Overview

overview

10

Static

static

8

dControl.exe

windows7-x64

10

dControl.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    22s
  • max time network
    22s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-08-2022 09:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dControl.exe

  • Size

    447KB

  • MD5

    58008524a6473bdf86c1040a9a9e39c3

  • SHA1

    cb704d2e8df80fd3500a5b817966dc262d80ddb8

  • SHA256

    1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

  • SHA512

    8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31

  • SSDEEP

    6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

Score
10/10
evasiontrojanupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 31 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dControl.exe
    "C:\Users\Admin\AppData\Local\Temp\dControl.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1612
    • C:\Users\Admin\AppData\Local\Temp\dControl.exe
      C:\Users\Admin\AppData\Local\Temp\dControl.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1700
      • C:\Users\Admin\AppData\Local\Temp\dControl.exe
        "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /TI
        3⤵
        • Modifies security service
        • Windows security modification
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1688
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220829114740.log C:\Windows\Logs\CBS\CbsPersist_20220829114740.cab
    1⤵
      PID:2036
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /RefreshSystemParam
      1⤵
        PID:904
      • C:\Windows\system32\gpscript.exe
        gpscript.exe /RefreshSystemParam
        1⤵
          PID:568

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1612-54-0x0000000076681000-0x0000000076683000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1612-55-0x0000000000400000-0x00000000004CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/1612-57-0x0000000000400000-0x00000000004CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/1688-60-0x0000000000400000-0x00000000004CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/1688-61-0x0000000000400000-0x00000000004CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/1688-62-0x0000000000400000-0x00000000004CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/1700-59-0x0000000000400000-0x00000000004CD000-memory.dmp

          Filesize

          820KB

          Download