Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-11-2024 01:37

General

  • Target
    93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
  • Size
    704KB
  • MD5
    906593a62b364af3cbebf6d28d595531
  • SHA1
    97f124e6394796b8020e5162b04cafcc6ebdf11a
  • SHA256
    93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7
  • SHA512
    cb419c171cdeb5f034e35f7337dee26718b47c6cc55b167e4da79210f34cfa28e843b5a65a5260d9ce96a5a1688d8fdf2d57f4c44d56a8d667ea46ba9b451bd2
  • SSDEEP
    12288:mXgvmzFHi0mo5aH0qMzd5807FIjPJQPDHvd:mXgvOHi0mGaH0qSdPFIl4V

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
  • UAC bypass (3 TTPs, 12 IoCs)
  • Adds policy Run key to start application (2 TTPs, 27 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Impair Defenses: Safe Mode Boot (1 TTP, 3 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 64 IoCs)
  • Checks whether UAC is enabled (1 TTP, 6 IoCs)
  • Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTP, 3 IoCs)

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service (4 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory (4 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (8 IoCs)
  • System policy modification (1 TTP, 36 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
    "C:\Users\Admin\AppData\Local\Temp\93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2556
    • C:\Users\Admin\AppData\Local\Temp\behmv.exe
      "C:\Users\Admin\AppData\Local\Temp\behmv.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:2692
    • C:\Users\Admin\AppData\Local\Temp\behmv.exe
      "C:\Users\Admin\AppData\Local\Temp\behmv.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • System Location Discovery: System Language Discovery
      • System policy modification
      PID:1680

MITRE ATT&CK Enterprise v15

Downloads
