Overview

overview

10

Static

static

8

596d29b856...a2.exe

windows7-x64

10

596d29b856...a2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    184s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 05:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    596d29b8563a1382954a5f845fe17e324b940e5a02d2f3d4c3d9782b8561d0a2.exe

  • Size

    1.7MB

  • MD5

    4067b8f337c4b4e2f859894e2d353a6e

  • SHA1

    bb5f53cdf274ebb0c38dd6fa6ec53c6731dfffde

  • SHA256

    596d29b8563a1382954a5f845fe17e324b940e5a02d2f3d4c3d9782b8561d0a2

  • SHA512

    5444291420309b8a65d14b6f434f92acee8c038b55898b2a0c5383b5b26a88d6e377c05e6079c7b74fb84bd237889cc56bd98c0ceb44698a38f974a875d458b6

  • SSDEEP

    49152:tTu0LSVHASxN9aD7sOP93ZPaZRNsa95ZN5T:ty0mVgSxa872av9

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in Program Files directory 21 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\596d29b8563a1382954a5f845fe17e324b940e5a02d2f3d4c3d9782b8561d0a2.exe
    "C:\Users\Admin\AppData\Local\Temp\596d29b8563a1382954a5f845fe17e324b940e5a02d2f3d4c3d9782b8561d0a2.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Identifies Wine through registry keys
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:388
    • C:\Users\Admin\AppData\Local\Temp\Winlogon.exe
      C:\Users\Admin\AppData\Local\Temp\Winlogon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies security service
      • UAC bypass
      • Windows security bypass
      • Adds policy Run key to start application
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3256
      • C:\Windows\SysWOW64\reg.exe
        reg add hkcu\software\microsoft\windows\currentversion\policies\system /v disableregistrytools /t reg_dword /d "1" /f
        3⤵
        • Disables RegEdit via registry modification
        • Modifies registry key
        PID:3876
      • C:\Windows\SysWOW64\sc.exe
        sc stop SharedAccess
        3⤵
        • Launches sc.exe
        PID:2108
      • C:\Windows\SysWOW64\net.exe
        net stop wscsvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:856
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop wscsvc
          4⤵
            PID:4432
      • C:\Users\Admin\AppData\Local\Temp\41125.exe
        C:\Users\Admin\AppData\Local\Temp\41125.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5100
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msiinst.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msiinst.exe /i instmsi.msi MSIEXECREG=1 /m /qb+!
          3⤵
          • Executes dropped EXE
          PID:4572

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\41125.exe
      Filesize

      1.6MB

      MD5

      43f7305c2e5dd4a8f3c5abeb2ffe4833

      SHA1

      03bda624ab7f0d7cb9ada41a960c35c0152f98fd

      SHA256

      267304efcc831e35927c1f25d610d36fb64121d108a6f4ff0168c53df01e2b16

      SHA512

      e24072f1b5b102fbd52126396854463ff07d8d0efce1d922ed99acd0369cff163e415abc1faeaf559ef7898e5f82945db544a0f425db0db42696282d0acd7c7c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\41125.exe
      Filesize

      1.6MB

      MD5

      43f7305c2e5dd4a8f3c5abeb2ffe4833

      SHA1

      03bda624ab7f0d7cb9ada41a960c35c0152f98fd

      SHA256

      267304efcc831e35927c1f25d610d36fb64121d108a6f4ff0168c53df01e2b16

      SHA512

      e24072f1b5b102fbd52126396854463ff07d8d0efce1d922ed99acd0369cff163e415abc1faeaf559ef7898e5f82945db544a0f425db0db42696282d0acd7c7c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msiinst.exe
      Filesize

      36KB

      MD5

      5e9189e28544286137eb313100835892

      SHA1

      a8ae60ab85015e70a2cdf171919b3296b5b831d1

      SHA256

      a68d8931dc6ddf89cd36374f1fa5a01aaca3fb4694610cd9ef1ff62d53332515

      SHA512

      11eb6914b78738517b483ad21bc0282c78580b5bf7f9c9abc6570fedb5d82775cda2cb629c7c37e636937637103cb19d282b6e3175bfc1edf6e0484f1810b52c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msiinst.exe
      Filesize

      36KB

      MD5

      5e9189e28544286137eb313100835892

      SHA1

      a8ae60ab85015e70a2cdf171919b3296b5b831d1

      SHA256

      a68d8931dc6ddf89cd36374f1fa5a01aaca3fb4694610cd9ef1ff62d53332515

      SHA512

      11eb6914b78738517b483ad21bc0282c78580b5bf7f9c9abc6570fedb5d82775cda2cb629c7c37e636937637103cb19d282b6e3175bfc1edf6e0484f1810b52c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Winlogon.exe
      Filesize

      1.7MB

      MD5

      4067b8f337c4b4e2f859894e2d353a6e

      SHA1

      bb5f53cdf274ebb0c38dd6fa6ec53c6731dfffde

      SHA256

      596d29b8563a1382954a5f845fe17e324b940e5a02d2f3d4c3d9782b8561d0a2

      SHA512

      5444291420309b8a65d14b6f434f92acee8c038b55898b2a0c5383b5b26a88d6e377c05e6079c7b74fb84bd237889cc56bd98c0ceb44698a38f974a875d458b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Winlogon.exe
      Filesize

      1.7MB

      MD5

      4067b8f337c4b4e2f859894e2d353a6e

      SHA1

      bb5f53cdf274ebb0c38dd6fa6ec53c6731dfffde

      SHA256

      596d29b8563a1382954a5f845fe17e324b940e5a02d2f3d4c3d9782b8561d0a2

      SHA512

      5444291420309b8a65d14b6f434f92acee8c038b55898b2a0c5383b5b26a88d6e377c05e6079c7b74fb84bd237889cc56bd98c0ceb44698a38f974a875d458b6

      Download Submit

    • memory/388-132-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

      Download

    • memory/388-150-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

      Download

    • memory/388-146-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

      Download

    • memory/856-143-0x0000000000000000-mapping.dmp

      Download

    • memory/2108-142-0x0000000000000000-mapping.dmp

      Download

    • memory/3256-140-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

      Download

    • memory/3256-145-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

      Download

    • memory/3256-135-0x0000000000000000-mapping.dmp

      Download

    • memory/3876-141-0x0000000000000000-mapping.dmp

      Download

    • memory/4432-144-0x0000000000000000-mapping.dmp

      Download

    • memory/4572-151-0x0000000000000000-mapping.dmp

      Download

    • memory/5100-147-0x0000000000000000-mapping.dmp

      Download