Overview

overview

10

Static

static

70aa626b05...4a.exe

windows7-x64

8

70aa626b05...4a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/10/2022, 20:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    70aa626b0591bece87c1074a1cafcdae10ce2904bd55c0b034ca3367e59e9f4a.exe

  • Size

    273KB

  • MD5

    6b62fbffb83368368ffa51e2a4438a94

  • SHA1

    83f358b6f8812699eaf850c1e0ae83acb5d176d9

  • SHA256

    70aa626b0591bece87c1074a1cafcdae10ce2904bd55c0b034ca3367e59e9f4a

  • SHA512

    ddb6c071152bd1bbe72dc50c282d626e225db3766c3b0ee889b6d9b670be8da49fa6607764cdb8be474b560c9df0507b95781074125ea1ec439d1b613c4378ed

  • SSDEEP

    3072:kGu9BlfzWIbXWm+w0Jo5iZCxnBwR8AZxClXgoxqMSzbgEFYtNkx1kqxgbLeJ5j1P:k/0uoCxFArClXdSzvFSNXbK1ArAOFhI

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\70aa626b0591bece87c1074a1cafcdae10ce2904bd55c0b034ca3367e59e9f4a.exe
    "C:\Users\Admin\AppData\Local\Temp\70aa626b0591bece87c1074a1cafcdae10ce2904bd55c0b034ca3367e59e9f4a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hh.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hh.exe
      2⤵
      • Executes dropped EXE
      PID:4916
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\document.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\document.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\document.exe
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\document.exe"
        3⤵
        • Modifies firewall policy service
        • UAC bypass
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3276
        • C:\Windows\SysWOW64\NvMcTray.exe
          "C:\Windows\system32\NvMcTray.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4500
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32.exe "C:\Users\Admin\AppData\Local\Rutimse.dll",Startup
            5⤵
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:2076
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe "C:\Users\Admin\AppData\Local\Rutimse.dll",iep
              6⤵
              • Loads dropped DLL
              PID:3036

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Rutimse.dll
    Filesize

    79KB

    MD5

    5d1423367447aa893b5205e54afd2b17

    SHA1

    9bc3bd4a25bb9f889b585d461a39b94c177166b0

    SHA256

    c38239c98d9ba20e7af37cd7e516dc69d3accfaf699d9d517976f6cfeccb052c

    SHA512

    e3755609e320963576131594acfac101e794ba794cd0cf8e910d6ed9cd004bb58b022fbfde2b9fd2d6e267c20f2c4f081207e967fcc021b532fce81614fb4f61

    Download Submit

  • C:\Users\Admin\AppData\Local\Rutimse.dll
    Filesize

    79KB

    MD5

    5d1423367447aa893b5205e54afd2b17

    SHA1

    9bc3bd4a25bb9f889b585d461a39b94c177166b0

    SHA256

    c38239c98d9ba20e7af37cd7e516dc69d3accfaf699d9d517976f6cfeccb052c

    SHA512

    e3755609e320963576131594acfac101e794ba794cd0cf8e910d6ed9cd004bb58b022fbfde2b9fd2d6e267c20f2c4f081207e967fcc021b532fce81614fb4f61

    Download Submit

  • C:\Users\Admin\AppData\Local\Rutimse.dll
    Filesize

    79KB

    MD5

    5d1423367447aa893b5205e54afd2b17

    SHA1

    9bc3bd4a25bb9f889b585d461a39b94c177166b0

    SHA256

    c38239c98d9ba20e7af37cd7e516dc69d3accfaf699d9d517976f6cfeccb052c

    SHA512

    e3755609e320963576131594acfac101e794ba794cd0cf8e910d6ed9cd004bb58b022fbfde2b9fd2d6e267c20f2c4f081207e967fcc021b532fce81614fb4f61

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\document.exe
    Filesize

    394KB

    MD5

    c1a5ba03f0ba9832cc87180a4c4622a5

    SHA1

    b6c0f0588c8efffc48f308dfddecbf6170204dd9

    SHA256

    e41e19b9ee8889b3887b8cacf264468c661bdf382706bbd9052c1f95c4eea504

    SHA512

    540e6077bf6a8739e9c9b28d609ef453c8a08cef9b81b018271aa7e83455c866e55af20a9545c8f73977d128fee64e1016fb00c4b3016d53925b62f0fb9eaa16

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\document.exe
    Filesize

    394KB

    MD5

    c1a5ba03f0ba9832cc87180a4c4622a5

    SHA1

    b6c0f0588c8efffc48f308dfddecbf6170204dd9

    SHA256

    e41e19b9ee8889b3887b8cacf264468c661bdf382706bbd9052c1f95c4eea504

    SHA512

    540e6077bf6a8739e9c9b28d609ef453c8a08cef9b81b018271aa7e83455c866e55af20a9545c8f73977d128fee64e1016fb00c4b3016d53925b62f0fb9eaa16

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\document.exe
    Filesize

    394KB

    MD5

    c1a5ba03f0ba9832cc87180a4c4622a5

    SHA1

    b6c0f0588c8efffc48f308dfddecbf6170204dd9

    SHA256

    e41e19b9ee8889b3887b8cacf264468c661bdf382706bbd9052c1f95c4eea504

    SHA512

    540e6077bf6a8739e9c9b28d609ef453c8a08cef9b81b018271aa7e83455c866e55af20a9545c8f73977d128fee64e1016fb00c4b3016d53925b62f0fb9eaa16

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hh.exe
    Filesize

    28KB

    MD5

    074728563a5b5eb857b3f365d629b59b

    SHA1

    c78832f7ee345c94f47d9b319834c965a096d3f2

    SHA256

    adec92253a3f64f5ee83d4c3158db8cfff83215a82ea833c109689d5a0d644a4

    SHA512

    0800765f1d7de2a84fe2c6b92e777c008fb5043d857d602235818e8cb57a465068c44f3e6b068fd1ed03d881f4d97a678f940978c3056ad60c6821d3594b64c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hh.exe
    Filesize

    28KB

    MD5

    074728563a5b5eb857b3f365d629b59b

    SHA1

    c78832f7ee345c94f47d9b319834c965a096d3f2

    SHA256

    adec92253a3f64f5ee83d4c3158db8cfff83215a82ea833c109689d5a0d644a4

    SHA512

    0800765f1d7de2a84fe2c6b92e777c008fb5043d857d602235818e8cb57a465068c44f3e6b068fd1ed03d881f4d97a678f940978c3056ad60c6821d3594b64c3

    Download Submit

  • C:\Windows\SysWOW64\NvMcTray.exe
    Filesize

    79KB

    MD5

    590ffc586126fa0cedfc82f8e5e20c56

    SHA1

    afa7091d732bd228cb6ec4af63544ff9eb1233be

    SHA256

    5877a70e36f1d51945837daae394da0275ca57e8acbb725fad992b454b7d16c6

    SHA512

    d4b36ac52fdee2fb243d15b0713c3aab0630b07e6dd821380553bdf0176a0325d83122e3eaa9507bea5c8a068761eebb6c9c82c9e49edb011e952d61a7826a84

    Download Submit

  • C:\Windows\SysWOW64\NvMcTray.exe
    Filesize

    79KB

    MD5

    590ffc586126fa0cedfc82f8e5e20c56

    SHA1

    afa7091d732bd228cb6ec4af63544ff9eb1233be

    SHA256

    5877a70e36f1d51945837daae394da0275ca57e8acbb725fad992b454b7d16c6

    SHA512

    d4b36ac52fdee2fb243d15b0713c3aab0630b07e6dd821380553bdf0176a0325d83122e3eaa9507bea5c8a068761eebb6c9c82c9e49edb011e952d61a7826a84

    Download Submit

  • memory/2076-176-0x00000000013C1000-0x00000000013CF000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2076-173-0x0000000010000000-0x0000000010016000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2076-172-0x0000000010000000-0x0000000010016000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3036-183-0x0000000002891000-0x000000000289F000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3276-154-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3276-145-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3276-156-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3276-153-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3276-157-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3276-160-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3276-158-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3276-159-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3276-149-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3276-151-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3276-140-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3276-141-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3276-142-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3276-144-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3276-152-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3276-155-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4500-168-0x0000000002321000-0x000000000232F000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4500-166-0x0000000010001000-0x000000001000D000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4500-165-0x0000000010000000-0x0000000010016000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4500-164-0x0000000010000000-0x0000000010016000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4916-135-0x0000000001000000-0x000000000100D000-memory.dmp

    Filesize

    52KB

    Download