Overview

overview

10

Static

static

f26c9ffa3f...86.exe

windows7-x64

10

f26c9ffa3f...86.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2022 08:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886.exe

  • Size

    136KB

  • MD5

    fb9e829aa297d5563b52bd4c23cea20f

  • SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

  • SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

  • SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

  • SSDEEP

    3072:4HXJr2sw7dtCkGdDYjWL1/jfAv6z1GUOH1wSMBGEbBsM27Pf:4HXh2sw7dtCkdwXz1G3HbB7

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 4 IoCs
    evasiontrojan
  • Executes dropped EXE 5 IoCs
  • Modifies Windows Firewall 1 TTPs 2 IoCs
    evasion
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886.exe
    "C:\Users\Admin\AppData\Local\Temp\f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886.exe"
    1⤵
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4796
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable profile=all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4948
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set opmode mode=disable profile=all
        3⤵
        • Modifies Windows Firewall
        PID:1420
    • C:\Users\Admin\AppData\Roaming\win32Runtime.exe
      "C:\Users\Admin\AppData\Roaming\win32Runtime.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3724
      • C:\Users\Admin\AppData\Roaming\rundlll.exe
        "C:\Users\Admin\AppData\Roaming\rundlll.exe"
        3⤵
        • Executes dropped EXE
        PID:3916
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable profile=all
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3684
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall set opmode mode=disable profile=all
          4⤵
          • Modifies Windows Firewall
          PID:3588
    • C:\Users\Admin\AppData\Roaming\rundlll.exe
      "C:\Users\Admin\AppData\Roaming\rundlll.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3184
    • C:\Users\Admin\AppData\Roaming\AvProtector.exe
      "C:\Users\Admin\AppData\Roaming\AvProtector.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1520
    • C:\Users\Admin\AppData\Roaming\scvhost.exe
      "C:\Users\Admin\AppData\Roaming\scvhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3156

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\AvProtector.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AvProtector.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit

  • C:\Users\Admin\AppData\Roaming\rundlll.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit

  • C:\Users\Admin\AppData\Roaming\rundlll.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit

  • C:\Users\Admin\AppData\Roaming\rundlll.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit

  • C:\Users\Admin\AppData\Roaming\scvhost.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit

  • C:\Users\Admin\AppData\Roaming\scvhost.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit

  • C:\Users\Admin\AppData\Roaming\win32Runtime.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit

  • C:\Users\Admin\AppData\Roaming\win32Runtime.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit