Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 02:24

General

  • Target

    40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe

  • Size

    24KB

  • MD5

    80551361d59d5eed8bdb86f25721d0a0

  • SHA1

    815c441cb53112961673dd9c1fbd54bda3fec2d4

  • SHA256

    40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8

  • SHA512

    c4d65fe0a63a418ccb1eadb325151f6d7d138080bb95301b4982c283ebcb4ba1088e7447579eee7e8939a5cd4888747713a98de1b5481e88d58dc7e124deb582

  • SSDEEP

    384:jIz4pE5UCpXa9/ElK4asLjnMM3dnKiXBkucF7Cr+RcQc41GM7yFaCDnJ6IUaNXHR:jIUpNppCPzXBkVF7Cr+RcQAEyouJ6Ij

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops file in Drivers directory 1 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    remove IFEO.

  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 12 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3508
        • C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe
          "C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe"
          2⤵
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2216
          • C:\Windows\SysWOW64\rmass.exe
            "C:\Windows\SysWOW64\rmass.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Windows security modification
            • Indicator Removal: Clear Persistence
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2208
            • C:\Windows\SysWOW64\rmass.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:5012

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\RECOVER32.DLL

        Filesize

        5KB

        MD5

        2b2c28a7a01f9584fe220ef84003427f

        SHA1

        5fc023df0b5064045eb8de7f2dbe26f07f6fec70

        SHA256

        9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb

        SHA512

        39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

      • C:\Windows\SysWOW64\ahuy.exe

        Filesize

        24KB

        MD5

        dab3f5982ee7cb3cb8968be3f6410480

        SHA1

        0bf64e0f871677449aadffb2b5cce1c25a358446

        SHA256

        75da74940d9a60fd6641afceb333e79abd26a27718df65389e8a9c4fbe12c5e5

        SHA512

        33755908e64297b6369be25eb2588e8e9b1cf56e256ebbd2b0ef6f41791cfac26b3312dc39fb8998a1ceb1ee82240e104dd06cc442f3aaf34a574896be04b084

      • C:\Windows\SysWOW64\ntdbg.exe

        Filesize

        25KB

        MD5

        0c16f85595938a294031c1073a1184a6

        SHA1

        1946ade461b693a2075851bfbf87e6fa9676f6ec

        SHA256

        11f6f8109a24ea74e68236ab226e9e2f26f2ae4d82f5f7cbf9a5a9d19207afd5

        SHA512

        7de3ccb40e79a3b7433873b30562e29b30c2703920f862e7584b3911496a79f4feee79c181a82559e989f42e1ceaf396fdda5023cc3469c62b4ad69f0287d1d6

      • C:\Windows\SysWOW64\rmass.exe

        Filesize

        22KB

        MD5

        bcc593790f24b746c7c5d31125939353

        SHA1

        fe83202147da98d84ab0691412eb0fac75846b87

        SHA256

        b76d0b2eb575eaa9d330f4405ed7f22704f3057b20aa60a2a09e4e5ef65a6bd4

        SHA512

        191a3e7fb76022940208e174445aec508fa1e4bd03b6a01eebc7ab6b37401458d6dd140663bdc5bcee256a7eca45997c945949c7d4e4357615e2c9382ecc8bcb

      • memory/2208-4-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

      • memory/2208-39-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

      • memory/2216-3-0x0000000000400000-0x0000000000403000-memory.dmp

        Filesize

        12KB

      • memory/5012-44-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB