Overview

overview

10

Static

static

5

60c1cc46d5...a8.exe

windows7-x64

10

60c1cc46d5...a8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2024 17:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60c1cc46d5ec91b74a50e30586d7f36400a9de9455a9c10b514a1863093efea8.exe

  • Size

    22KB

  • MD5

    823a28017a472ca3bbdec3f49421f898

  • SHA1

    843d2818e3ae23bc845e0b4917eee11d8ba25d5f

  • SHA256

    60c1cc46d5ec91b74a50e30586d7f36400a9de9455a9c10b514a1863093efea8

  • SHA512

    6f49418ccfe7a03fea6247aaf618a9188a578a3654acab6f70f0cbe8f53971ce92c77436379cbb4735168e982eaff4f8872bc694f5e9bfbb660950ff5cbfc6f6

  • SSDEEP

    384:UBWoC5GDr6wc/w3HgM6vDUTAXBGCVf4WVlFvXk284EjIm1V:rRkiLw3HsDSARGG/+4EjH

Score
10/10
defense_evasiondiscoveryevasionpersistencetrojanupx

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Drops file in Drivers directory 1 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    remove IFEO.

    defense_evasion
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 12 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1204
        • C:\Users\Admin\AppData\Local\Temp\60c1cc46d5ec91b74a50e30586d7f36400a9de9455a9c10b514a1863093efea8.exe
          "C:\Users\Admin\AppData\Local\Temp\60c1cc46d5ec91b74a50e30586d7f36400a9de9455a9c10b514a1863093efea8.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2252
          • C:\Windows\SysWOW64\rmass.exe
            "C:\Windows\system32\rmass.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Indicator Removal: Clear Persistence
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2696
            • C:\Windows\SysWOW64\rmass.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2704

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\RECOVER32.DLL
        Filesize

        5KB

        MD5

        2b2c28a7a01f9584fe220ef84003427f

        SHA1

        5fc023df0b5064045eb8de7f2dbe26f07f6fec70

        SHA256

        9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb

        SHA512

        39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

        Download Submit

      • C:\Windows\SysWOW64\ahuy.exe
        Filesize

        24KB

        MD5

        63f74238a7cad526f3e75ad5ff494d40

        SHA1

        a3e45dbee80dd08ce49268145de2412d96103246

        SHA256

        e22d8ab85dc8e433da5b4e8268fb60b32dfc22ddf2a45644be9e5ef22c69df9b

        SHA512

        1997e8b0c1be47a7a28aece61c9d65180af085c7264c809d35fca05d561f8c14b9da5facb09b82eaf34ec6733843676a0acf27b0e1d469f66dda4ead7dd6b32e

        Download Submit

      • C:\Windows\SysWOW64\ntdbg.exe
        Filesize

        25KB

        MD5

        0959df06e6ac26946e5b65a7a959c688

        SHA1

        9e3b7b53240fbfdb058b4b97ef708cc93d107032

        SHA256

        0c26e6f37bf6aafc0ed7906f98f5d2d852bcde19c6a6ce0f032eb07ecf6de4cc

        SHA512

        49f91cde9ba0163e642e7d34552f4a89b898373d8f0fdb5af27be3269c76cffa92907756e267b51f72ff3210ddb6922142efda889ff844115f72df3823be9a61

        Download Submit

      • \Windows\SysWOW64\rmass.exe
        Filesize

        22KB

        MD5

        823a28017a472ca3bbdec3f49421f898

        SHA1

        843d2818e3ae23bc845e0b4917eee11d8ba25d5f

        SHA256

        60c1cc46d5ec91b74a50e30586d7f36400a9de9455a9c10b514a1863093efea8

        SHA512

        6f49418ccfe7a03fea6247aaf618a9188a578a3654acab6f70f0cbe8f53971ce92c77436379cbb4735168e982eaff4f8872bc694f5e9bfbb660950ff5cbfc6f6

        Download Submit

      • memory/2252-0-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2252-12-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2696-13-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2696-46-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2704-57-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download