Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-11-2024 06:04

General

  • Target

    fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe

  • Size

    320KB

  • MD5

    740afbeaa06922e913a871f592541331

  • SHA1

    b0eaeb7152f55f42fa0126d9e2b2117ddfec1cff

  • SHA256

    fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3

  • SHA512

    26657d4dba67ba090ca44fcc48cc71824fde5416dea856bc5c5a09a0a9c36c831e8daa335af2d6f46b1174f7cd8867ef3c664e0e121c94be368411db51a05881

  • SSDEEP

    6144:4TwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqR:WXgvmzFHi0mo5aH0qMzd5807FRPJQPDV

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • UAC bypass 3 TTPs 12 IoCs
  • Adds policy Run key to start application 2 TTPs 27 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 36 IoCs
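
The signatures above name the registry-based persistence and defence-impairment techniques, but the page lists only IoC counts, not the values written. The read-only hunt script below is an added example (not the report's output and not the sample's code) that checks the standard locations those signature names refer to on a suspect host: Winlogon Shell/Userinit, Run and policy Run keys, DisableRegistryTools, the UAC policy values (including ConsentPromptBehaviorUser and EnableInstallerDetection, which the "Hijack Execution Flow" description points at), and the SafeBoot lists. That the sample touched exactly these locations is an assumption; the expected defaults are Windows 7 values. Run it elevated; for an offline image, load the hives with `reg load` first and adjust the HKLM:/HKCU: prefixes.

```powershell
# Added example, not from the sandbox report. Read-only: it never writes to the registry.
# Written for PowerShell 2.0 so it runs on the Windows 7 x64 platform used in the analysis.
$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Category, [string]$Key, [string]$Name, $Value) {
    [void]$findings.Add((New-Object PSObject -Property @{
        Category = $Category; Key = $Key; Name = $Name; Value = "$Value" }))
}

function Get-RegValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($item -ne $null -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    return $null
}

# 1. "Modifies WinLogon for persistence": Shell and Userinit should be the Win7 defaults.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedWinlogon = @{ Shell = 'explorer.exe'; Userinit = 'C:\Windows\system32\userinit.exe,' }
foreach ($name in $expectedWinlogon.Keys) {
    $value = Get-RegValue $winlogon $name
    if ($value -ne $null -and $value.Trim() -ne $expectedWinlogon[$name]) {
        Add-Finding 'Winlogon' $winlogon $name $value
    }
}

# 2. "Adds Run key" / "Adds policy Run key": flag autostarts pointing into user-writable paths
#    (the dropper here ran from %LocalAppData%\Temp). Heuristic; review the full list too.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$suspiciousPath = '(?i)\\(AppData|Temp|Users\\Public|ProgramData)\\'
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item -eq $null) { continue }
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }        # PSPath, PSParentPath, ... are provider noise
        $category = if ($key -match 'Policies') { 'PolicyRun' } else { 'Run' }
        if ("$($prop.Value)" -match $suspiciousPath) { Add-Finding $category $key $prop.Name $prop.Value }
    }
}

# 3. "Disables RegEdit", "UAC bypass", "Checks whether UAC is enabled", installer-detection weakness:
#    compare policy values against Windows 7 defaults. A missing value is left alone.
$policy = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' = @{ DisableRegistryTools = 0 }
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' = @{
        DisableRegistryTools       = 0
        EnableLUA                  = 1   # 0 = UAC switched off entirely
        ConsentPromptBehaviorAdmin = 5   # Win7 default: prompt for non-Windows binaries
        ConsentPromptBehaviorUser  = 3   # Win7 default: prompt for credentials; 0 = auto-deny for standard users
        EnableInstallerDetection   = 1   # 0 = installers are no longer detected and elevated
    }
}
foreach ($key in $policy.Keys) {
    foreach ($name in $policy[$key].Keys) {
        $value = Get-RegValue $key $name
        if ($value -ne $null -and [int]$value -ne $policy[$key][$name]) { Add-Finding 'Policy' $key $name $value }
    }
}

# 4. "Impair Defenses: Safe Mode Boot": a removed SafeBoot list breaks Safe Mode; an added
#    entry lets the malware's service/driver start in it. The marker list is a heuristic;
#    diff the subkeys against a known-good host of the same build.
foreach ($mode in 'Minimal', 'Network') {
    $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if (-not (Test-Path $base)) { Add-Finding 'SafeBoot' $base '(key)' 'missing'; continue }
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $default = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        if (@('Driver', 'Service', 'Driver Group') -notcontains "$default") {
            Add-Finding 'SafeBoot' $base $_.PSChildName $default
        }
    }
}

$findings | Sort-Object Category | Format-Table Category, Name, Value, Key -AutoSize
```

Findings are reported, not remediated: restoring Winlogon or the UAC values on a still-infected host is undone at next launch, and the fix is the same as for any compromised box. Anything the script flags under Run or SafeBoot should be hashed and compared against the dropped-file digests in the Downloads section before it is deleted.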

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
    "C:\Users\Admin\AppData\Local\Temp\fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1628
    • C:\Users\Admin\AppData\Local\Temp\baots.exe
      "C:\Users\Admin\AppData\Local\Temp\baots.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:2364
    • C:\Users\Admin\AppData\Local\Temp\baots.exe
      "C:\Users\Admin\AppData\Local\Temp\baots.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • System Location Discovery: System Language Discovery
      • System policy modification
      PID:3064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\baotscdeopdarmjzlfnmafeopqa.pmd

    Filesize

    280B

    MD5

    c399d8b81dcf21ec961ad0a305239b96

    SHA1

    038d2912a104b3b56e591ccc3f0a86d663364f12

    SHA256

    34e7c067c452b975e9189af7174e717d463fc8db2c522c0feb16e0874aa06145

    SHA512

    ebcfa1ffa6b73d9a678dd0d81b1df3dbf02934ceae33a95909c321db5a56d7faa3640e03784af07d69de74d835b8704efbef2010b751cc36b3e20601fc12a618

  • C:\Program Files (x86)\baotscdeopdarmjzlfnmafeopqa.pmd

    Filesize

    280B

    MD5

    822b227d2db3e1b64003ee0bfb66df11

    SHA1

    c1008714a393e1d974cc547b437e4840a4bca725

    SHA256

    3d1fd75c7d276083ff6cbca25c5245e34e2a444f64a5fa2d0fa171198fa2a2eb

    SHA512

    a8a281f5fa014ddb1c0c15b32c34f8698846f93ab5367bf2dfcca772727163e34b3e72c56a610692b60f96d2ece6f7e329044a8bc307c99c5d9cce8f21aced28

  • C:\Program Files (x86)\baotscdeopdarmjzlfnmafeopqa.pmd

    Filesize

    280B

    MD5

    16b141f1f2f5a6872565d021b83ab8e9

    SHA1

    130be315087908ed639c303120741c7431121d76

    SHA256

    d0852dd1c0bbb0feeb8028fcf28f8b709afc7856eb5913f5e2eddf09b6012367

    SHA512

    2b8acd6752e8d9db6331030d098a82b1f60347ebfc589a54ca03fe5543c0cc8c2c9fb55311f51d113dd08516b1d436e22a14d9b4cab52610d7ad2f1e11d98187

  • C:\Program Files (x86)\baotscdeopdarmjzlfnmafeopqa.pmd

    Filesize

    280B

    MD5

    0d4cf23fbfca42c92417e0dadaafac62

    SHA1

    516f28cde1a3a7aa59e32bda6e14f23253e0ab97

    SHA256

    e2630416f85d5e278799bddf26e23ffab216384d6f61eca401f9b39bef776248

    SHA512

    a54417badd7cb0858297c5955ff239baf7113579495ef92a0609560ee51a3f160347627c4f1d913c8633fecf43a777a1e7e349e2c8af67eaeec472a533abf73c

  • C:\Program Files (x86)\baotscdeopdarmjzlfnmafeopqa.pmd

    Filesize

    280B

    MD5

    98e88dea1aed12fdfd085b6139b9265e

    SHA1

    b63493ec69e23c077cac0db74f98c54b21d983b3

    SHA256

    7b444ae6f0d9ce2a35471eca4bcb85659144701217333cd6d8a8848ddef9c378

    SHA512

    39c1db836b0bb1bfe3d1f483b45e10b7d2285c2818d43f1afdaf4e6a47cfbf744e346d288d12bed256e0f881a3297e0f47cda779bd7419426a76b9582348c610

  • C:\Program Files (x86)\baotscdeopdarmjzlfnmafeopqa.pmd

    Filesize

    280B

    MD5

    2be427418f0770047d1946f066856800

    SHA1

    0f81985a97909d60ca39c48d943ce1d20bdc3f35

    SHA256

    d26328d8c65ea2691898d4ff0e9a9a9ed4b93a0acbe95f4df91ec13ab680ce92

    SHA512

    bfda6ecf6ae8252c7111fbfdce2a77136dbcbd202eaf0890f2536256b5b620297acdc9f71d92f13c159d675117d21947a517927035d0b2d75fc47d935cfa1c54

  • C:\Users\Admin\AppData\Local\baotscdeopdarmjzlfnmafeopqa.pmd

    Filesize

    280B

    MD5

    2021c9202645b114f78b3923a4e9aea9

    SHA1

    a7e053af0f79b39d1b73b12a2ec68d2a5d852a9f

    SHA256

    3c529b4d74b1332f2a9b1bd3b4a36f7d5c1a9606e4f57d05d03fc3d399690383

    SHA512

    6f387b88d2e0c6a4bdac384c85ddfe44a323cf8cfb67d59f1e65a30595789f7cd75cff63153e257b5235a7b63c842bbf63f733849ca384225523f39cf50f9536

  • C:\Users\Admin\AppData\Local\baotscdeopdarmjzlfnmafeopqa.pmd

    Filesize

    280B

    MD5

    2407fe256178a198c468e8378791da9e

    SHA1

    ada0fdedaeca0875a95972bd4af72e241982bb8c

    SHA256

    5804ba0a62751154cdba3feec08813f8b63abe1b72bc334692b57b830ae8617d

    SHA512

    8ce1e091381bcdfa42dc012a4194335b1fbe3ccf81395c5ded4189ddf907d24c727b56ed0f49fef6dcc177676c4f64566269bcbc2308acff2bc3c0b25a1a9f48

  • C:\Users\Admin\AppData\Local\yihxhcoavhgoqwefchakjzjeqcxjiqsyghejcm.blg

    Filesize

    4KB

    MD5

    1342968c8a498336a334539e815c5713

    SHA1

    2650bf3dab36ff7a89d1b2e8c430e30a898aaf24

    SHA256

    c1a12c322cea5469d322b01fe63d49e32e5a08ac1f3ae915c91f43458e23530e

    SHA512

    c3aa85f164475b6b6a0da7a769d2e90a5a8f5920e7319a5ee602d9c2bc82fbc3ec8f046d25f50e29941e575263be51a0df14a1fdec88ec17f8a0a512cdfbacdc

  • \Users\Admin\AppData\Local\Temp\baots.exe

    Filesize

    688KB

    MD5

    121c2afe9a7c236845a9fabed8468c91

    SHA1

    76dd5a3966c8466bda79d64cb74757d544cbaed6

    SHA256

    7bb9057030a5195c15e89acbbd83f237720a6cdb6379535fb852e4756f4bcd50

    SHA512

    a861fbfb002055407971827f1d4dd3c1122102bbca65707f33f9bf3901efd5a91d9c717ad24bb322c57fa07da5bfb47d0546e5556c5c536ac950f351cf2cb97c
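
The Downloads section is the part of this report a responder actually reuses: the same `.pmd` path is written six times with different contents, so a path alone is a weak indicator while the digests are exact. The script below is an added example (not the sandbox's code and not the sample's) that parses this page's flattened bullet/label/value layout into records, rejects digests damaged in copy/paste, and matches files on disk against the SHA256 set. `SAMPLE_REPORT` is a constructed excerpt that reuses two entries from the page; the scanned directory and the planted file are constructed, since the real dropped files are not available offline.

```python
"""Added example, not part of the sandbox report. Parses a Triage-style
"Downloads" listing into IOC records and matches files on disk by SHA256."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Constructed excerpt in the page's own layout. The second path is reproduced
# exactly as the report shows it, without a drive letter.
SAMPLE_REPORT = r"""
  • C:\Program Files (x86)\baotscdeopdarmjzlfnmafeopqa.pmd

    Filesize

    280B

    MD5

    c399d8b81dcf21ec961ad0a305239b96

    SHA1

    038d2912a104b3b56e591ccc3f0a86d663364f12

    SHA256

    34e7c067c452b975e9189af7174e717d463fc8db2c522c0feb16e0874aa06145

  • \Users\Admin\AppData\Local\Temp\baots.exe

    Filesize

    688KB

    MD5

    121c2afe9a7c236845a9fabed8468c91

    SHA256

    7bb9057030a5195c15e89acbbd83f237720a6cdb6379535fb852e4756f4bcd50
"""


@dataclass
class DroppedFile:
    path: str
    size: str = ""
    hashes: dict = field(default_factory=dict)


def parse_downloads(text):
    """Turn the bullet/label/value layout into DroppedFile records."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("\u2022"):          # "• <path>" opens a new record
            current = DroppedFile(path=line[1:].strip())
            records.append(current)
            pending = None
        elif line in LABELS:                   # a label: the next non-blank line is its value
            pending = line
        elif pending and current is not None:
            if pending == "Filesize":
                current.size = line
            else:
                current.hashes[pending.lower()] = line.lower()
            pending = None
    return records


def validate(record):
    """Names of digests whose length or alphabet is wrong (truncated or mangled copies)."""
    return [algo for algo, digest in record.hashes.items()
            if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[algo], digest)]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, records):
    """Hash every file under root; return (local path, reported path) for SHA256 matches."""
    wanted = {r.hashes["sha256"]: r for r in records if "sha256" in r.hashes}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if sha256_of(full) in wanted:
                hits.append((full, wanted[sha256_of(full)].path))
    return hits


def demo():
    """Parse the excerpt, then scan a constructed directory holding one planted match."""
    records = parse_downloads(SAMPLE_REPORT)
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "evil.bin")
        with open(planted, "wb") as f:
            f.write(b"constructed sample content, not the real dropper\n")
        with open(os.path.join(tmp, "clean.txt"), "w") as f:
            f.write("unrelated file\n")
        # Hypothetical IOC built from the planted file so the match path runs offline.
        synthetic = DroppedFile(path=r"C:\constructed\evil.bin", size="49B",
                                hashes={"sha256": sha256_of(planted)})
        hits = scan_directory(tmp, records + [synthetic])
    return records, hits


if __name__ == "__main__":
    recs, found = demo()
    for r in recs:
        print(r.path, r.size, r.hashes.get("sha256"), "bad digests:", validate(r))
    print(found)
```

Only SHA256 is used for matching; MD5 and SHA1 are kept because older feeds and AV consoles still key on them, and `validate` catches the common failure of a digest that lost a character when the report was copied. To use it against a real host, point `scan_directory` at the user profile and `Program Files (x86)` trees named in the report rather than at the constructed temp directory.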