Overview

overview

10

Static

static

PPPPPPPPPPPPPPP.exe

windows7-x64

10

PPPPPPPPPPPPPPP.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    8s
  • max time network
    300s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-11-2022 00:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PPPPPPPPPPPPPPP.exe

  • Size

    60KB

  • MD5

    94406fab156e3ed962899d6a473683c5

  • SHA1

    08ef787ee7264e87abdb1933102ae94a8056a587

  • SHA256

    422c3df285fbd86303eb0448583550d7584a330095c60ada442cb1beb97cf670

  • SHA512

    c5ae7834d4722e7ca702258203f718a00403d76455cfe5e75743f116a4bd0c37ec33dcf89c6f779e8247519ae65e12523fe6bc7aede28a360fbf4687e1b2bba2

  • SSDEEP

    768:DlH3iOcmCQkUF7Q3n8Q37RGC5fBPcKX0hT6tUTNtg3333rIX72s2H3eI2:DlHyOcmCD27c8oN5JPcQQhg3333rdX9

Score
10/10
evasiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\PPPPPPPPPPPPPPP.exe
    "C:\Users\Admin\AppData\Local\Temp\PPPPPPPPPPPPPPP.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4984
    • C:\Users\Public\Documents\k4.exe
      C:/Users/Public/Documents/k4.exe
      2⤵
      • Executes dropped EXE
      PID:1264
    • C:\Users\Public\Documents\k4.exe
      C:/Users/Public/Documents/k4.exe /D
      2⤵
      • Executes dropped EXE
      PID:3312
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /t /im k4.exe
      2⤵
        PID:3052
    • C:\Users\Admin\AppData\Local\Temp\PPPPPPPPPPPPPPP.exe
      "C:\Users\Admin\AppData\Local\Temp\PPPPPPPPPPPPPPP.exe"
      1⤵
      • UAC bypass
      • Checks whether UAC is enabled
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4984
      • C:\Users\Public\Documents\k4.exe
        C:/Users/Public/Documents/k4.exe
        2⤵
        • Executes dropped EXE
        PID:1264
      • C:\Users\Public\Documents\k4.exe
        C:/Users/Public/Documents/k4.exe /D
        2⤵
        • Executes dropped EXE
        PID:3312
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /t /im k4.exe
        2⤵
          PID:3052

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Bypass User Account Control

      1
      T1088

      Defense Evasion

      Bypass User Account Control

      1
      T1088

      Disabling Security Tools

      1
      T1089

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Public\Documents\k4.exe
        Filesize

        892KB

        MD5

        33e29221e2825001d32f78632217d250

        SHA1

        9122127fc91790a1edb78003e9b58a9b00355ed5

        SHA256

        65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

        SHA512

        01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

        Download Submit
      • C:\Users\Public\Documents\k4.exe
        Filesize

        892KB

        MD5

        33e29221e2825001d32f78632217d250

        SHA1

        9122127fc91790a1edb78003e9b58a9b00355ed5

        SHA256

        65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

        SHA512

        01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

        Download Submit
      • C:\Users\Public\Documents\k4.exe
        Filesize

        892KB

        MD5

        33e29221e2825001d32f78632217d250

        SHA1

        9122127fc91790a1edb78003e9b58a9b00355ed5

        SHA256

        65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

        SHA512

        01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

        Download Submit
      • C:\Users\Public\Documents\k4.exe
        Filesize

        892KB

        MD5

        33e29221e2825001d32f78632217d250

        SHA1

        9122127fc91790a1edb78003e9b58a9b00355ed5

        SHA256

        65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

        SHA512

        01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

        Download Submit
      • C:\Users\Public\Documents\k4.exe
        Filesize

        892KB

        MD5

        33e29221e2825001d32f78632217d250

        SHA1

        9122127fc91790a1edb78003e9b58a9b00355ed5

        SHA256

        65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

        SHA512

        01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

        Download Submit
      • C:\Users\Public\Documents\k4.exe
        Filesize

        892KB

        MD5

        33e29221e2825001d32f78632217d250

        SHA1

        9122127fc91790a1edb78003e9b58a9b00355ed5

        SHA256

        65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

        SHA512

        01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

        Download Submit
      • memory/1264-132-0x0000000000000000-mapping.dmp
        Download
      • memory/1264-132-0x0000000000000000-mapping.dmp
        Download
      • memory/3052-137-0x0000000000000000-mapping.dmp
        Download
      • memory/3052-137-0x0000000000000000-mapping.dmp
        Download
      • memory/3312-135-0x0000000000000000-mapping.dmp
        Download
      • memory/3312-135-0x0000000000000000-mapping.dmp
        Download