Overview

overview

10

Static

static

b266716ff4...50.exe

windows7_x64

10

b266716ff4...50.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    47s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 22:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b266716ff41ca7d2a05994174c5f75083081c9dfd5b6fb8abb7f2a7c0e373950.exe

  • Size

    603KB

  • MD5

    202a640b5da9a32d7050cf39eb0f7726

  • SHA1

    d499984e6bd951514997ded82485e10844b329f6

  • SHA256

    b266716ff41ca7d2a05994174c5f75083081c9dfd5b6fb8abb7f2a7c0e373950

  • SHA512

    20d46542201adab3da36a971f35cee594036ec3164bc990f9b7bba3b8a8d82c69e323a7b445b9a4045e4e3266e70e1b885d7c78e30ca34bdb111b2966ddb41c0

Score
10/10
evasiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 7 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • NTFS ADS 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b266716ff41ca7d2a05994174c5f75083081c9dfd5b6fb8abb7f2a7c0e373950.exe
    "C:\Users\Admin\AppData\Local\Temp\b266716ff41ca7d2a05994174c5f75083081c9dfd5b6fb8abb7f2a7c0e373950.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Local\Temp\InstallDir\Dllhost.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\Dllhost.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\InstallDir\Dllhost.exe" "Dllhost.exe" ENABLE
        3⤵
          PID:1816
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1340
          • C:\Windows\SysWOW64\reg.exe
            C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            4⤵
            • Modifies registry key
            PID:1172
        • C:\Windows\SysWOW64\netsh.exe
          netsh.exe firewall set opmode disable
          3⤵
            PID:568

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Privilege Escalation

      Bypass User Account Control

      1
      T1088

      Defense Evasion

      Bypass User Account Control

      1
      T1088

      Disabling Security Tools

      1
      T1089

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Isolated Storage\{45007100-4A00-5000-6F00-380074006A00}
        Filesize

        384B

        MD5

        04a5ed6c662fa4cb3812ed654fd3ef64

        SHA1

        f04f736e6c84634430d318161139ca695e824836

        SHA256

        42a4d298857893a33c5d6200c58fcf79407bce6a613fab662ff051246a1d9063

        SHA512

        9f867c4784c803c77b5908fcf668f155056e154e3bca8ed8fe94b48cf970422e1bc3a357e4c3e65e0c6ba5e7a670237cc0ed704b8cc6a3965ff04682e1df0243

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\InstallDir\Dllhost.exe
        Filesize

        603KB

        MD5

        202a640b5da9a32d7050cf39eb0f7726

        SHA1

        d499984e6bd951514997ded82485e10844b329f6

        SHA256

        b266716ff41ca7d2a05994174c5f75083081c9dfd5b6fb8abb7f2a7c0e373950

        SHA512

        20d46542201adab3da36a971f35cee594036ec3164bc990f9b7bba3b8a8d82c69e323a7b445b9a4045e4e3266e70e1b885d7c78e30ca34bdb111b2966ddb41c0

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\InstallDir\Dllhost.exe
        Filesize

        603KB

        MD5

        202a640b5da9a32d7050cf39eb0f7726

        SHA1

        d499984e6bd951514997ded82485e10844b329f6

        SHA256

        b266716ff41ca7d2a05994174c5f75083081c9dfd5b6fb8abb7f2a7c0e373950

        SHA512

        20d46542201adab3da36a971f35cee594036ec3164bc990f9b7bba3b8a8d82c69e323a7b445b9a4045e4e3266e70e1b885d7c78e30ca34bdb111b2966ddb41c0

        Download Submit
      • \Users\Admin\AppData\Local\Temp\InstallDir\Dllhost.exe
        Filesize

        603KB

        MD5

        202a640b5da9a32d7050cf39eb0f7726

        SHA1

        d499984e6bd951514997ded82485e10844b329f6

        SHA256

        b266716ff41ca7d2a05994174c5f75083081c9dfd5b6fb8abb7f2a7c0e373950

        SHA512

        20d46542201adab3da36a971f35cee594036ec3164bc990f9b7bba3b8a8d82c69e323a7b445b9a4045e4e3266e70e1b885d7c78e30ca34bdb111b2966ddb41c0

        Download Submit
      • memory/568-66-0x0000000000000000-mapping.dmp
        Download
      • memory/1092-57-0x0000000000000000-mapping.dmp
        Download
      • memory/1092-62-0x0000000074650000-0x0000000074BFB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1172-67-0x0000000000000000-mapping.dmp
        Download
      • memory/1340-65-0x0000000000000000-mapping.dmp
        Download
      • memory/1816-64-0x0000000000000000-mapping.dmp
        Download
      • memory/2004-54-0x0000000075521000-0x0000000075523000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2004-55-0x0000000074650000-0x0000000074BFB000-memory.dmp
        Filesize

        5.7MB

        Download