Overview

overview

10

Static

static

b266716ff4...50.exe

windows7_x64

10

b266716ff4...50.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    173s
  • max time network
    189s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 22:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b266716ff41ca7d2a05994174c5f75083081c9dfd5b6fb8abb7f2a7c0e373950.exe

  • Size

    603KB

  • MD5

    202a640b5da9a32d7050cf39eb0f7726

  • SHA1

    d499984e6bd951514997ded82485e10844b329f6

  • SHA256

    b266716ff41ca7d2a05994174c5f75083081c9dfd5b6fb8abb7f2a7c0e373950

  • SHA512

    20d46542201adab3da36a971f35cee594036ec3164bc990f9b7bba3b8a8d82c69e323a7b445b9a4045e4e3266e70e1b885d7c78e30ca34bdb111b2966ddb41c0

Score
10/10
evasiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 7 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • NTFS ADS 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b266716ff41ca7d2a05994174c5f75083081c9dfd5b6fb8abb7f2a7c0e373950.exe
    "C:\Users\Admin\AppData\Local\Temp\b266716ff41ca7d2a05994174c5f75083081c9dfd5b6fb8abb7f2a7c0e373950.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Users\Admin\AppData\Local\Temp\InstallDir\Dllhost.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallDir\Dllhost.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\InstallDir\Dllhost.exe" "Dllhost.exe" ENABLE
        3⤵
          PID:3080
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4840
          • C:\Windows\SysWOW64\reg.exe
            C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            4⤵
            • Modifies registry key
            PID:4616
        • C:\Windows\SysWOW64\netsh.exe
          netsh.exe firewall set opmode disable
          3⤵
            PID:2696

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Privilege Escalation

      Bypass User Account Control

      1
      T1088

      Defense Evasion

      Bypass User Account Control

      1
      T1088

      Disabling Security Tools

      1
      T1089

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Isolated Storage\{45007100-4A00-5000-6F00-380074006A00}
        Filesize

        384B

        MD5

        3d89818039ddcebca67f70506b37dc9c

        SHA1

        82ecc3edc666019a0be66c9add2b9ea8e8ddfd12

        SHA256

        516937956393d78cde752d6a2835b7098ea725595210394b1c1498eee2206d43

        SHA512

        3e26de541507523d47a75cbacedb965364598bdb6d3fd79fe6cff57a4a8371a593201323bdfd77e731e8352d8a2be643f83f00433f267ad7c96603ede086d615

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\InstallDir\Dllhost.exe
        Filesize

        603KB

        MD5

        202a640b5da9a32d7050cf39eb0f7726

        SHA1

        d499984e6bd951514997ded82485e10844b329f6

        SHA256

        b266716ff41ca7d2a05994174c5f75083081c9dfd5b6fb8abb7f2a7c0e373950

        SHA512

        20d46542201adab3da36a971f35cee594036ec3164bc990f9b7bba3b8a8d82c69e323a7b445b9a4045e4e3266e70e1b885d7c78e30ca34bdb111b2966ddb41c0

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\InstallDir\Dllhost.exe
        Filesize

        603KB

        MD5

        202a640b5da9a32d7050cf39eb0f7726

        SHA1

        d499984e6bd951514997ded82485e10844b329f6

        SHA256

        b266716ff41ca7d2a05994174c5f75083081c9dfd5b6fb8abb7f2a7c0e373950

        SHA512

        20d46542201adab3da36a971f35cee594036ec3164bc990f9b7bba3b8a8d82c69e323a7b445b9a4045e4e3266e70e1b885d7c78e30ca34bdb111b2966ddb41c0

        Download Submit
      • C:\odt:{78006D00-6900-3500-4D00-470059004100}
        Filesize

        472B

        MD5

        931d83969d8691ab9c5f5dc8b7ae05c7

        SHA1

        fa91ccfac4ab90c41213ec894a4499622c4927cd

        SHA256

        621d7cdd32efaa9c095f2532802431bd15b8de7851343bdd133f97c213d03fb0

        SHA512

        f67ed3004ec4a5a9d4291df2881612aab49113a6b31366d328b5ff28a9577716b3fb7c72628a2db153fb736603a1ca02e40b1488aeb02fd4eb26d2b53207c7c6

        Download Submit
      • memory/2212-130-0x0000000074BC0000-0x0000000075171000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2696-140-0x0000000000000000-mapping.dmp
        Download
      • memory/3080-138-0x0000000000000000-mapping.dmp
        Download
      • memory/4616-141-0x0000000000000000-mapping.dmp
        Download
      • memory/4840-139-0x0000000000000000-mapping.dmp
        Download
      • memory/4896-131-0x0000000000000000-mapping.dmp
        Download
      • memory/4896-136-0x0000000074BC0000-0x0000000075171000-memory.dmp
        Filesize

        5.7MB

        Download