Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 01:11

General

  • Target

    8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe

  • Size

    1.3MB

  • MD5

    9da793b606f0e48141a94caa8eae97f9

  • SHA1

    f459ba585097b971445e92dae8077c4c60e1d7c7

  • SHA256

    8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153

  • SHA512

    8d74a7fa050414e4d93f393a7253cfa23fd62de1fe424e574f6a96bc4be3a79664d3ff1473fe4807936b0105b24b836b98f39ce6c205088e815f1ec57032cba9

  • SSDEEP

    12288:iVgvmzFHi0mo5aH0qMzd5807FAPJQPDHvd:iVgvOHi0mGaH0qSdPFS4V

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • UAC bypass 3 TTPs 12 IoCs
  • Adds policy Run key to start application 2 TTPs 28 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 8 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the victim's system language in order to infer the geographical location of the host.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 36 IoCs
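
The signature names above are the sandbox's labels for registry changes; a responder checking a suspect host wants the same mapping over their own telemetry. The block below is an added example, not sandbox output and not the sample's own code. It maps Sysmon Event ID 13 (RegistryEvent SetValue) records onto the signature names listed above and matches file hashes against the Downloads list further down. The report gives only IoC counts, not the registry values the sandbox matched, so the key paths are an assumption based on what each signature name conventionally refers to (Winlogon Shell/Userinit, the Policies\System UAC values, Policies\Explorer\Run, SafeBoot); the sample events are constructed. Read-only checks (Checks computer location settings, System Language Discovery, Checks whether UAC is enabled) produce no SetValue events and are not covered.

```python
"""
Map Sysmon registry telemetry and file hashes onto the signatures in this report.

Added example, not sandbox output and not the malware's code. The registry
locations are assumptions about what each signature name refers to; the
report itself lists only IoC counts. Events are constructed in Sysmon Event
ID 13 style: a TargetObject path ending in the value name, plus Details.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    target_object: str  # key path ending in the value name, as Sysmon logs it
    details: str        # new data, e.g. "DWORD (0x00000000)" or a REG_SZ string


_DWORD = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")


def dword(details: str):
    """Integer value of a Sysmon 'DWORD (0x...)' Details string, else None."""
    m = _DWORD.search(details)
    return int(m.group(1), 16) if m else None


# (signature name as printed in the report, regex over TargetObject, test on Details)
# Key paths are an assumption about what each signature conventionally matches.
RULES = [
    ("Modifies WinLogon for persistence",
     r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", None),
    ("UAC bypass",
     r"\\CurrentVersion\\Policies\\System\\(EnableLUA|ConsentPromptBehaviorAdmin)$",
     lambda d: dword(d) == 0),
    ("Hijack Execution Flow: Executable Installer File Permissions Weakness",
     r"\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorUser$",
     lambda d: dword(d) == 0),
    ("Adds policy Run key to start application",
     r"\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$", None),
    ("Adds Run key to start application",
     r"\\CurrentVersion\\Run\\[^\\]+$", None),
    ("Disables RegEdit via registry modification",
     r"\\CurrentVersion\\Policies\\System\\DisableRegistryTools$",
     lambda d: dword(d) not in (None, 0)),
    ("Impair Defenses: Safe Mode Boot",
     r"\\CurrentControlSet\\Control\\SafeBoot\\(Minimal|Network)\\", None),
]


def classify(events):
    """Return {signature name: [matching events]} for an iterable of RegEvent."""
    hits = {}
    for ev in events:
        for name, key_re, data_test in RULES:
            if re.search(key_re, ev.target_object, re.IGNORECASE) and \
                    (data_test is None or data_test(ev.details)):
                hits.setdefault(name, []).append(ev)
    return hits


# SHA256 values copied from the Downloads list of this report. The six 280-byte
# .vay files differ on every write, so their hashes are not a stable indicator.
KNOWN_SHA256 = {
    "f568e56727d760abff1abf26b4a6e046ab5c9e3d0da2754770833453782cf3b0":
        r"C:\Users\Admin\AppData\Local\Temp\adlsbip.exe",
    "da8371d36a03b6c08c287d2b009c4e27d037446697ab74e353bc453bb9846aca":
        r"C:\Users\Admin\AppData\Local\rzmymykqgpcqhdmkrnviuiugmclymdzign.req",
}


def match_hashes(observed):
    """observed: {local path: sha256 hex}. Returns {local path: report path}."""
    return {p: KNOWN_SHA256[h.lower()] for p, h in observed.items()
            if h.lower() in KNOWN_SHA256}


# Constructed events resembling what this sample's signatures would produce.
SAMPLE_EVENTS = [
    RegEvent(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
             r"explorer.exe,C:\Users\Admin\AppData\Local\Temp\adlsbip.exe"),
    RegEvent(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
             "DWORD (0x00000000)"),
    RegEvent(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser",
             "DWORD (0x00000000)"),
    RegEvent(r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
             "DWORD (0x00000001)"),
    RegEvent(r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adlsbip",
             r"C:\Users\Admin\AppData\Local\Temp\adlsbip.exe"),
    RegEvent(r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\adlsbip.exe\(Default)",
             "Service"),
    # Benign noise: a Defender signature-version update should match nothing.
    RegEvent(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\AVSignatureVersion",
             "1.0.0.0"),
]

if __name__ == "__main__":
    for name, evs in classify(SAMPLE_EVENTS).items():
        print(f"{name}: {len(evs)} IoC(s)")
```

The Details tests matter: EnableLUA set to 1 is Windows hardening, not a bypass, and DisableRegistryTools set to 0 re-enables the tool, so a rule keyed on the path alone would fire on remediation as well as on infection.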

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
    "C:\Users\Admin\AppData\Local\Temp\8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2252
    • C:\Users\Admin\AppData\Local\Temp\adlsbip.exe
      "C:\Users\Admin\AppData\Local\Temp\adlsbip.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:2636
    • C:\Users\Admin\AppData\Local\Temp\adlsbip.exe
      "C:\Users\Admin\AppData\Local\Temp\adlsbip.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • System policy modification
      PID:3320
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1700

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Program Files (x86)\ebdehijejhjmsdbokvsuvyz.vay

      Filesize

      280B

      MD5

      fcd3aa031cb4d4e26f67ee947a2e3ae6

      SHA1

      860cd835312cab7908cf20ba5793deb52555a8c6

      SHA256

      fcf9a394153cfe1bc1f7168e36ae5c8484905257f4a90e850a57d34acb9eb566

      SHA512

      dee4b7cef57f26278209b6a9ec895887cfb5c64bb09a936f9a2ea4cf73474cfb0735cfb960eaedd68f45b3eec80cda85ee2cadf7cea290760864a2495adce5d5

    • C:\Program Files (x86)\ebdehijejhjmsdbokvsuvyz.vay

      Filesize

      280B

      MD5

      8a2068c666d574edd7aa15d43b80bf04

      SHA1

      b88c03d882b9cb7b64736ab5cfa1d06531ae8522

      SHA256

      e0032eb8f588646bebd0bbb10abf97a183289aa2e1d5ffbf54208436dd890cf6

      SHA512

      ee606024678ca6edf0b37a8d1e1f291befeac7f03050d6725d9a3fcb6649a387894cbab643ff9d1cb88a87ffca8a220f44c4a388e36aaead5ea744a8a50661f3

    • C:\Program Files (x86)\ebdehijejhjmsdbokvsuvyz.vay

      Filesize

      280B

      MD5

      dbca4c5c812ebfd5536350d6cfad370e

      SHA1

      c8593c7739d8c99f7a2ea50c1f81941cb8a41d5e

      SHA256

      d73c1e3ed88d2b272059a1609c74c1760f27657705ad2f856e4744c0b5ea48fe

      SHA512

      135c683016c463425ae9e5979a1e435e1c360fb133097670f41f2d2fef5d6b8948a1b1e8ddb485e5761345feef49cb6acc410e61e8c5a4df9ac36d809af675de

    • C:\Program Files (x86)\ebdehijejhjmsdbokvsuvyz.vay

      Filesize

      280B

      MD5

      3f33936aedfa8e371f6ed99df09fb72d

      SHA1

      e7cc52b8f82a771544efdc788e7493c9b66ac84d

      SHA256

      154772f0d4864b89c618a06fb8936402fe8ebc104717d6a9bd6fc80f68475a85

      SHA512

      650146d19dfc20be850f81b699e850788d3ceb7d41c6f05dc068e032403897dffbae2b634af27cedeb78a5d7a382588fa25d5bd9f6499b512b1b7b72e270dcc6

    • C:\Program Files (x86)\ebdehijejhjmsdbokvsuvyz.vay

      Filesize

      280B

      MD5

      03b24e32b8d2ee4899b0dc435a9ed72f

      SHA1

      fcf96f406ccb5263ad6cd2a71bf8df4b178900fb

      SHA256

      08f063d0886d03ae93164abe2cb81bcf40f088233e33564d4a3d1d80e97adf02

      SHA512

      5c5418e3520e87e8d018827f02902d0dd46bacdc972f11b92531550fba2a9d1e415e2ca315fd21fbb34f3b80130aef0f61e5b8edc4a5c17c4785fa844f102ca8

    • C:\Program Files (x86)\ebdehijejhjmsdbokvsuvyz.vay

      Filesize

      280B

      MD5

      2a6dde7eda728bea122bc2199157a022

      SHA1

      30b57fb7aeeda47beaa1f61087a81f5b864b676e

      SHA256

      82a299cc4c4db8334f21f3714a432da0bca273799ae6df4a1aa1afb3a94a7087

      SHA512

      0791ff9e4fe99c4419c70e84ae62c2180867f2400b54e753e09b2fe1f644317f067e52abacd4c45740936a981839579ee1da6450433b3bbd0136ebb1b1116b7f

    • C:\Users\Admin\AppData\Local\Temp\adlsbip.exe

      Filesize

      2.1MB

      MD5

      0c3b041d0ed5cc660b6511f6288cc938

      SHA1

      81ad2d1f3bc4ae1e065c91fb8ec500ed33a1a6a3

      SHA256

      f568e56727d760abff1abf26b4a6e046ab5c9e3d0da2754770833453782cf3b0

      SHA512

      4cac3ba5b33adb76a9d76b32d1e3de7c072d1eb7c1a01c0783a5d7ddc3b64fd4850c37ea62accd5042d998b9761d5ce059a268eb3ba7a0776857e7579d05e5aa

    • C:\Users\Admin\AppData\Local\ebdehijejhjmsdbokvsuvyz.vay

      Filesize

      280B

      MD5

      d3f65c0dfc0602ca7907c0346b1f0fa5

      SHA1

      882afcee4c4aebf5bb69048594570bf4eb11d8d8

      SHA256

      9e307794b2025bb40274cdb6b9280c5d9eda1e2412934c33d4fa2dda4c038600

      SHA512

      771432cdf25af0b0662d9d266bec3a4e78b5a2274d8fb9a8349ef9f37343f6aa7259304c109fd26f3d478eb31e90e6e543d28110a914565fe78d11ce3cacde93

    • C:\Users\Admin\AppData\Local\ebdehijejhjmsdbokvsuvyz.vay

      Filesize

      280B

      MD5

      81680d16b07b3ad19866a4b5d604577d

      SHA1

      42c42d8118411e8fe90a342a42408b944bc8c8c5

      SHA256

      04bb91c695e71906253b17533e36044e6211b636e89ce88a85cdae9b644bb218

      SHA512

      238c80a74f082f1e8c09b49f2e93f5e90adbe345e29b16d2f444318bb5d3c5e0a7209fb14eb491411599eb5b7a1a582812ba0b1d3c539d4e3494d6d0a7875dd6

    • C:\Users\Admin\AppData\Local\rzmymykqgpcqhdmkrnviuiugmclymdzign.req

      Filesize

      4KB

      MD5

      fe7e646abbf90bf0ad112dbdb4cc34ed

      SHA1

      19a232c5dd3c20b9295a79050be350a7a499e1b6

      SHA256

      da8371d36a03b6c08c287d2b009c4e27d037446697ab74e353bc453bb9846aca

      SHA512

      a1e36fc0a2a08f1992e0a1551dc1fd312bc2833871da48b21cfea0ccf0a6fe5c73a385983a13e4730efc1235fff1daa1baf0d16289de68f545296a2bc3741370