Analysis

  • max time kernel
    119s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 09:09

General

  • Target

    c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe

  • Size

    30KB

  • MD5

    342c4c4f892f98b00b29035f9e483e10

  • SHA1

    01323c60ad0f23039a8dee51c86c550d0b971519

  • SHA256

    c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c

  • SHA512

    b7d14a3eefb27871caa5cd6550731ff30dc3e174f78d089405edefd8b9ef22f31ec47ee44bc3f12ffde5e0ea2c54cd1061eb1f41e8ff82cb73389042b682f423

  • SSDEEP

    768:tQbuQRy2UjmUndnlTttxDn+3jiSkjRY6AB7kKfYoJ+ifBEewqu:QuQRylaUDTDxDXjy6AB7koYy2Gu

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    remove IFEO.

  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 17 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:436
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1236
        • C:\Users\Admin\AppData\Local\Temp\c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe
          "C:\Users\Admin\AppData\Local\Temp\c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2380
          • C:\Windows\SysWOW64\tmoopeg.exe
            "C:\Windows\system32\tmoopeg.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Indicator Removal: Clear Persistence
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2148
            • C:\Windows\SysWOW64\tmoopeg.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2136

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\acberab.exe

        Filesize

        32KB

        MD5

        0e46ba04c355a5baeea9babc07022926

        SHA1

        78ca79d2a3090e2d2a3d8e6ecca0401ae082b019

        SHA256

        4f4925a18a6a570cf7ccec6582e1ac599568e29be93b1619292759f841833816

        SHA512

        390edb6593f0cc0a35125bde390ad996537c2e518d8bddb570897abe513bbb6c7b390eaab0259a3f9bc14929c7ae2255880b160664dfa5a0b7279fa5edc0e18e

      • C:\Windows\SysWOW64\atvofeak.dll

        Filesize

        5KB

        MD5

        c8521a5fdd1c9387d536f599d850b195

        SHA1

        a543080665107b7e32bcc1ed19dbfbc1d2931356

        SHA256

        fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5

        SHA512

        541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd

      • C:\Windows\SysWOW64\ouctisuc.exe

        Filesize

        33KB

        MD5

        98560999b59e2f6d53f61311cdbe0abc

        SHA1

        385de8786b39b255de1315e2f52b03e930732359

        SHA256

        fbfd555bddb2916732779084835ed827b67438c627cd55622acd2f5c7f6b1876

        SHA512

        77c459c6b2d1f50f99eee9032479f56c69a2ed2bb082234dafa269703a6c689f96cc762c196820ae80b27e74350604049d4aaf146a9abaa19e7670202789d8a0

      • C:\Windows\SysWOW64\tmoopeg.exe

        Filesize

        30KB

        MD5

        342c4c4f892f98b00b29035f9e483e10

        SHA1

        01323c60ad0f23039a8dee51c86c550d0b971519

        SHA256

        c010c31d3130117990b429219acdea990161f5c15f17217bf37e408739e07d2c

        SHA512

        b7d14a3eefb27871caa5cd6550731ff30dc3e174f78d089405edefd8b9ef22f31ec47ee44bc3f12ffde5e0ea2c54cd1061eb1f41e8ff82cb73389042b682f423

      • memory/2136-56-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

      • memory/2148-45-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

      • memory/2380-0-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

      • memory/2380-11-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB