Overview

overview

10

Static

static

3c28e0ea15...bc.exe

windows7_x64

10

3c28e0ea15...bc.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    94s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    03-07-2022 08:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c28e0ea1590a299b036aa07fa7175a252bf506cc69843021747c906dad1b6bc.exe

  • Size

    476KB

  • MD5

    e0b6bbd9bc80c81573743aba3a1494ba

  • SHA1

    4987e7b22170e272232b5ad4935212da4b24f009

  • SHA256

    3c28e0ea1590a299b036aa07fa7175a252bf506cc69843021747c906dad1b6bc

  • SHA512

    cbacf11bc04099ccbb9c540b4145568ebda3d49b7f053d90f993bf9e29f07950942f032d7bd092adaabebabe6be89a19fe890005957f06fa34c7adc9a4f42715

Score
10/10
evasiontrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 15 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c28e0ea1590a299b036aa07fa7175a252bf506cc69843021747c906dad1b6bc.exe
    "C:\Users\Admin\AppData\Local\Temp\3c28e0ea1590a299b036aa07fa7175a252bf506cc69843021747c906dad1b6bc.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:992
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Windows\system32\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        PID:1748
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Windows\system32\sc.exe
        sc delete WinDefend
        3⤵
        • Launches sc.exe
        PID:1428
    • C:\Windows\SysWOW64\cmd.exe
      /c sc stop WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\SysWOW64\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        PID:1112
    • C:\Windows\SysWOW64\cmd.exe
      /c sc delete WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Windows\SysWOW64\sc.exe
        sc delete WinDefend
        3⤵
        • Launches sc.exe
        PID:924
    • C:\Windows\SysWOW64\cmd.exe
      /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1744
    • C:\Users\Admin\AppData\Roaming\diskram\3c28e0ea1790a299b038aa09fa9197a272bf708cc89843021949c908dad1b8bc.exe
      C:\Users\Admin\AppData\Roaming\diskram\3c28e0ea1790a299b038aa09fa9197a272bf708cc89843021949c908dad1b8bc.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1468
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableRealtimeMonitoring $true
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:836
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
        3⤵
          PID:688
          • C:\Windows\system32\sc.exe
            sc stop WinDefend
            4⤵
            • Launches sc.exe
            PID:1360
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
          3⤵
            PID:800
            • C:\Windows\system32\sc.exe
              sc delete WinDefend
              4⤵
              • Launches sc.exe
              PID:700
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            3⤵
              PID:988
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {489BF8C9-B008-422A-955F-4FE77C8D08A1} S-1-5-18:NT AUTHORITY\System:Service:
          1⤵
            PID:1088
            • C:\Users\Admin\AppData\Roaming\diskram\3c28e0ea1790a299b038aa09fa9197a272bf708cc89843021949c908dad1b8bc.exe
              C:\Users\Admin\AppData\Roaming\diskram\3c28e0ea1790a299b038aa09fa9197a272bf708cc89843021949c908dad1b8bc.exe
              2⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:1604
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
                3⤵
                  PID:1716
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell Set-MpPreference -DisableRealtimeMonitoring $true
                    4⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:684
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
                  3⤵
                    PID:832
                    • C:\Windows\system32\sc.exe
                      sc stop WinDefend
                      4⤵
                      • Launches sc.exe
                      PID:1028
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
                    3⤵
                      PID:1776
                      • C:\Windows\system32\sc.exe
                        sc delete WinDefend
                        4⤵
                        • Launches sc.exe
                        PID:1628
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe
                      3⤵
                        PID:1668

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1819626980-2277161760-1023733287-1000\0f5007522459c86e95ffcc62f32308f1_e0ffcd78-9b22-40d1-a23f-5e55cdd3b217
                    Filesize

                    1KB

                    MD5

                    aaecc604867c044e77829bdfa7817af6

                    SHA1

                    28ab5314fc176e647602cfa31a8960a1c1c81db2

                    SHA256

                    18dfd65da36e4b85743a9b681a108ed35b64f9596acb03d5d037de11b4e31838

                    SHA512

                    f59ea26284e15c220a6dd5c18c38e6e8ae3302ffac7a7e8dcdbf13c02ae90013ac4c02b2b3f9a3f039784fb6f4e2682c1c3476283b2e085a278c099fba5aa177

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                    Filesize

                    7KB

                    MD5

                    2c561b870b1bbb9dc8394b1821cd1bac

                    SHA1

                    3b07d1b6784f50acfc43ccd6cdda0a0920e9a432

                    SHA256

                    74d16beed863b1c0228611107e600f7a073e4a2e2b42c57c65b95f1039effd7b

                    SHA512

                    d25d7eac36d258bcf68e785252894e3de4c5286c67f589fb097db032955170870ea5b04f70e2ea51338883c12841711efaead4255cc7567a04b2a12ab301bde6

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\diskram\3c28e0ea1790a299b038aa09fa9197a272bf708cc89843021949c908dad1b8bc.exe
                    Filesize

                    476KB

                    MD5

                    e0b6bbd9bc80c81573743aba3a1494ba

                    SHA1

                    4987e7b22170e272232b5ad4935212da4b24f009

                    SHA256

                    3c28e0ea1590a299b036aa07fa7175a252bf506cc69843021747c906dad1b6bc

                    SHA512

                    cbacf11bc04099ccbb9c540b4145568ebda3d49b7f053d90f993bf9e29f07950942f032d7bd092adaabebabe6be89a19fe890005957f06fa34c7adc9a4f42715

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\diskram\3c28e0ea1790a299b038aa09fa9197a272bf708cc89843021949c908dad1b8bc.exe
                    Filesize

                    476KB

                    MD5

                    e0b6bbd9bc80c81573743aba3a1494ba

                    SHA1

                    4987e7b22170e272232b5ad4935212da4b24f009

                    SHA256

                    3c28e0ea1590a299b036aa07fa7175a252bf506cc69843021747c906dad1b6bc

                    SHA512

                    cbacf11bc04099ccbb9c540b4145568ebda3d49b7f053d90f993bf9e29f07950942f032d7bd092adaabebabe6be89a19fe890005957f06fa34c7adc9a4f42715

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\diskram\3c28e0ea1790a299b038aa09fa9197a272bf708cc89843021949c908dad1b8bc.exe
                    Filesize

                    476KB

                    MD5

                    e0b6bbd9bc80c81573743aba3a1494ba

                    SHA1

                    4987e7b22170e272232b5ad4935212da4b24f009

                    SHA256

                    3c28e0ea1590a299b036aa07fa7175a252bf506cc69843021747c906dad1b6bc

                    SHA512

                    cbacf11bc04099ccbb9c540b4145568ebda3d49b7f053d90f993bf9e29f07950942f032d7bd092adaabebabe6be89a19fe890005957f06fa34c7adc9a4f42715

                    Download Submit

                  • \??\PIPE\srvsvc
                    MD5

                    d41d8cd98f00b204e9800998ecf8427e

                    SHA1

                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                    SHA256

                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                    SHA512

                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                    Download Submit

                  • \Users\Admin\AppData\Roaming\diskram\3c28e0ea1790a299b038aa09fa9197a272bf708cc89843021949c908dad1b8bc.exe
                    Filesize

                    476KB

                    MD5

                    e0b6bbd9bc80c81573743aba3a1494ba

                    SHA1

                    4987e7b22170e272232b5ad4935212da4b24f009

                    SHA256

                    3c28e0ea1590a299b036aa07fa7175a252bf506cc69843021747c906dad1b6bc

                    SHA512

                    cbacf11bc04099ccbb9c540b4145568ebda3d49b7f053d90f993bf9e29f07950942f032d7bd092adaabebabe6be89a19fe890005957f06fa34c7adc9a4f42715

                    Download Submit

                  • \Users\Admin\AppData\Roaming\diskram\3c28e0ea1790a299b038aa09fa9197a272bf708cc89843021949c908dad1b8bc.exe
                    Filesize

                    476KB

                    MD5

                    e0b6bbd9bc80c81573743aba3a1494ba

                    SHA1

                    4987e7b22170e272232b5ad4935212da4b24f009

                    SHA256

                    3c28e0ea1590a299b036aa07fa7175a252bf506cc69843021747c906dad1b6bc

                    SHA512

                    cbacf11bc04099ccbb9c540b4145568ebda3d49b7f053d90f993bf9e29f07950942f032d7bd092adaabebabe6be89a19fe890005957f06fa34c7adc9a4f42715

                    Download Submit

                  • memory/684-135-0x0000000000E9B000-0x0000000000EBA000-memory.dmp

                    Filesize

                    124KB

                    Download

                  • memory/684-134-0x0000000000E94000-0x0000000000E97000-memory.dmp

                    Filesize

                    12KB

                    Download

                  • memory/684-133-0x0000000000E9B000-0x0000000000EBA000-memory.dmp

                    Filesize

                    124KB

                    Download

                  • memory/684-132-0x0000000000E94000-0x0000000000E97000-memory.dmp

                    Filesize

                    12KB

                    Download

                  • memory/684-127-0x000007FEF2D00000-0x000007FEF385D000-memory.dmp

                    Filesize

                    11.4MB

                    Download

                  • memory/684-124-0x000007FEF3860000-0x000007FEF4283000-memory.dmp

                    Filesize

                    10.1MB

                    Download

                  • memory/684-116-0x0000000000000000-mapping.dmp

                    Download

                  • memory/688-80-0x0000000000000000-mapping.dmp

                    Download

                  • memory/700-93-0x0000000000000000-mapping.dmp

                    Download

                  • memory/780-68-0x0000000000000000-mapping.dmp

                    Download

                  • memory/800-82-0x0000000000000000-mapping.dmp

                    Download

                  • memory/832-114-0x0000000000000000-mapping.dmp

                    Download

                  • memory/836-104-0x00000000028DB000-0x00000000028FA000-memory.dmp

                    Filesize

                    124KB

                    Download

                  • memory/836-103-0x00000000028D4000-0x00000000028D7000-memory.dmp

                    Filesize

                    12KB

                    Download

                  • memory/836-99-0x000000001B720000-0x000000001BA1F000-memory.dmp

                    Filesize

                    3.0MB

                    Download

                  • memory/836-101-0x00000000028D4000-0x00000000028D7000-memory.dmp

                    Filesize

                    12KB

                    Download

                  • memory/836-94-0x000007FEF36A0000-0x000007FEF41FD000-memory.dmp

                    Filesize

                    11.4MB

                    Download

                  • memory/836-81-0x0000000000000000-mapping.dmp

                    Download

                  • memory/836-91-0x000007FEF4200000-0x000007FEF4C23000-memory.dmp

                    Filesize

                    10.1MB

                    Download

                  • memory/924-72-0x0000000000000000-mapping.dmp

                    Download

                  • memory/988-97-0x0000000010000000-0x000000001001E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/988-95-0x0000000000000000-mapping.dmp

                    Download

                  • memory/992-59-0x0000000000000000-mapping.dmp

                    Download

                  • memory/992-66-0x000007FEF36A0000-0x000007FEF41FD000-memory.dmp

                    Filesize

                    11.4MB

                    Download

                  • memory/992-63-0x000007FEF4200000-0x000007FEF4C23000-memory.dmp

                    Filesize

                    10.1MB

                    Download

                  • memory/992-106-0x000000000243B000-0x000000000245A000-memory.dmp

                    Filesize

                    124KB

                    Download

                  • memory/992-67-0x0000000002434000-0x0000000002437000-memory.dmp

                    Filesize

                    12KB

                    Download

                  • memory/992-105-0x0000000002434000-0x0000000002437000-memory.dmp

                    Filesize

                    12KB

                    Download

                  • memory/992-60-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/992-70-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

                    Filesize

                    3.0MB

                    Download

                  • memory/1028-117-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1112-64-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1220-102-0x0000000001FA0000-0x0000000001FCA000-memory.dmp

                    Filesize

                    168KB

                    Download

                  • memory/1220-74-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1220-89-0x0000000010000000-0x0000000010007000-memory.dmp

                    Filesize

                    28KB

                    Download

                  • memory/1220-84-0x0000000001FA0000-0x0000000001FCA000-memory.dmp

                    Filesize

                    168KB

                    Download

                  • memory/1360-85-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1364-57-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1428-62-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1448-61-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1468-78-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1540-55-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1552-56-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1604-131-0x00000000004C0000-0x00000000004EA000-memory.dmp

                    Filesize

                    168KB

                    Download

                  • memory/1604-110-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1628-120-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1668-126-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1716-113-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1744-108-0x0000000073830000-0x0000000073DDB000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/1744-107-0x0000000073830000-0x0000000073DDB000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/1744-79-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1748-58-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1776-115-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1808-69-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1980-65-0x00000000021D0000-0x00000000021FA000-memory.dmp

                    Filesize

                    168KB

                    Download

                  • memory/1980-54-0x00000000768D1000-0x00000000768D3000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/1980-100-0x00000000021D0000-0x00000000021FA000-memory.dmp

                    Filesize

                    168KB

                    Download