Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 06:59

General

  • Target

    0c4fad799f1b08ad735cb51c58060247b1bb0cd66d61c549fd5c80b74f2eaad6N.exe

  • Size

    22KB

  • MD5

    a3f1dbd84f728363a1a212e923a97080

  • SHA1

    c5c47944d63f15d6eafea8e31f18d43f2290ed0e

  • SHA256

    0c4fad799f1b08ad735cb51c58060247b1bb0cd66d61c549fd5c80b74f2eaad6

  • SHA512

    2638e5efdf2d0b879abf2f9e28610ff7e6a9765266efacaef8ee3b01253e7d611e7efadb779168c36f0745dbcad43fd79f219555ac305e004902c22df40518d6

  • SSDEEP

    384:UBWoC5GDr6wc/w3HgM6vDUTAXBGCVf4WVlFvXVB7JmvY1j:rRkiLw3HsDSARGG/rv1j

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops file in Drivers directory 1 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    remove IFEO.

  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 12 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3484
        • C:\Users\Admin\AppData\Local\Temp\0c4fad799f1b08ad735cb51c58060247b1bb0cd66d61c549fd5c80b74f2eaad6N.exe
          "C:\Users\Admin\AppData\Local\Temp\0c4fad799f1b08ad735cb51c58060247b1bb0cd66d61c549fd5c80b74f2eaad6N.exe"
          2⤵
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2364
          • C:\Windows\SysWOW64\rmass.exe
            "C:\Windows\system32\rmass.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Windows security modification
            • Indicator Removal: Clear Persistence
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4172
            • C:\Windows\SysWOW64\rmass.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:3600

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\RECOVER32.DLL

        Filesize

        5KB

        MD5

        2b2c28a7a01f9584fe220ef84003427f

        SHA1

        5fc023df0b5064045eb8de7f2dbe26f07f6fec70

        SHA256

        9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb

        SHA512

        39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

      • C:\Windows\SysWOW64\ahuy.exe

        Filesize

        24KB

        MD5

        a165809c4211584179bd1135f26304d8

        SHA1

        64d912c797ea6f9baeeb8da0aa79614801f3490b

        SHA256

        f319e30a229287f6f6b44ecb050fd7fcb56a2d34d51f762f722ac13fe513647f

        SHA512

        d9d542d7401bd5fa8836da4f77768eee7232ee084708ded93ab08a224a845b0d784b0d6a1cb315c0442e22604d16a7a5e01d12e9977a0fb32829a5ccf906cd05

      • C:\Windows\SysWOW64\ntdbg.exe

        Filesize

        25KB

        MD5

        cf5bd6c9d51cb13d95baf45212117f21

        SHA1

        0b1306451ba0808ed438dae93b13552136396cd6

        SHA256

        73772d354286b16bb7f22508de41a010c2a21a4d9d07444927ed8dc6211cfe5d

        SHA512

        ef72131425623f067c75071e8909334881fc324fded67bd9f02a8eb1940eedcc733ef3af2d18ecd113564a3652151c93a34403fd6e0c425697be7a09745d65ac

      • C:\Windows\SysWOW64\rmass.exe

        Filesize

        22KB

        MD5

        a3f1dbd84f728363a1a212e923a97080

        SHA1

        c5c47944d63f15d6eafea8e31f18d43f2290ed0e

        SHA256

        0c4fad799f1b08ad735cb51c58060247b1bb0cd66d61c549fd5c80b74f2eaad6

        SHA512

        2638e5efdf2d0b879abf2f9e28610ff7e6a9765266efacaef8ee3b01253e7d611e7efadb779168c36f0745dbcad43fd79f219555ac305e004902c22df40518d6

      • memory/2364-0-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

      • memory/2364-7-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

      • memory/3600-47-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

      • memory/4172-42-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB