Overview

overview

10

Static

static

bd73c4c13e...d3.exe

windows7-x64

10

bd73c4c13e...d3.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    123s
  • max time network
    103s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06/11/2022, 04:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bd73c4c13ebc824c10c9d1aa4a6bb377093b484ddafcf09a47ec0b89ef8f45d3.exe

  • Size

    31KB

  • MD5

    09bc1d1496d8b9f95c980449c7b47dd2

  • SHA1

    7e7d0974c77d2f86e0d3e4e2888780c7b5d6ee59

  • SHA256

    bd73c4c13ebc824c10c9d1aa4a6bb377093b484ddafcf09a47ec0b89ef8f45d3

  • SHA512

    27139faff2e9226a46e7fedbd087fe6d77fa657ce7f8aa870468923436558f9bdad958e35f9319b0a315b0af84e67f49f856ab1920ede9132fbb1da5738b1efe

  • SSDEEP

    768:wL/tTpH9fr5+/yJoVOMTaj7GJDHUlIr5mdnbcuyD7UIuZ:6t59fr+gljqHUyFgnouy8DZ

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Stops running service(s) 3 TTPs
    evasion
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd73c4c13ebc824c10c9d1aa4a6bb377093b484ddafcf09a47ec0b89ef8f45d3.exe
    "C:\Users\Admin\AppData\Local\Temp\bd73c4c13ebc824c10c9d1aa4a6bb377093b484ddafcf09a47ec0b89ef8f45d3.exe"
    1⤵
    • UAC bypass
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1648
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c sc stop policyagent
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Windows\SysWOW64\sc.exe
        sc stop policyagent
        3⤵
        • Launches sc.exe
        PID:1984

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\7105283.DEP
    Filesize

    12.1MB

    MD5

    3531c067617b03c2de4e736fe75d9dd3

    SHA1

    c6454192d9c21e2920336e1b64a5075f200932e5

    SHA256

    617a06e1129b74951815bb0e48842d69726b46a5d4a7b1cc4dd96bdf0f534a43

    SHA512

    e0da5e95d70208852037db1357fdce1bbd7c509c400a0100e0b20a3367b6d7b3a2ba82cd3e60643c93985f1580e438c84f5986bfa0990aba11c4530aaf423c5b

    Download Submit

  • memory/1648-54-0x0000000076121000-0x0000000076123000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1648-55-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1648-56-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download