Overview

overview

10

Static

static

10

0.46582298...58.exe

windows7-x64

7

00331dd25b...3a.exe

windows7-x64

10

065988f36f...a0.exe

windows7-x64

3

0826716413...57.exe

windows7-x64

10

08cf8ed94c...a4.exe

windows7-x64

10

0997ba7292...3c.exe

windows7-x64

3

0b7996bca4...5f.exe

windows7-x64

0c3431dbb8...ui.dll

windows7-x64

5

0cd7440ca9...bc.exe

windows7-x64

10

100b8bfff5...ir.exe

windows7-x64

3

101.ex_.exe

windows7-x64

3

119.executable.exe

windows7-x64

6

119.unp.exe

windows7-x64

6

11abb44de5...47.exe

windows7-x64

10

11fb52c968...22.exe

windows7-x64

10

123.exe

windows7-x64

1

139.exe

windows7-x64

1

13E418BF18...73.dll

windows7-x64

3

144.exe

windows7-x64

1

17697e1829...44.dll

windows7-x64

3

19561b3379...er.exe

windows7-x64

10

19ec0d0e51...C5.exe

windows7-x64

7

1a6bed2aff...f2.exe

windows7-x64

10

1f210c60f9...40.exe

windows7-x64

10

1f3509cc11...dd.exe

windows7-x64

10

20c6d29da8...7d.exe

windows7-x64

9

234e77145d...2d.exe

windows7-x64

10

263fc6fc9e...32.exe

windows7-x64

9

2e0da054d0...23.zip

windows7-x64

9

Compenso.P...__.exe

windows7-x64

9

301a3f5017...5f.exe

windows7-x64

10

30620.ex_.exe

windows7-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    291s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 02:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11fb52c96853e12f011b7b7894e9884e56eb5522.exe

  • Size

    496KB

  • MD5

    04eacd2031de21c56ccec496e1b5ed68

  • SHA1

    11fb52c96853e12f011b7b7894e9884e56eb5522

  • SHA256

    e908284c087983e3b9f3a3b828f1a3812bfe0e77694b9ef943c0e5c90eb747bb

  • SHA512

    7951a8a8370c01273ce32c3695d16f496d485641f8a7454a86890abb894be9fed867e66ff57c8313bc10d8afd79e330c6e13936ca2bcb81c2b82bbf23a48799f

  • SSDEEP

    6144:H8CL0LckC2bYXES5c+rvM10d+dDJPDCWpKrSgBoreMDLu2zbgVn9Sr/WIInBt5op:cA0LK/5c3aqPiTebDLuibinIrwBtTE

Score
10/10
discoveryevasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 4 IoCs
    evasion
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Disables Task Manager via registry modification
    evasion
  • Drops startup file 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\11fb52c96853e12f011b7b7894e9884e56eb5522.exe
    "C:\Users\Admin\AppData\Local\Temp\11fb52c96853e12f011b7b7894e9884e56eb5522.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Users\Admin\AppData\Local\Temp\11fb52c96853e12f011b7b7894e9884e56eb5522.exe
      C:\Users\Admin\AppData\Local\Temp\11fb52c96853e12f011b7b7894e9884e56eb5522.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Users\Admin\AppData\Local\Temp\xcgmXKbP.exe
        "C:\Users\Admin\AppData\Local\Temp\xcgmXKbP.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Users\Admin\AppData\Local\Temp\xcgmXKbP.exe
          C:\Users\Admin\AppData\Local\Temp\xcgmXKbP.exe
          4⤵
          • Modifies firewall policy service
          • Modifies security service
          • UAC bypass
          • Windows security bypass
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Windows security modification
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2792
          • C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe
            "C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

4
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

3
T1562.001

Modify Registry

8
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\xcgmXKbP.exe
    Filesize

    496KB

    MD5

    04eacd2031de21c56ccec496e1b5ed68

    SHA1

    11fb52c96853e12f011b7b7894e9884e56eb5522

    SHA256

    e908284c087983e3b9f3a3b828f1a3812bfe0e77694b9ef943c0e5c90eb747bb

    SHA512

    7951a8a8370c01273ce32c3695d16f496d485641f8a7454a86890abb894be9fed867e66ff57c8313bc10d8afd79e330c6e13936ca2bcb81c2b82bbf23a48799f

    Download Submit

  • C:\Users\Admin\Desktop\JoinHide.docm
    Filesize

    858KB

    MD5

    25c46f08f3e309d9c6e1356e252a1fd8

    SHA1

    3a6ef2fafa2a9cf56f3d59cd53346a351c147f64

    SHA256

    91b5551a3056371b0083771de5e06d868ca003cf184042dc5c40786e0c1f04b5

    SHA512

    51249e30448162191ee9e09d427d8b61928fd913c4652bfbcd1436ad0d21b86004e5448a5cf18550e8c476f29bfe4684f3dd3174059d03d49d7a4657f8e1ac2e

    Download Submit

  • C:\Users\Admin\Desktop\RenameRevoke.rar
    Filesize

    579KB

    MD5

    c015ccd3a368732c855f8371f69a77ee

    SHA1

    bbbd1cfdd50331d2d432f1c62818cb3482804404

    SHA256

    fdb0fe4cffcf75639797dbfb752339a7316f88c6e07bbb304b8ce131388bba55

    SHA512

    94f6756f5a3685c3691f63c65a15745342a81390f45b757f3dff6e4a86d2935f66e198127c66ae3e4874b9670692a7a82eac6b3ad0e04768fe1f15359ffffcc4

    Download Submit

  • C:\Users\Admin\Desktop\WriteRevoke.xlsx
    Filesize

    21KB

    MD5

    de8f11829075e5e9a8042dbd20bb9cf4

    SHA1

    d7b6909a0b53d35e519938e1d33434288ccdc422

    SHA256

    4ce8a1b35ef3c5527ed148843f665c6b58d5b0a007f8692022af118ad67f54d6

    SHA512

    14c079f6a2d42a9e270a17488b92901b8ff2e011343e9c84baa9c9b79e8e0c60c9c1b9a72d8de9eb80f490f66f3734f6f7f86aa8e43d2cbf01fa1e16873f4ab5

    Download Submit

  • C:\Users\Admin\Documents\ConvertToUndo.xlsm
    Filesize

    760KB

    MD5

    407a90712de07cafed3a3dbe11fe3e40

    SHA1

    665342d91dd8330a4be29c317a9581c5076ff53e

    SHA256

    dcb9583e09bfdb7861c6dba4b7be771362be7f462b3fddc3d074381e3a0d1c21

    SHA512

    2d20678f9690e01f6732abb5ce9c77405083326905c9ad9f81dbbb08e78f6c52e4586c2a0df572cb206600e9fb913d9869a9ed6c8abe30d01a6fe10a46d6bf31

    Download Submit

  • C:\Users\Admin\Documents\RestoreResolve.docx
    Filesize

    35KB

    MD5

    8b7d826e684b349a05e8fd24c4ec3512

    SHA1

    a57acaba0be1697f0297ac02ced01886e7cd26d5

    SHA256

    d2f7c729563a8ce6ff907346b5b6b59edc7e618d943c8279dd6171a08f947e45

    SHA512

    af7bcd7d56aae456871b0742bb1e1bfec442f8c417bf9fe8f9fe0a1c4e806f556a0e2d4ecfddf2fc6224a145b80cb803c145f8e712f0a3070c3be2cad52d56d9

    Download Submit

  • C:\Users\Admin\Downloads\FormatCopy.rtf
    Filesize

    453KB

    MD5

    f84f16556999721366704684e982e71e

    SHA1

    9b0fdec239015d5c23774fbe3604c75d91c304cb

    SHA256

    c64220d0ed8e92117591266ed1f9a32b6bac303fa6346310033896b29bc1d774

    SHA512

    28246323e3231e34925b508ed14dbce7b9d96b0b110a5f1bbf601a92ee893eabc96208b93150e882d3db053b42303b6d0ace13eaca7194eeb8ebfe51591dd93b

    Download Submit

  • C:\Users\Admin\Pictures\FindExit.png
    Filesize

    481KB

    MD5

    0675f4507e3dd0a50354f974243fac97

    SHA1

    5bb197f227f852ac72829fbd6670a693d9456e20

    SHA256

    2a3c3099f484bbd711978c16d38eea8394bc6d1791e9a7c77bd3d54a7aa7b328

    SHA512

    d06966f583be14e9f0d2014d5953c0a96f9e0b6f2e7d1aa3a46a707049bf84877e96f6455fe24226ba673293bbd19d25dce6303354fe34d812e138cd097293d3

    Download Submit

  • \Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe
    Filesize

    24KB

    MD5

    1d27a7210f54a047264f23c7506e9506

    SHA1

    4116e4e8f34e5e7f3fc6cf23cffd04fb027a1527

    SHA256

    431111e367629bea37db016682c6354303360cd1419c033a22a26115121ccfe9

    SHA512

    077054eb1afbe2fd375d409176b61bdc407c8ef10351b4d00ccdc5c02f87a2f99c319a81baa99d92cd8f0bfd32bdf95b54dc6ea4b288a8dc5d9bec9b08523700

    Download Submit

  • memory/1648-30-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2112-10-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2112-15-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2112-4-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2112-6-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2112-56-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2112-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-12-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2112-2-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2112-14-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2112-13-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2148-0-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2148-1-0x00000000003F0000-0x00000000003F4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2780-68-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2780-200-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2792-77-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2792-66-0x0000000001F00000-0x0000000001F14000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2792-61-0x0000000001F00000-0x0000000001F14000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2792-145-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2792-46-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download