Analysis

  • max time kernel
    179s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    09-03-2022 04:30

General

  • Target

    dac68e2f9df041aacd69b3f29a37c5d2de0c38638772b9ab973d0f242febc4c8.exe

  • Size

    16.3MB

  • MD5

    e43ee6c5054feb07a7ff7d218e50b5f4

  • SHA1

    349856aaa3a026768369e0d0a113ffa2287c2852

  • SHA256

    dac68e2f9df041aacd69b3f29a37c5d2de0c38638772b9ab973d0f242febc4c8

  • SHA512

    8f43cb072fe37eb859d9f4b019dd45d441b3f9421a8d931c1d6e4d76c1f81eda56bfc8d70996b3dab4e5d54e6cb978943e9f5643b0ffe90e4a98ed9798d5de46

Malware Config

Signatures

  • UAC bypass 3 TTPs
  • Executes dropped EXE 2 IoCs
  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 17 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dac68e2f9df041aacd69b3f29a37c5d2de0c38638772b9ab973d0f242febc4c8.exe
    "C:\Users\Admin\AppData\Local\Temp\dac68e2f9df041aacd69b3f29a37c5d2de0c38638772b9ab973d0f242febc4c8.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1596
    • C:\Windows\host\Host.exe
      "C:\Windows\host\Host.exe" /install
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4700
      • C:\Windows\SysWOW64\sc.exe
        sc delete HostServer
        3⤵
          PID:1980
        • C:\Windows\host\HostSys.exe
          C:\Windows\host\HostSys.exe /silentinstall
          3⤵
          • Executes dropped EXE
          PID:3792
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dac68e2f9df041aacd69b3f29a37c5d2de0c38638772b9ab973d0f242febc4c8.vbs"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4552
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dac68e2f9df041aacd69b3f29a37c5d2de0c38638772b9ab973d0f242febc4c8.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1456
          • C:\Windows\SysWOW64\chcp.com
            chcp 1251
            4⤵
              PID:1040

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1596-130-0x0000000003300000-0x0000000003301000-memory.dmp

    Filesize

    4KB

  • memory/3792-138-0x0000000002830000-0x0000000002831000-memory.dmp

    Filesize

    4KB

  • memory/4700-134-0x0000000002FD0000-0x0000000002FD1000-memory.dmp

    Filesize

    4KB