Overview

overview

10

Static

static

8

6c1924802d...94.exe

windows7-x64

10

6c1924802d...94.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c1924802d07dd44e7cc174fed2eaf8772eeef6ff559858e0b16ac02f5211f94.exe

  • Size

    1.2MB

  • MD5

    5dd8c30bc07c101fe8d172a8ef56b9a6

  • SHA1

    7b7cb85e277ab2cb46f28d36669ece099469af98

  • SHA256

    6c1924802d07dd44e7cc174fed2eaf8772eeef6ff559858e0b16ac02f5211f94

  • SHA512

    1c2fb9ef51b4f5488c2dfb22da1a8fc19c45feb17e45976d9ece440aafc8dcc81ebcf5a302eea0d497a45e51dcdc6cc9865475d3627d3450fae6062e122e28ec

  • SSDEEP

    1536:+EfFNvtgmAl7z5dKY6yuJPW8K43w9NXOM1aRl/i6JWT0S9yXnBibnouy8gHn2JX:+YLmGO4W849NXO9RlK6gOxiDouto2N

Score
10/10
evasiontrojanupx

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 15 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c1924802d07dd44e7cc174fed2eaf8772eeef6ff559858e0b16ac02f5211f94.exe
    "C:\Users\Admin\AppData\Local\Temp\6c1924802d07dd44e7cc174fed2eaf8772eeef6ff559858e0b16ac02f5211f94.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:896
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • UAC bypass
        • Windows security bypass
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Windows security modification
        • Checks whether UAC is enabled
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2
T1031

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Modify Registry

7
T1112

Bypass User Account Control

1
T1088

Disabling Security Tools

3
T1089

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    2KB

    MD5

    8cd381eca2d5342e36b1e65a9b7f82d5

    SHA1

    d9b529576e1ea26e8daf88fcda26b7a0069da217

    SHA256

    17ff373fb2deb3ef3931ae098202097211226848ea6c581ceb9514e7a6e49369

    SHA512

    c888bcac5413df3eac3b068d37c866362d37915f1a25508743d818f79ce5b0518fe7ec7a4ff29be51d2404eb5f999b5d2238e60a8670375b82a8a96566101154

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    1KB

    MD5

    8641ac0a62e1e72023be75ceed4638a9

    SHA1

    a347dbd79e99d81cdd6ec77783008fec9f7e7d42

    SHA256

    d291f90a287f0bf8702208bab880ef95c5b2bd22a2c21762e828a707a004da2c

    SHA512

    9a12e4baf2ca8bc5c4ca5a8606a9200241da8fb413e50ef6c0b6b4597c25a2636915bd9dfd7e9a97e0f58a15859629bad9222188dccdaf4efdbb8e14884d0ffe

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F
    Filesize

    472B

    MD5

    176c5bdeeb799ec212e8b21126aa58d5

    SHA1

    02c76719828821643ec84cfe61ecb4499838021c

    SHA256

    eaa1c4ffce046f2951b93258d2c8c396da596a86c40cb3954ea8ceb4b13aa842

    SHA512

    a8fcd3787e674c37c70bce3a3cb0cdf832c03483d01a29887183ca8345d632f0bb75509586b07218e9c4d06c5d1a413dc26374270789b147446d54cf0303f3ed

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    488B

    MD5

    c11e7a53177ce13df4c7c648d698951d

    SHA1

    ae714a4b4211b7cebef4596f1bc14a589400331a

    SHA256

    26e56b00f1287178b4eccb10f2e8c58c9198a280fff926393a9ef6554ca604df

    SHA512

    049643b2838ef601ac642417cfeb86d911f7a8c75e75b1ef34e0896d4b44b369ae3d6768c854211f9d62b42489c3e595f6ab5c4d0fed6d64a9ab5becf43b818d

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    482B

    MD5

    3118222a131f034a6cdfa2c287e70535

    SHA1

    91cc98e2b51a8aa6b7ee3dae852f8a68756c4d80

    SHA256

    3694036d119bfbddb934875e6b135b64fb5722f900d74aacb2825563fd472edf

    SHA512

    35980f493700ec72fec64ea471b4e758833138c79bc2f5d733c6e232be48e3ae30bca49a8717049eaf708a6b199269ce33fcc6fbf7bbdd70c2bc1bf8782bc545

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F
    Filesize

    480B

    MD5

    67969e031a3bf062e3e3e872c977bd6a

    SHA1

    8ea4ed17be5cfbc47f37c174645bceb13404e143

    SHA256

    45afed9ca1c70030a1902b1cc799336632cc8e1fdb159e5c9724d9523c4d7826

    SHA512

    565b9f16d3c9775cf9c92a477f0ffef38c8443ab5f493f571fba8a713658de676dbfbc6e377827262730174f9b6ec92b05a2b80f019955084daeeebb63f60100

    Download Submit
  • C:\Users\Admin\E696D64614\winlogon.exe
    Filesize

    1.2MB

    MD5

    5dd8c30bc07c101fe8d172a8ef56b9a6

    SHA1

    7b7cb85e277ab2cb46f28d36669ece099469af98

    SHA256

    6c1924802d07dd44e7cc174fed2eaf8772eeef6ff559858e0b16ac02f5211f94

    SHA512

    1c2fb9ef51b4f5488c2dfb22da1a8fc19c45feb17e45976d9ece440aafc8dcc81ebcf5a302eea0d497a45e51dcdc6cc9865475d3627d3450fae6062e122e28ec

    Download Submit
  • C:\Users\Admin\E696D64614\winlogon.exe
    Filesize

    1.2MB

    MD5

    5dd8c30bc07c101fe8d172a8ef56b9a6

    SHA1

    7b7cb85e277ab2cb46f28d36669ece099469af98

    SHA256

    6c1924802d07dd44e7cc174fed2eaf8772eeef6ff559858e0b16ac02f5211f94

    SHA512

    1c2fb9ef51b4f5488c2dfb22da1a8fc19c45feb17e45976d9ece440aafc8dcc81ebcf5a302eea0d497a45e51dcdc6cc9865475d3627d3450fae6062e122e28ec

    Download Submit
  • C:\Users\Admin\E696D64614\winlogon.exe
    Filesize

    1.2MB

    MD5

    5dd8c30bc07c101fe8d172a8ef56b9a6

    SHA1

    7b7cb85e277ab2cb46f28d36669ece099469af98

    SHA256

    6c1924802d07dd44e7cc174fed2eaf8772eeef6ff559858e0b16ac02f5211f94

    SHA512

    1c2fb9ef51b4f5488c2dfb22da1a8fc19c45feb17e45976d9ece440aafc8dcc81ebcf5a302eea0d497a45e51dcdc6cc9865475d3627d3450fae6062e122e28ec

    Download Submit
  • memory/896-141-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize

    284KB

    Download
  • memory/896-135-0x0000000000000000-mapping.dmp
    Download
  • memory/1568-132-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize

    284KB

    Download
  • memory/1568-138-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize

    284KB

    Download
  • memory/1724-146-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1724-147-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1724-150-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1724-143-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1724-142-0x0000000000000000-mapping.dmp
    Download