Overview

overview

10

Static

static

2086b8409e...4a.exe

windows7-x64

10

2086b8409e...4a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    9s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    15-11-2022 03:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2086b8409ea31624c1d25581d4729ad48f3cde3a3b4969f2c9b79ca6ae6c354a.exe

  • Size

    24KB

  • MD5

    046fb6d83046827da18086aa6ac523aa

  • SHA1

    945ceb168b4b5f207aa9e516584c32de29bb650c

  • SHA256

    2086b8409ea31624c1d25581d4729ad48f3cde3a3b4969f2c9b79ca6ae6c354a

  • SHA512

    3c9477c45f95b7815729d7e7ced5427e176d929d8f31f163de5b502e9189ddd5d07a88d6b3b9323a99898672587ba7b071dd8f3691690191f7a4907f26b170b3

  • SSDEEP

    192:8FES6pYk/gvPNJv+mv+kAUoynYlLvJpNNwD1iT9fF73At4EaQ9r:8v73NvViTkaQl

Score
10/10
evasiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2086b8409ea31624c1d25581d4729ad48f3cde3a3b4969f2c9b79ca6ae6c354a.exe
    "C:\Users\Admin\AppData\Local\Temp\2086b8409ea31624c1d25581d4729ad48f3cde3a3b4969f2c9b79ca6ae6c354a.exe"
    1⤵
    • UAC bypass
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1084
    • C:\Users\Public\Documents\k4.exe
      C:/Users/Public/Documents/k4.exe
      2⤵
      • Executes dropped EXE
      PID:2028
    • C:\Users\Public\Documents\k4.exe
      C:/Users/Public/Documents/k4.exe /D
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /t /im k4.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /t /im k4.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:852
  • C:\Users\Admin\AppData\Local\Temp\2086b8409ea31624c1d25581d4729ad48f3cde3a3b4969f2c9b79ca6ae6c354a.exe
    "C:\Users\Admin\AppData\Local\Temp\2086b8409ea31624c1d25581d4729ad48f3cde3a3b4969f2c9b79ca6ae6c354a.exe"
    1⤵
    • UAC bypass
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1084
    • C:\Users\Public\Documents\k4.exe
      C:/Users/Public/Documents/k4.exe
      2⤵
      • Executes dropped EXE
      PID:2028
    • C:\Users\Public\Documents\k4.exe
      C:/Users/Public/Documents/k4.exe /D
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /t /im k4.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /t /im k4.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\k4.exe
    Filesize

    892KB

    MD5

    33e29221e2825001d32f78632217d250

    SHA1

    9122127fc91790a1edb78003e9b58a9b00355ed5

    SHA256

    65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

    SHA512

    01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

    Download Submit
  • C:\Users\Public\Documents\k4.exe
    Filesize

    892KB

    MD5

    33e29221e2825001d32f78632217d250

    SHA1

    9122127fc91790a1edb78003e9b58a9b00355ed5

    SHA256

    65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

    SHA512

    01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

    Download Submit
  • C:\Users\Public\Documents\k4.exe
    Filesize

    892KB

    MD5

    33e29221e2825001d32f78632217d250

    SHA1

    9122127fc91790a1edb78003e9b58a9b00355ed5

    SHA256

    65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

    SHA512

    01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

    Download Submit
  • C:\Users\Public\Documents\k4.exe
    Filesize

    892KB

    MD5

    33e29221e2825001d32f78632217d250

    SHA1

    9122127fc91790a1edb78003e9b58a9b00355ed5

    SHA256

    65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

    SHA512

    01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

    Download Submit
  • C:\Users\Public\Documents\k4.exe
    Filesize

    892KB

    MD5

    33e29221e2825001d32f78632217d250

    SHA1

    9122127fc91790a1edb78003e9b58a9b00355ed5

    SHA256

    65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

    SHA512

    01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

    Download Submit
  • C:\Users\Public\Documents\k4.exe
    Filesize

    892KB

    MD5

    33e29221e2825001d32f78632217d250

    SHA1

    9122127fc91790a1edb78003e9b58a9b00355ed5

    SHA256

    65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

    SHA512

    01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

    Download Submit
  • \Users\Public\Documents\Class.dll
    Filesize

    47KB

    MD5

    489c64a28a4295f0927e530632af0c34

    SHA1

    7787a8a54513c590bb9ac8539229efc508cee774

    SHA256

    3bccac3eb915a400ada9ef06c9b576a330e217a5a35f8c8c87612c0273b276c6

    SHA512

    c82f242762f0bff06fc85fa4710681fee7538643da546990bca19befcd375ac03e5cf7fa4acc234bee401df4be95ac33933b0c6f6adb2868c23ac3cbe9fd806f

    Download Submit
  • \Users\Public\Documents\Class.dll
    Filesize

    47KB

    MD5

    489c64a28a4295f0927e530632af0c34

    SHA1

    7787a8a54513c590bb9ac8539229efc508cee774

    SHA256

    3bccac3eb915a400ada9ef06c9b576a330e217a5a35f8c8c87612c0273b276c6

    SHA512

    c82f242762f0bff06fc85fa4710681fee7538643da546990bca19befcd375ac03e5cf7fa4acc234bee401df4be95ac33933b0c6f6adb2868c23ac3cbe9fd806f

    Download Submit
  • \Users\Public\Documents\k4.exe
    Filesize

    892KB

    MD5

    33e29221e2825001d32f78632217d250

    SHA1

    9122127fc91790a1edb78003e9b58a9b00355ed5

    SHA256

    65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

    SHA512

    01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

    Download Submit
  • \Users\Public\Documents\k4.exe
    Filesize

    892KB

    MD5

    33e29221e2825001d32f78632217d250

    SHA1

    9122127fc91790a1edb78003e9b58a9b00355ed5

    SHA256

    65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

    SHA512

    01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

    Download Submit
  • memory/852-65-0x0000000000000000-mapping.dmp
    Download
  • memory/852-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1084-54-0x0000000074C91000-0x0000000074C93000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1084-54-0x0000000074C91000-0x0000000074C93000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1756-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1756-64-0x0000000000000000-mapping.dmp
    Download
  • memory/2028-57-0x0000000000000000-mapping.dmp
    Download
  • memory/2028-59-0x000007FEFB761000-0x000007FEFB763000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2028-59-0x000007FEFB761000-0x000007FEFB763000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2028-57-0x0000000000000000-mapping.dmp
    Download
  • memory/2036-61-0x0000000000000000-mapping.dmp
    Download
  • memory/2036-61-0x0000000000000000-mapping.dmp
    Download