc62b6b21c1ea
    SHA512  4f83fa0e30e2dfbbc6f2cda104792204beda4895fd12d6c8ccfaa047353177f8807948b9b86432a8b7241ee200cd7968e75e132464b4a736138f2f5a675de5d5

  • C:\Users\Admin\AppData\Local\xglmvubflscfmugvnhjsxyhgnrx.ory (272B)
    MD5     e1451aa52509ebe777c3f04333026d47
    SHA1    9fceb6fd378bab8ca569657fae5752902096daee
    SHA256  50c04c6a80d7218c4537c6f1f7cb9ab6adf5fdc1d3aad770b3b02cf90b5916b4
    SHA512  a33ce7451d07880aab032e891c24d0b85b1ea7aea378a160082d3c29dc254e9753139b122fe91cec972d7263168386dd3f8699f9178f219074431032d3051ebf