Analysis

  • max time kernel: 120s
  • max time network: 119s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 22-11-2024 08:57

General

  • Target: 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
  • Size: 320KB
  • MD5: f994621fb8d39133c91165a336bfa517
  • SHA1: 02f1f61bd246cbb0a7cd7e1aed69e48628d15d7a
  • SHA256: 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715
  • SHA512: e3bd52ae4070e6bab51802247788e91ad5edf66272fc2668bfff14c867636931c53eb19653bb081459e0f9f45bf4dcc9df03933863ff81d0a61c4d688e908b6b
  • SSDEEP: 6144:0TwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqRr:qXgvmzFHi0mo5aH0qMzd5807FRPJQPDH

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
  • UAC bypass (3 TTPs, 12 IoCs)
  • Adds policy Run key to start application (2 TTPs, 25 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (2 IoCs)
  • Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
  • Adds Run key to start application (2 TTPs, 64 IoCs)
  • Checks whether UAC is enabled (1 TTP, 6 IoCs)
  • Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTP, 3 IoCs)
    Possibly turns off User Account Control's privilege elevation for standard users.
  • Looks up external IP address via web service (9 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Drops file in System32 directory (4 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Modifies registry class (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)
  • System policy modification (1 TTP, 36 IoCs)

Processes

  Process tree as recorded by the sandbox (nesting shows parent/child relationship; each entry lists its command line, PID, and the signatures that fired on it).

  • C:\Users\Admin\AppData\Local\Temp\1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe (PID 636)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe"
    Signatures: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Checks computer location settings; Adds Run key to start application; Checks whether UAC is enabled; Hijack Execution Flow: Executable Installer File Permissions Weakness; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory; System policy modification
    • C:\Users\Admin\AppData\Local\Temp\mrsbnl.exe (PID 1944)
      Command line: "C:\Users\Admin\AppData\Local\Temp\mrsbnl.exe" "-"
      Signatures: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Impair Defenses: Safe Mode Boot; Adds Run key to start application; Checks whether UAC is enabled; Hijack Execution Flow: Executable Installer File Permissions Weakness; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
    • C:\Users\Admin\AppData\Local\Temp\mrsbnl.exe (PID 5052)
      Command line: "C:\Users\Admin\AppData\Local\Temp\mrsbnl.exe" "-"
      Signatures: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Hijack Execution Flow: Executable Installer File Permissions Weakness; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; System policy modification
  • C:\Windows\System32\rundll32.exe (PID 3744)
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    Signatures: none recorded

MITRE ATT&CK Enterprise v15

Downloads

  Files written during the run. The same path is listed more than once where the sandbox captured it with different contents (each entry has its own hashes).

  • C:\Program Files (x86)\bffnyvelrmgyvdhygimmufclsyt.fck (280B)
    MD5: 2530d1da7c2723fbb5651017da8a942b
    SHA1: e082c8d09b13ed83fc59d4290d67720ab80f59e0
    SHA256: 4f8ffa5374969c077a6cbc7d89cba82bc5f26b6894259d06ee7289d7d6a72bc4
    SHA512: 6725d70603bdc46894cabf64d49671d0ef66f185532d1dcd0618e43d8d0b633b1834fa0e3565ea451e18c34b2e48dd09f2ad593f30b7e97abf3d4eb9e9519ebc

  • C:\Program Files (x86)\bffnyvelrmgyvdhygimmufclsyt.fck (280B)
    MD5: a3944076b66313ca4cc02773e6bc341b
    SHA1: 53626663062d8bc55402a28d87e17a32971a7ac7
    SHA256: 8ef05961f3b05e24c77716123a25ff6b5417fc68bde65db902a6019506c9bf99
    SHA512: 3f9b0a55c7e9227e6a57330bfd364c9cae63c9bfcec169587faf281733ef595afaa2a4bdfa9065b631ec93586cee8ef2aa0b4ef62758ebe82c6f9b5d45db8ae1

  • C:\Program Files (x86)\bffnyvelrmgyvdhygimmufclsyt.fck (280B)
    MD5: 0393a7e1d283d53666635f12b7d71677
    SHA1: 7acc2f7d660793e720ae6dce92ab61a476bbdfc3
    SHA256: 185370e7a09557c02b49e709481476cd9ffb277ff1892f844c6fafc4a91eedde
    SHA512: 9692ffb7b53429289a4369c2f3e4e406b03dbd35927a10eeb4b539e31acbde3cfa643e62f52bde46cc50bc241c436b43f4502d83d5495c55daa6dc89022a0ee1

  • C:\Program Files (x86)\bffnyvelrmgyvdhygimmufclsyt.fck (280B)
    MD5: a344d035282b57ec66ec535acd7e5042
    SHA1: 251cf0c345672f79047fda6b6ae371cf3ddd1f50
    SHA256: cf0c55c30bcc802dd19644f4987e1be6a1f8310b5fcb9bade46637cb0adc46a2
    SHA512: f4018a842662f31bccd75d43e99bfaf73f99506b9493b600bdc803360fabac44877dff641bb35cef8d65d4f1f918f1cbcd29279882af6e10dd6ae5ad0a95dd99

  • C:\Users\Admin\AppData\Local\Temp\mrsbnl.exe (696KB)
    MD5: 55fac89a0312a8b7731191d456165c3b
    SHA1: a507787d22f0bef7b3795776e642eaf84e091299
    SHA256: a9d864dce23858266ced8b5067eac07fa66b0b309e3a8213b5d96fb3ecb439d9
    SHA512: c6e937979d4afe702b7a3dc1106f7cd22a4101b6414d3a9e08ce455ca0cb8b96e82b42e50edf0e963e27192ed59a7d1115548ba23a97d914325c2a19c3b1c072

  • C:\Users\Admin\AppData\Local\bffnyvelrmgyvdhygimmufclsyt.fck (280B)
    MD5: 7c00b34c123a082b074ed3606ae8831b
    SHA1: c698b9113e1dff3da421a9219f230624b474befc
    SHA256: 2a183ad633bd5e0d2ad3ca5164164a0392d8bfe4328b8b8e7c2494839debf149
    SHA512: 49b16f2099f57f7b5d8a93f94f965eb265f952a8c80007463184516c2c57520301b96a58b832c054b204111b988d762efa076177e139781d57d599f3d82d4f9f

  • C:\Users\Admin\AppData\Local\bffnyvelrmgyvdhygimmufclsyt.fck (280B)
    MD5: 8e6e2f4443108f36ed0cce3b92e3be0e
    SHA1: 9c5e438ff0d81bd00126bd6aa32a7be9eb299057
    SHA256: 2d2d6a8403414f67951018d022bc1ab13c888bab2e51c45bdee981cd210a9677
    SHA512: 9318ba8d64f37e923474de56fe5fa87eee15453ebc30a6aa696b04d854d38a25132b8ab0f97d28ff626d1bbd640a240a356a292d09ded07997dbe2e896f25db5

  • C:\Users\Admin\AppData\Local\bffnyvelrmgyvdhygimmufclsyt.fck (280B)
    MD5: 5ac60573748db453da0cb24dfb2b435b
    SHA1: 4f5f7f873aef7663795921496401f56e580e5b1b
    SHA256: ae2310f96f02a851c88d162b412bbf124e97bf7cc7a92207fe4ca280748522b8
    SHA512: 8d470d38003ef5bcdcdc3528678d1948c3fea2e02be2aa391b93fd3205f15f5717dba59d3734f20cc9874d84e992130264ea79c7476a4a67e2949a9fbf378ccf

  • C:\Users\Admin\AppData\Local\ynyrnvphyejmuncexkzkdzhbtkqvygzoqjwlwp.tnf (4KB)
    MD5: d7d6af6a325a7f56f4c507cfdcbcf396
    SHA1: 15263bb8490ef03c32ef5c81b1e8b6b51508ba94
    SHA256: 6b802623acaf4747cad5afac3d552d91937ad145ee44e274f58b3fb7a3864ca2
    SHA512: 1756c83158526301aeb1e246c2059a8d02a64388954968cf84bffd9edb635c32f49c3b42ed7ba428763da1b888837af81f6f1a885b034d54a91625dbaacca42d