Overview

overview

10

Static

static

9

f1a015c0d8...83.exe

windows7_x64

10

f1a015c0d8...83.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    10s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 21:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f1a015c0d8f30aecac2e32e83bc6ad3e1236d3ba709255cb023a740e3fc45483.exe

  • Size

    93KB

  • MD5

    00161aff7e341a7049d1011270c43211

  • SHA1

    f8d4d89c7245fb6f47bf3dfc14197a97b15f3bcf

  • SHA256

    f1a015c0d8f30aecac2e32e83bc6ad3e1236d3ba709255cb023a740e3fc45483

  • SHA512

    18631006d93732182253dfadfba1328172a424b00978072b8345f8351a1cff3f9752ad6db40178f459b937ce524265fba3a6c2a836dbdc3aa206d9a87b43cb0d

Score
10/10
evasiontrojan

Malware Config

Signatures

  • Contains code to disable Windows Defender 4 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • CoreCCC Packer 1 IoCs

    Detects CoreCCC packer used to load .NET malware.

  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1a015c0d8f30aecac2e32e83bc6ad3e1236d3ba709255cb023a740e3fc45483.exe
    "C:\Users\Admin\AppData\Local\Temp\f1a015c0d8f30aecac2e32e83bc6ad3e1236d3ba709255cb023a740e3fc45483.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Users\Admin\AppData\Local\Temp\f1a015c0d8f30aecac2e32e83bc6ad3e1236d3ba709255cb023a740e3fc45483.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2960
      • \??\c:\windows\SysWOW64\cmstp.exe
        "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\ozgtgypf.inf
        3⤵
          PID:4872
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4280
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c start C:\Windows\temp\4snyh0mn.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4256
        • C:\Windows\temp\4snyh0mn.exe
          C:\Windows\temp\4snyh0mn.exe
          3⤵
          • Executes dropped EXE
          • Windows security modification
          • Suspicious use of WriteProcessMemory
          PID:2164
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /IM cmstp.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4708

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f1a015c0d8f30aecac2e32e83bc6ad3e1236d3ba709255cb023a740e3fc45483.exe.log
      Filesize

      1KB

      MD5

      400f1cc1a0a0ce1cdabda365ab3368ce

      SHA1

      1ecf683f14271d84f3b6063493dce00ff5f42075

      SHA256

      c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765

      SHA512

      14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

      Download Submit
    • C:\Windows\Temp\4snyh0mn.exe
      Filesize

      12KB

      MD5

      f4b5c1ebf4966256f52c4c4ceae87fb1

      SHA1

      ca70ec96d1a65cb2a4cbf4db46042275dc75813b

      SHA256

      88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

      SHA512

      02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

      Download Submit
    • C:\Windows\temp\4snyh0mn.exe
      Filesize

      12KB

      MD5

      f4b5c1ebf4966256f52c4c4ceae87fb1

      SHA1

      ca70ec96d1a65cb2a4cbf4db46042275dc75813b

      SHA256

      88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

      SHA512

      02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

      Download Submit
    • C:\Windows\temp\ozgtgypf.inf
      Filesize

      583B

      MD5

      57f6ada83cf2ff9f81c39a3d11f71e37

      SHA1

      5fb1225a5d35e1dec59b623af008fc3fac0a7a5d

      SHA256

      1bdaedd55555bce1dd79a6427af6ff7eeccaea0bfc55a57b8fee43438c9bfd67

      SHA512

      df2698ef4c81e6dbfd7423e878fd036b7e5bf9ad0800ce6df93bdf7d6a4734db8ad268481dc6f75a6bd57e51580913d39c5b4e9bedf28cf75b6984edce558179

      Download Submit
    • memory/2164-148-0x00007FFDCF950000-0x00007FFDD0411000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2164-141-0x0000000000000000-mapping.dmp
      Download
    • memory/2164-145-0x00000000001C0000-0x00000000001C8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2960-136-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2960-135-0x0000000000000000-mapping.dmp
      Download
    • memory/3156-130-0x0000000000730000-0x000000000074E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3156-134-0x0000000008CF0000-0x0000000008D8C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3156-133-0x0000000005490000-0x000000000549A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3156-132-0x00000000054C0000-0x0000000005552000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3156-131-0x00000000058D0000-0x0000000005E74000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4256-140-0x0000000000000000-mapping.dmp
      Download
    • memory/4452-144-0x0000000000000000-mapping.dmp
      Download
    • memory/4708-146-0x0000000000000000-mapping.dmp
      Download
    • memory/4708-147-0x000001B9B9970000-0x000001B9B9992000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4708-149-0x00007FFDCF950000-0x00007FFDD0411000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4872-137-0x0000000000000000-mapping.dmp
      Download