Overview

overview

10

Static

static

4535c55b04...05.exe

windows7-x64

10

4535c55b04...05.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    85s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2022 12:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4535c55b04c4cc54aa20efabde0a8ea30cd0a7cac26bd135a91c7ea5b0e67b05.exe

  • Size

    24KB

  • MD5

    fbe611568802d7dec36577c9a214f059

  • SHA1

    7a7a2e1eaf7a88987fb0cc3028f38a4b34b1cfed

  • SHA256

    4535c55b04c4cc54aa20efabde0a8ea30cd0a7cac26bd135a91c7ea5b0e67b05

  • SHA512

    67f202940139c7378fb6528ff822bc118000bdbd9ac334b488bc1fe5c5853744621054d70d1fd71cde6e53e516147dafd98874bb8df06a385d4a5b9eec3568e1

  • SSDEEP

    192:8FES6pYk/gvPNJv+mv+kAUoynYlLvJpNNwD1iT9fF73At4OWQ9r:8v73NvViTuWQl

Score
10/10
evasiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\4535c55b04c4cc54aa20efabde0a8ea30cd0a7cac26bd135a91c7ea5b0e67b05.exe
    "C:\Users\Admin\AppData\Local\Temp\4535c55b04c4cc54aa20efabde0a8ea30cd0a7cac26bd135a91c7ea5b0e67b05.exe"
    1⤵
    • UAC bypass
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:924
    • C:\Users\Public\Documents\k4.exe
      C:/Users/Public/Documents/k4.exe
      2⤵
      • Executes dropped EXE
      PID:3396
    • C:\Users\Public\Documents\k4.exe
      C:/Users/Public/Documents/k4.exe /D
      2⤵
      • Executes dropped EXE
      PID:1772
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /t /im k4.exe
      2⤵
        PID:1736
    • C:\Users\Admin\AppData\Local\Temp\4535c55b04c4cc54aa20efabde0a8ea30cd0a7cac26bd135a91c7ea5b0e67b05.exe
      "C:\Users\Admin\AppData\Local\Temp\4535c55b04c4cc54aa20efabde0a8ea30cd0a7cac26bd135a91c7ea5b0e67b05.exe"
      1⤵
      • UAC bypass
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:924
      • C:\Users\Public\Documents\k4.exe
        C:/Users/Public/Documents/k4.exe
        2⤵
        • Executes dropped EXE
        PID:3396
      • C:\Users\Public\Documents\k4.exe
        C:/Users/Public/Documents/k4.exe /D
        2⤵
        • Executes dropped EXE
        PID:1772
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /t /im k4.exe
        2⤵
          PID:1736

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Bypass User Account Control

      1
      T1088

      Defense Evasion

      Bypass User Account Control

      1
      T1088

      Disabling Security Tools

      1
      T1089

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Public\Documents\Class.dll
        Filesize

        807KB

        MD5

        f3bf8a2c44b6c3972850fbd2d60f8232

        SHA1

        68444b679690b0e5f85f2316d9a046cdae937631

        SHA256

        d710beb7c790e9a9e2b9dae90d9b449a37bccc082144657f96ffe71f2a38a81c

        SHA512

        1c0cb644684a1b9d8de60af42ef9441d82925f24e627cdc73828589fc57d9d2f482685722e692531eda2a11f8d583ddad47edea903a5759b378030fbc7497538

        Download Submit
      • C:\Users\Public\Documents\Class.dll
        Filesize

        807KB

        MD5

        f3bf8a2c44b6c3972850fbd2d60f8232

        SHA1

        68444b679690b0e5f85f2316d9a046cdae937631

        SHA256

        d710beb7c790e9a9e2b9dae90d9b449a37bccc082144657f96ffe71f2a38a81c

        SHA512

        1c0cb644684a1b9d8de60af42ef9441d82925f24e627cdc73828589fc57d9d2f482685722e692531eda2a11f8d583ddad47edea903a5759b378030fbc7497538

        Download Submit
      • C:\Users\Public\Documents\k4.exe
        Filesize

        892KB

        MD5

        33e29221e2825001d32f78632217d250

        SHA1

        9122127fc91790a1edb78003e9b58a9b00355ed5

        SHA256

        65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

        SHA512

        01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

        Download Submit
      • C:\Users\Public\Documents\k4.exe
        Filesize

        892KB

        MD5

        33e29221e2825001d32f78632217d250

        SHA1

        9122127fc91790a1edb78003e9b58a9b00355ed5

        SHA256

        65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

        SHA512

        01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

        Download Submit
      • C:\Users\Public\Documents\k4.exe
        Filesize

        892KB

        MD5

        33e29221e2825001d32f78632217d250

        SHA1

        9122127fc91790a1edb78003e9b58a9b00355ed5

        SHA256

        65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

        SHA512

        01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

        Download Submit
      • C:\Users\Public\Documents\k4.exe
        Filesize

        892KB

        MD5

        33e29221e2825001d32f78632217d250

        SHA1

        9122127fc91790a1edb78003e9b58a9b00355ed5

        SHA256

        65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

        SHA512

        01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

        Download Submit
      • C:\Users\Public\Documents\k4.exe
        Filesize

        892KB

        MD5

        33e29221e2825001d32f78632217d250

        SHA1

        9122127fc91790a1edb78003e9b58a9b00355ed5

        SHA256

        65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

        SHA512

        01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

        Download Submit
      • C:\Users\Public\Documents\k4.exe
        Filesize

        892KB

        MD5

        33e29221e2825001d32f78632217d250

        SHA1

        9122127fc91790a1edb78003e9b58a9b00355ed5

        SHA256

        65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

        SHA512

        01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

        Download Submit
      • memory/924-1483-0x00000000034C0000-0x00000000035C0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/924-1483-0x00000000034C0000-0x00000000035C0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/924-1482-0x0000000010000000-0x00000000100CE000-memory.dmp
        Filesize

        824KB

        Download
      • memory/924-133-0x0000000010000000-0x00000000100CE000-memory.dmp
        Filesize

        824KB

        Download
      • memory/924-138-0x0000000075E50000-0x0000000075ECA000-memory.dmp
        Filesize

        488KB

        Download
      • memory/924-134-0x0000000077260000-0x0000000077403000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/924-137-0x0000000076FE0000-0x0000000077180000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/924-133-0x0000000010000000-0x00000000100CE000-memory.dmp
        Filesize

        824KB

        Download
      • memory/924-134-0x0000000077260000-0x0000000077403000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/924-135-0x0000000075290000-0x00000000754A5000-memory.dmp
        Filesize

        2.1MB

        Download
      • memory/924-137-0x0000000076FE0000-0x0000000077180000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/924-138-0x0000000075E50000-0x0000000075ECA000-memory.dmp
        Filesize

        488KB

        Download
      • memory/924-1482-0x0000000010000000-0x00000000100CE000-memory.dmp
        Filesize

        824KB

        Download
      • memory/924-135-0x0000000075290000-0x00000000754A5000-memory.dmp
        Filesize

        2.1MB

        Download
      • memory/1736-1489-0x0000000000000000-mapping.dmp
        Download
      • memory/1736-1489-0x0000000000000000-mapping.dmp
        Download
      • memory/1772-1487-0x0000000000000000-mapping.dmp
        Download
      • memory/1772-1487-0x0000000000000000-mapping.dmp
        Download
      • memory/3396-1484-0x0000000000000000-mapping.dmp
        Download
      • memory/3396-1484-0x0000000000000000-mapping.dmp
        Download