Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 02:24

General

  • Target

    b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe

  • Size

    1016KB

  • MD5

    ee47200f60aa0ffe7e554db291da8a8f

  • SHA1

    a2ab0c657b6045b98aca1befb1fe2ce02ca0ae9e

  • SHA256

    b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7

  • SHA512

    02512eaff12cf835116833bead2006aa14e4f86e65f0225887e5d9e2b7a199849222bd15d50bf269e23646192f7cde45f9cb3746964bb6d3e6d325b4d250d478

  • SSDEEP

    6144:GIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUM:GIXsgtvm1De5YlOx6lzBH46UM

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 27 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 7 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe
    "C:\Users\Admin\AppData\Local\Temp\b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Users\Admin\AppData\Local\Temp\ihuownxrsre.exe
      "C:\Users\Admin\AppData\Local\Temp\ihuownxrsre.exe" "c:\users\admin\appdata\local\temp\b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1428
      • C:\Users\Admin\AppData\Local\Temp\tcltcjm.exe
        "C:\Users\Admin\AppData\Local\Temp\tcltcjm.exe" "-C:\Users\Admin\AppData\Local\Temp\skctlbndrbfxwjfu.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2304
      • C:\Users\Admin\AppData\Local\Temp\tcltcjm.exe
        "C:\Users\Admin\AppData\Local\Temp\tcltcjm.exe" "-C:\Users\Admin\AppData\Local\Temp\skctlbndrbfxwjfu.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:5008
    • C:\Users\Admin\AppData\Local\Temp\ihuownxrsre.exe
      "C:\Users\Admin\AppData\Local\Temp\ihuownxrsre.exe" "c:\users\admin\appdata\local\temp\b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:1732

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\wyabddzzxrfhqntsbwyabd.zzx

    Filesize

    280B

  • C:\Program Files (x86)\wyabddzzxrfhqntsbwyabd.zzx

    Filesize

    280B

  • C:\Program Files (x86)\wyabddzzxrfhqntsbwyabd.zzx

    Filesize

    280B

  • C:\Program Files (x86)\wyabddzzxrfhqntsbwyabd.zzx

    Filesize

    280B

  • C:\Program Files (x86)\wyabddzzxrfhqntsbwyabd.zzx

    Filesize

    280B

  • C:\Users\Admin\AppData\Local\Temp\ihuownxrsre.exe

    Filesize

    320KB

  • C:\Users\Admin\AppData\Local\Temp\tcltcjm.exe

    Filesize

    700KB

  • C:\Users\Admin\AppData\Local\nanzmxepydcpjrismsfsercjudihuownx.xkx

    Filesize

    4KB

  • C:\Users\Admin\AppData\Local\wyabddzzxrfhqntsbwyabd.zzx

    Filesize

    280B

  • C:\Users\Admin\AppData\Local\wyabddzzxrfhqntsbwyabd.zzx

    Filesize

    280B

  • C:\Windows\SysWOW64\icwpjbphxjpjkzxopc.exe

    Filesize

    1016KB

  • C:\nanzmxepydc.bat

    Filesize

    520KB
