Analysis

  • max time kernel: 150s
  • max time network: 152s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-11-2024 02:17

General

  • Target: be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe
  • Size: 9.3MB
  • MD5: 8acbaebce4aad71c51039fa86b9a3a31
  • SHA1: dfeeddd2de68073b97ef5c9adc474c15738c4df7
  • SHA256: be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6
  • SHA512: 8c12681fcbec8cd9a4b12eaa8273cafd7f44d4074e8f42928a4eec2d1775cc450b1dfe1f85812d4aba95e022efc18800c7cff680be1ab0c4e693e3e6bca27f0a
  • SSDEEP: 6144:SSK/ymZ3ctTWQHf5w5i5iLCK1/KMSVT86JQPDHDdx/Qtqp:3e0TlHf5w5i5iLCK1/RShPJQPDHvd

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • UAC bypass 3 TTPs 12 IoCs
  • Adds policy Run key to start application 2 TTPs 29 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe (PID 1968)
    Command line: "C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe"
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • System policy modification
    • Child: C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe (PID 1676)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe" "-"
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
    • Child: C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe (PID 380)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe" "-"
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • System Location Discovery: System Language Discovery
      • System policy modification

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\jnsotcedejqjzenyuxlpuqveg.gls
    Filesize: 272B
    MD5: 5b2332375cd8464dac503dcde53effa8
    SHA1: 321d9ab6130ea3d263a08a84500085b39a4cbaad
    SHA256: b16ce95ea55c2d1add6c3055f21db59394e14cd65077564fff82d6efcc87a590
    SHA512: d30e822dade839b209675985f0f2a80cb5896d41bee54e6cd09fff7cc0aa2cd10b96778e878d9283e17223bcbe4c0e2e1c6dbd334a7af9dc4dc97f6780a5adad

  • C:\Program Files (x86)\jnsotcedejqjzenyuxlpuqveg.gls
    Filesize: 272B
    MD5: 2a1bf6e49f52dc89b0ef04144797813d
    SHA1: 8ee38356e90ab4b7ed17775cd78d2288692bd4b4
    SHA256: 30cb9a952965507d7037fe95cf30c4b35772fbf369021ecd2cf4bc23e10175c3
    SHA512: 1284e8d3b885aed5eac9c4a33223350bf928b3dbcae9d03be141a601ebab1824bac6544d30470e94c54a5106a5150e20239a202413b8d2a32d256e13ffd7d532

  • C:\Program Files (x86)\jnsotcedejqjzenyuxlpuqveg.gls
    Filesize: 272B
    MD5: 7a1a34ba183575a6e7ccf4166fff4174
    SHA1: c285613cc2500fa2f1869980a1d8fa9293bbc778
    SHA256: ab37a518a4b3995403f57aeb70edc73398de66c303292d88caa3878e92753e4d
    SHA512: cd70be07ee686f7fcc1941499b5f6f0a84210a14b61846d5c4f12a82afdb92456ad7b1107dd29b92917d873e516acca9ec805bf0e1e24638ad5a4a332c00dea9

  • C:\Program Files (x86)\jnsotcedejqjzenyuxlpuqveg.gls
    Filesize: 272B
    MD5: 9a8c608f11a3ef7bafd176bb24a33d8c
    SHA1: 6b092fa7d34a40d770ae7eab2e4c355759710853
    SHA256: f9b3f4439d9b9637b20f7dd883e2e5bcaafdf3f1a96184ebc012e011436cf6e7
    SHA512: 7e146c6b748e9dc81f1fc6152eb56d24e920a361e96f5079214aeb56a05f26138aa0767b12bb6e545f7badede450a86a00580d13130a4df04453b9de74215d09

  • C:\Program Files (x86)\jnsotcedejqjzenyuxlpuqveg.gls
    Filesize: 272B
    MD5: 96a8f71a254fbd7afb5d2f2f55fe3892
    SHA1: b479d0fbdb259c88527d0d2c1aab6714cb19b9d0
    SHA256: fe15b70982d65aa650c294f14a7e8af41b2266da0eebccd74812bb8efb489372
    SHA512: ffafd965bd6fcd646137d9edb371648107880ebf27c25d5ea8ffab9cb0cea85449e7b34e0d440440a51fc28ef5c51c1d7711c507b756e2ab7366765eb6304b66

  • C:\Program Files (x86)\jnsotcedejqjzenyuxlpuqveg.gls
    Filesize: 272B
    MD5: 66476dec5271649ec1a250303a397dce
    SHA1: c7653948d3c186de6bd9086c17b65e586ac24537
    SHA256: 077aaa472fe27e094cd77a2a393d127c2b3bf506dc66c385996079928728ed66
    SHA512: 37814be8dee6d32c13b0682fa105dd9152288692488c1989660a876257fcb69cf5a0679aae95ecdee642f63a8d103ec889778e19bf55ae9a0f440861f0d1c947

  • C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe
    Filesize: 11.3MB
    MD5: 4e9173379c1a5f2bd310aed24d0173f7
    SHA1: 728dfe6ee560f6bf9f8f3c080bb37147306e0791
    SHA256: d8945b7d4640adb92889f2bce214380c2ac4c0bf98c1bc497f68f71104c8ac4c
    SHA512: 49f1c09055dc8a1770d5829293f85c1015e35aeec2a316b895b35a51d8dc7bf1595683ab206c72da19e87507f4f06f714ac36f2a845025f0fea368d1acf06054

  • C:\Users\Admin\AppData\Local\jnsotcedejqjzenyuxlpuqveg.gls
    Filesize: 272B
    MD5: bd3fb57702fc72224f6d28f3bc382af7
    SHA1: d243f474c3ff146975cceaf4c0dcd75b42eba2f2
    SHA256: 37062e3d243495d6bde0cd9a9ef5f7758fe9851e3a8181af907fecdae57d644c
    SHA512: 7ba488d290c90bb566555992561826abcad3b9f5b1201698b0335622dc102689408d85309ba9a3594a4d9f5b2a1f8bf664bb75f6de2b00720befb9e2c7c9a273

  • C:\Users\Admin\AppData\Local\jnsotcedejqjzenyuxlpuqveg.gls
    Filesize: 272B
    MD5: 9eac7b145307086750cdc0539fbf8729
    SHA1: cd0b40d6125dbe768b2228c4db9001a6fb253072
    SHA256: 32e15c055b163eab9e1dcad44afd402395987e0961f705404ac17747488f1ddc
    SHA512: 81b11da6827ca41d73bfa838a1d7a7a08c20815c296c140a5ba16f4510086c79aa409b2d92e64fc1c3e01aecd87b3705165e766876fd1aec1232b6213b7ab25a

  • C:\Users\Admin\AppData\Local\jnsotcedejqjzenyuxlpuqveg.gls
    Filesize: 272B
    MD5: 66783162b5237395e47765d43f099f21
    SHA1: e401cb433e1d5d37f93a0d401e42512d31154850
    SHA256: 4c94ce74130c9e608240f44886660896e9cfa10397b86cfc65b1b0ec6d0cde07
    SHA512: 197d9c985e29ae4e33843fee45adb248d7c2edb12e0ec029b79af3b7d96d3ec12af693d3c40147391abbe9ac3115e62c9cb815dda419b78813e1befdd78e5ea3

  • C:\Users\Admin\AppData\Local\odtaqkxhtjbfgwqmthgvlsicpzlbtxyoielz.ndk
    Filesize: 3KB
    MD5: 963f2af9132c26a21166f4f05af0f3fe
    SHA1: dcf360ac4d07856151470abede7acd7eb9ceb239
    SHA256: d4981907b3b03ae2d5b673363d5571ced13d6d6e23fe55d9fe5c34c79bbb2aa6
    SHA512: f09d9d63cb2c0a62c9c88c39f320aa6d72757d71543e54b647c5b683e5439805904842f23e4e6ac77311b1423f1d9e3428d849bff43d97e97c03d05137e6455d