Overview

overview

10

Static

static

3

f5c09930dd...ab.exe

windows7-x64

10

f5c09930dd...ab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 12:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5c09930dd903d6134a3d896827c7605689972468042dd429c6f1ea6172361ab.exe

  • Size

    36KB

  • MD5

    1e7e657e12560c3b7d950001a38cc8b1

  • SHA1

    675d1cce2c0125f37871faa9dccc423f72a9a882

  • SHA256

    f5c09930dd903d6134a3d896827c7605689972468042dd429c6f1ea6172361ab

  • SHA512

    a41e1b7ec27b74fc5ae6a6057d1cf56ebf658bfccecc7e0cfd68b9aa1d36b9141f0765d612b7f367f5f5e74d4964c3323c7f3a05cd7eb728cadb9387cd836abb

  • SSDEEP

    768:sIUmhCfRKfmrEhjR2cS5fzWbAGO8azppk9SNKGCc:sAhCZKfmrqjRu5fibAF8qYSNKhc

Score
10/10
defense_evasiondiscoveryevasionpersistencetrojanupx

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    remove IFEO.

    defense_evasion
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 17 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:428
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1168
        • C:\Users\Admin\AppData\Local\Temp\f5c09930dd903d6134a3d896827c7605689972468042dd429c6f1ea6172361ab.exe
          "C:\Users\Admin\AppData\Local\Temp\f5c09930dd903d6134a3d896827c7605689972468042dd429c6f1ea6172361ab.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1980
          • C:\Windows\SysWOW64\udloavak-acur.exe
            "C:\Windows\SysWOW64\udloavak-acur.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Indicator Removal: Clear Persistence
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:616
            • C:\Windows\SysWOW64\udloavak-acur.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2440

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\ogpopem-ousooc.exe
        Filesize

        37KB

        MD5

        ffe4d598b1c14f4ffff7c21b881a35e9

        SHA1

        c81af6005c0a4ae0cd2f028e8ed9ac73a04606ab

        SHA256

        974d4edcdbeea965c681385f5b125454041f40f7383249fc95843fa631fccf0c

        SHA512

        c20379b56e449d792691bcbe93698b36352b30d2d854f021ff8e09eca6290a12dab27bcaf526635399e749dd759b0103c3de9dfcb0176f0cb2445c8b4edb39ea

        Download Submit

      • C:\Windows\SysWOW64\thivom.dll
        Filesize

        5KB

        MD5

        c8521a5fdd1c9387d536f599d850b195

        SHA1

        a543080665107b7e32bcc1ed19dbfbc1d2931356

        SHA256

        fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5

        SHA512

        541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd

        Download Submit

      • C:\Windows\SysWOW64\udloavak-acur.exe
        Filesize

        34KB

        MD5

        13cb46ed7728ac50c3056afdbd7b877a

        SHA1

        10a19a2279c7d2895053f0e013795b011408db28

        SHA256

        a4df6235e2dc4ae21a6c8321d5c263e088703981715f14a2ef801039053eb07e

        SHA512

        b2393b77f020285aecbd16ad640cb8394934ac46994cb13649c33a0ec643dd6c7b934a365d5e32362d3344cc178dd845afd3c0dc42ce291336362081e6fe6f6d

        Download Submit

      • C:\Windows\SysWOW64\uhnugead-oudat.exe
        Filesize

        36KB

        MD5

        7852cb9126d90595f66f65e640763d42

        SHA1

        82e03a2fab33fb085610262a94931c1bf6740e3d

        SHA256

        05c287a41e50dff94f48df198562992f1ad8020b36d0af4ad1bb68500f23d337

        SHA512

        048332e4408251d8f7d8a9cfda0221b9359fb5009f79526fbd8ff2c4648180deebb545ece46afaeac1d5846b395cbdb7b21c000c40ea2067ee6ab6884324689d

        Download Submit

      • memory/616-9-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/616-20-0x0000000000360000-0x0000000000377000-memory.dmp

        Filesize

        92KB

        Download

      • memory/616-43-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/616-50-0x0000000000360000-0x0000000000377000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1980-7-0x0000000000400000-0x0000000000403000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2440-55-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download