Analysis

  • max time kernel
    178s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2022, 06:39

General

  • Target

    db8deaaefee1927cc7237e8ca9d28f3721336d105253d9858fd0e247261fc067.exe

  • Size

    47KB

  • MD5

    63f83e10075b4c8c5d77439d0db62cd1

  • SHA1

    9142c668c3d48a54af8b5f3cf89e7db5a538c068

  • SHA256

    db8deaaefee1927cc7237e8ca9d28f3721336d105253d9858fd0e247261fc067

  • SHA512

    aa1a64656ed9e4ab9c0ab572fd9edcf40cce6e6fa3f726778b1cf4dc702aab9a1673b34653f808b3b394edfd364e377012566d0abd4cf7535db334e56370af62

  • SSDEEP

    768:p6XSLKmEo9lxZERGo2alk32BwTDAHzA6oGJ69Lj:pWWEov2pIj

Malware Config

Signatures

  • Modifies security service 2 TTPs 3 IoCs
  • Modifies system executable filetype association 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 18 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 22 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 25 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • System policy modification 1 TTPs 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db8deaaefee1927cc7237e8ca9d28f3721336d105253d9858fd0e247261fc067.exe
    "C:\Users\Admin\AppData\Local\Temp\db8deaaefee1927cc7237e8ca9d28f3721336d105253d9858fd0e247261fc067.exe"
    1⤵
    • Modifies security service
    • Modifies system executable filetype association
    • Modifies visibility of hidden/system files in Explorer
    • UAC bypass
    • Windows security bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Sets file execution options in registry
    • Windows security modification
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1632
    • C:\Windows\SysWOW64\Cacls.exe
      Cacls "C:\Windows" /p everyone:f /e
      2⤵
      PID:996
    • C:\Windows\SysWOW64\Cacls.exe
      Cacls "C:\Windows" /p everyone:n /e
      2⤵
      PID:1756
    • C:\Windows\SysWOW64\Schtasks.exe
      Schtasks /create /sc onstart /tn ssms /tr "C:\Windows\ssms.exe" /ru System
      2⤵
      • Creates scheduled task(s)
      PID:1712
    • C:\Windows\SysWOW64\Cacls.exe
      Cacls "C:\Windows" /p everyone:f /e
      2⤵
      PID:1140
    • C:\Windows\SysWOW64\Cacls.exe
      Cacls "C:\Windows" /p everyone:n /e
      2⤵
      PID:1564
    • C:\Windows\SysWOW64\Schtasks.exe
      Schtasks /run /tn ssms
      2⤵
      PID:1692
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {22AC9021-533F-48A4-AB26-2AB105CDE741} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\ssms.exe
      C:\Windows\ssms.exe
      2⤵
      • Modifies security service
      • Modifies system executable filetype association
      • UAC bypass
      • Windows security bypass
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Sets file execution options in registry
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1828
      • C:\Windows\SysWOW64\Schtasks.exe
        Schtasks /create /sc onstart /tn ssms /tr "C:\Windows\ssms.exe" /ru System
        3⤵
        • Creates scheduled task(s)
        PID:1052
      • C:\Windows\SysWOW64\Cacls.exe
        Cacls "C:\Windows" /p everyone:f /e
        3⤵
        PID:768
      • C:\Windows\SysWOW64\Cacls.exe
        Cacls "C:\Windows" /p everyone:n /e
        3⤵
        PID:1468
      • C:\Windows\SysWOW64\Sab0tagE.exe
        C:\Windows\System32\Sab0tagE.exe
        3⤵
        • Modifies security service
        • Modifies system executable filetype association
        • UAC bypass
        • Windows security bypass
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2012
        • C:\Windows\SysWOW64\Schtasks.exe
          Schtasks /create /sc onstart /tn ssms /tr "C:\Windows\ssms.exe" /ru System
          4⤵
          • Creates scheduled task(s)
          PID:2020

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\Sab0tagE.exe

    Filesize

    47KB

    MD5

    11b033f096fe729364458aa1e30a40df

    SHA1

    b549780efe751c51494614e18fd3df78c0110baf

    SHA256

    5f0b47715081542bc970fa435de80d5a86001deef06b6ca2a9272a5247333bfd

    SHA512

    4b52e5a5a35f028b34348f2dc816131dcea8836708d6d90a12a6381a0e39a4a2554d85a9581f8d064cc7b7cd5f0998f96e40a5e82aa1715f60f5a992ffd2ba1f

  • C:\Windows\ssms.exe

    Filesize

    47KB

    MD5

    9185b5c631bb8b7bb674395e57237457

    SHA1

    58089d5622881bf30ec7a91119ad1a449118b48f

    SHA256

    78b95311e9c269ea1fa4f1577ed59a39727591f97768e5f7c41a6936d1180e94

    SHA512

    ed76a7b61b202b3417855696d5d5d6fce8e897be0319a5d5f1adeba0d5f9cb369c64dd8b32d24aac94ded73790199872f12a4c2e7bac9e7ac9d8191a43d8a579

  • C:\Windows\system32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    4f6b3e8a0ca3a608ebf89fccf149d959

    SHA1

    7e611949dcb4581a5b01231d5368047d439d9208

    SHA256

    580a43d57f08203a0a5f51c9cc3da4a2d79d3a75bba7a3ceeaa5f6ee25c1e1a3

    SHA512

    57c9f597e2138e05eb899b2caed20a55a47edd4b5c9be944ab6bb5f4481cd2e763a6aae25a1fea2e404a1e5134a8bbcc3a1a6aec4f622c319beb8d11487771ea

  • \Windows\SysWOW64\Sab0tagE.exe

    Filesize

    47KB

    MD5

    11b033f096fe729364458aa1e30a40df

    SHA1

    b549780efe751c51494614e18fd3df78c0110baf

    SHA256

    5f0b47715081542bc970fa435de80d5a86001deef06b6ca2a9272a5247333bfd

    SHA512

    4b52e5a5a35f028b34348f2dc816131dcea8836708d6d90a12a6381a0e39a4a2554d85a9581f8d064cc7b7cd5f0998f96e40a5e82aa1715f60f5a992ffd2ba1f

  • memory/1632-65-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1632-59-0x0000000075B41000-0x0000000075B43000-memory.dmp

    Filesize

    8KB

  • memory/1632-56-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1632-62-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1828-71-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1828-87-0x00000000003D0000-0x00000000003DE000-memory.dmp

    Filesize

    56KB

  • memory/1828-88-0x00000000003D0000-0x00000000003DE000-memory.dmp

    Filesize

    56KB

  • memory/1828-89-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1828-90-0x00000000003D0000-0x00000000003DE000-memory.dmp

    Filesize

    56KB

  • memory/2012-85-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB