Overview

overview

10

Static

static

3c28e0ea15...bc.exe

windows7_x64

10

3c28e0ea15...bc.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    185s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    03-07-2022 08:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c28e0ea1590a299b036aa07fa7175a252bf506cc69843021747c906dad1b6bc.exe

  • Size

    476KB

  • MD5

    e0b6bbd9bc80c81573743aba3a1494ba

  • SHA1

    4987e7b22170e272232b5ad4935212da4b24f009

  • SHA256

    3c28e0ea1590a299b036aa07fa7175a252bf506cc69843021747c906dad1b6bc

  • SHA512

    cbacf11bc04099ccbb9c540b4145568ebda3d49b7f053d90f993bf9e29f07950942f032d7bd092adaabebabe6be89a19fe890005957f06fa34c7adc9a4f42715

Score
10/10
evasiontrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 15 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Launches sc.exe 6 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 51 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c28e0ea1590a299b036aa07fa7175a252bf506cc69843021747c906dad1b6bc.exe
    "C:\Users\Admin\AppData\Local\Temp\3c28e0ea1590a299b036aa07fa7175a252bf506cc69843021747c906dad1b6bc.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4380
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4432
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Windows\system32\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        PID:4392
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4232
      • C:\Windows\system32\sc.exe
        sc delete WinDefend
        3⤵
        • Launches sc.exe
        PID:2064
    • C:\Users\Admin\AppData\Roaming\diskram\3c28e0ea1790a299b038aa09fa9197a272bf708cc89843021949c908dad1b8bc.exe
      C:\Users\Admin\AppData\Roaming\diskram\3c28e0ea1790a299b038aa09fa9197a272bf708cc89843021949c908dad1b8bc.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1548
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableRealtimeMonitoring $true
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:176
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2980
        • C:\Windows\system32\sc.exe
          sc stop WinDefend
          4⤵
          • Launches sc.exe
          PID:212
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3808
        • C:\Windows\system32\sc.exe
          sc delete WinDefend
          4⤵
          • Launches sc.exe
          PID:3984
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:4128
    • C:\Users\Admin\AppData\Roaming\diskram\3c28e0ea1790a299b038aa09fa9197a272bf708cc89843021949c908dad1b8bc.exe
      C:\Users\Admin\AppData\Roaming\diskram\3c28e0ea1790a299b038aa09fa9197a272bf708cc89843021949c908dad1b8bc.exe
      1⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2396
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableRealtimeMonitoring $true
          3⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3836
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3152
        • C:\Windows\system32\sc.exe
          sc stop WinDefend
          3⤵
          • Launches sc.exe
          PID:3208
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
        2⤵
          PID:4748
          • C:\Windows\system32\sc.exe
            sc delete WinDefend
            3⤵
            • Launches sc.exe
            PID:2756
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe
          2⤵
            PID:4752

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          3a6bad9528f8e23fb5c77fbd81fa28e8

          SHA1

          f127317c3bc6407f536c0f0600dcbcf1aabfba36

          SHA256

          986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

          SHA512

          846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3751123196-3323558407-1869646069-1000\0f5007522459c86e95ffcc62f32308f1_6bb404a8-25bc-4cef-a831-797f8d1e89c0
          Filesize

          1KB

          MD5

          8bd11bd682fb305eb26142d4a485b5cc

          SHA1

          6a46f2e5255699a80ff721693e63c031c6cbe428

          SHA256

          e84a12d55e6e7204e25513f6d94357e7c95098b95b9de1f111461c819849a8dd

          SHA512

          d4927b94592ca90e0a18ac787057c92001c964067886dd6324a73e94cdd182f58cc970305a6d9899d6725fbb2457c954c295bc505d60efe5d19f77f02a49457d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\diskram\3c28e0ea1790a299b038aa09fa9197a272bf708cc89843021949c908dad1b8bc.exe
          Filesize

          476KB

          MD5

          e0b6bbd9bc80c81573743aba3a1494ba

          SHA1

          4987e7b22170e272232b5ad4935212da4b24f009

          SHA256

          3c28e0ea1590a299b036aa07fa7175a252bf506cc69843021747c906dad1b6bc

          SHA512

          cbacf11bc04099ccbb9c540b4145568ebda3d49b7f053d90f993bf9e29f07950942f032d7bd092adaabebabe6be89a19fe890005957f06fa34c7adc9a4f42715

          Download Submit

        • C:\Users\Admin\AppData\Roaming\diskram\3c28e0ea1790a299b038aa09fa9197a272bf708cc89843021949c908dad1b8bc.exe
          Filesize

          476KB

          MD5

          e0b6bbd9bc80c81573743aba3a1494ba

          SHA1

          4987e7b22170e272232b5ad4935212da4b24f009

          SHA256

          3c28e0ea1590a299b036aa07fa7175a252bf506cc69843021747c906dad1b6bc

          SHA512

          cbacf11bc04099ccbb9c540b4145568ebda3d49b7f053d90f993bf9e29f07950942f032d7bd092adaabebabe6be89a19fe890005957f06fa34c7adc9a4f42715

          Download Submit

        • C:\Users\Admin\AppData\Roaming\diskram\3c28e0ea1790a299b038aa09fa9197a272bf708cc89843021949c908dad1b8bc.exe
          Filesize

          476KB

          MD5

          e0b6bbd9bc80c81573743aba3a1494ba

          SHA1

          4987e7b22170e272232b5ad4935212da4b24f009

          SHA256

          3c28e0ea1590a299b036aa07fa7175a252bf506cc69843021747c906dad1b6bc

          SHA512

          cbacf11bc04099ccbb9c540b4145568ebda3d49b7f053d90f993bf9e29f07950942f032d7bd092adaabebabe6be89a19fe890005957f06fa34c7adc9a4f42715

          Download Submit

        • memory/176-157-0x00007FFE537D0000-0x00007FFE54291000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/176-162-0x00007FFE537D0000-0x00007FFE54291000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3836-179-0x0000015567AA0000-0x0000015567ABC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/3836-185-0x0000015567B20000-0x0000015567B3A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3836-189-0x00007FFE534A0000-0x00007FFE53F61000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3836-188-0x0000015567B10000-0x0000015567B1A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3836-180-0x00007FFE534A0000-0x00007FFE53F61000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3836-187-0x0000015567B00000-0x0000015567B06000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3836-181-0x000001554F640000-0x000001554F64A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3836-186-0x0000015567AD0000-0x0000015567AD8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3836-182-0x00007FFE534A0000-0x00007FFE53F61000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3836-183-0x0000015567AE0000-0x0000015567AFC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/3836-184-0x0000015567AC0000-0x0000015567ACA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3940-178-0x0000000000DB0000-0x0000000000DDA000-memory.dmp

          Filesize

          168KB

          Download

        • memory/3988-145-0x0000000010000000-0x0000000010007000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3988-159-0x0000000001FC0000-0x0000000001FEA000-memory.dmp

          Filesize

          168KB

          Download

        • memory/4128-150-0x0000000010000000-0x000000001001E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4380-156-0x0000000002220000-0x000000000224A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/4432-139-0x00000205B36C0000-0x00000205B36E2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4432-158-0x00007FFE537D0000-0x00007FFE54291000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4432-155-0x00007FFE537D0000-0x00007FFE54291000-memory.dmp

          Filesize

          10.8MB

          Download