Overview

overview

10

Static

static

83f71770cf...25.exe

windows7-x64

10

83f71770cf...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    175s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 16:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe

  • Size

    120KB

  • MD5

    d550edee505e87d20bb5dcabc50812e4

  • SHA1

    ea302cf5482451c2e6f77e89f96032dc39203ca6

  • SHA256

    83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25

  • SHA512

    cec2198e4d4d47c503f9670047dd207e76ee6b48b9046230c569457dd04d92183b93cc7d0e710590faa38b9824e7f9ef9c2007abd4745d22b34326e24764a168

  • SSDEEP

    3072:ImjvpwkOIm1m1m1m1m1m1mP4p4YROPCM4msWHGm0H9p8yqa9uIe5AV5L1m1m1m1V:BAzkzm0YnRPI55

Score
10/10
evasiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
    "C:\Users\Admin\AppData\Local\Temp\83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Users\Admin\AppData\Local\Temp\83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
      "C:\Users\Admin\AppData\Local\Temp\83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Loads dropped DLL
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:460
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        C:\Users\Admin\AppData\Roaming\svchost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          C:\Users\Admin\AppData\Roaming\svchost.exe
          4⤵
          • UAC bypass
          • Windows security bypass
          • Executes dropped EXE
          • Drops startup file
          • Windows security modification
          • Checks whether UAC is enabled
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:1304
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\Melt.bat
        3⤵
          PID:1696

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Bypass User Account Control

    1
    T1088

    Defense Evasion

    Bypass User Account Control

    1
    T1088

    Disabling Security Tools

    3
    T1089

    Modify Registry

    4
    T1112

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Melt.bat
      Filesize

      179B

      MD5

      5a784d526aabdcc2b9a6638deb81712b

      SHA1

      d2aecaf1489f519b779bc65a46e7ab6e9423b221

      SHA256

      52385805cb3e5c65dbc388ef15a6facc59f23ed36cb25806c4c615b7511c8873

      SHA512

      8112ab517f00f7d8bfc597ca23829f11163ab6b53c3b443a17401a3048d17fbc0f74e291886013ec37cce02235d9d8d83ea6f00c1920fadc031aef54e82b0a7e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      120KB

      MD5

      d550edee505e87d20bb5dcabc50812e4

      SHA1

      ea302cf5482451c2e6f77e89f96032dc39203ca6

      SHA256

      83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25

      SHA512

      cec2198e4d4d47c503f9670047dd207e76ee6b48b9046230c569457dd04d92183b93cc7d0e710590faa38b9824e7f9ef9c2007abd4745d22b34326e24764a168

      Download Submit
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      120KB

      MD5

      d550edee505e87d20bb5dcabc50812e4

      SHA1

      ea302cf5482451c2e6f77e89f96032dc39203ca6

      SHA256

      83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25

      SHA512

      cec2198e4d4d47c503f9670047dd207e76ee6b48b9046230c569457dd04d92183b93cc7d0e710590faa38b9824e7f9ef9c2007abd4745d22b34326e24764a168

      Download Submit
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      120KB

      MD5

      d550edee505e87d20bb5dcabc50812e4

      SHA1

      ea302cf5482451c2e6f77e89f96032dc39203ca6

      SHA256

      83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25

      SHA512

      cec2198e4d4d47c503f9670047dd207e76ee6b48b9046230c569457dd04d92183b93cc7d0e710590faa38b9824e7f9ef9c2007abd4745d22b34326e24764a168

      Download Submit
    • \Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      120KB

      MD5

      d550edee505e87d20bb5dcabc50812e4

      SHA1

      ea302cf5482451c2e6f77e89f96032dc39203ca6

      SHA256

      83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25

      SHA512

      cec2198e4d4d47c503f9670047dd207e76ee6b48b9046230c569457dd04d92183b93cc7d0e710590faa38b9824e7f9ef9c2007abd4745d22b34326e24764a168

      Download Submit
    • \Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      120KB

      MD5

      d550edee505e87d20bb5dcabc50812e4

      SHA1

      ea302cf5482451c2e6f77e89f96032dc39203ca6

      SHA256

      83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25

      SHA512

      cec2198e4d4d47c503f9670047dd207e76ee6b48b9046230c569457dd04d92183b93cc7d0e710590faa38b9824e7f9ef9c2007abd4745d22b34326e24764a168

      Download Submit
    • memory/268-69-0x0000000000000000-mapping.dmp
      Download
    • memory/460-65-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/460-62-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/460-60-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/460-57-0x0000000000000000-mapping.dmp
      Download
    • memory/460-84-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1132-56-0x00000000761E1000-0x00000000761E3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1132-58-0x0000000000260000-0x0000000000266000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1304-75-0x0000000000000000-mapping.dmp
      Download
    • memory/1304-86-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1696-81-0x0000000000000000-mapping.dmp
      Download