Analysis

  • max time kernel
    139s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-11-2022 05:31

General

  • Target

    9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe

  • Size

    77KB

  • MD5

    80d8de34a72a246cc00b87cd0dc6f7ad

  • SHA1

    c0284a340a09b9ed97ed1a18e90f11573dc4aa6d

  • SHA256

    9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d

  • SHA512

    9a9337a8f247bbb55fc08ec6582ab3b630ed1ff0ae9c92c116a73937f4e49829dd77001c86fffa61babd6db057e035a46afe77af8ad068cf302e4f8fdbfcabf5

  • SSDEEP

    1536:osyqFgD9LMz6UQWEmug3vE/YqYdXobsFz+YsvOV4CZX5Q01W65F:oJBff3YDdXobswYsmZpQ01NF

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 36 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Unexpected DNS network traffic destination 24 IoCs

    Network traffic to servers other than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 3 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe
    "C:\Users\Admin\AppData\Local\Temp\9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\SysWOW64\ipconfig.exe
      ipconfig.exe
      2⤵
      • Gathers network information
      PID:4632
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\system32\usbinckey.dll,DelInterface C:\Users\Admin\AppData\Local\Temp\9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe
      2⤵
      • Loads dropped DLL
      PID:4928
  • C:\Windows\SysWOW64\cardctrl.exe
    C:\Windows\SysWOW64\cardctrl.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3868
    • C:\Windows\SysWOW64\ipconfig.exe
      ipconfig.exe
      2⤵
      • Gathers network information
      PID:4308
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\system32\usbinckey.dll,GetInterface
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:876

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\cardctrl.exe

    Filesize

    77KB

    MD5

    80d8de34a72a246cc00b87cd0dc6f7ad

    SHA1

    c0284a340a09b9ed97ed1a18e90f11573dc4aa6d

    SHA256

    9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d

    SHA512

    9a9337a8f247bbb55fc08ec6582ab3b630ed1ff0ae9c92c116a73937f4e49829dd77001c86fffa61babd6db057e035a46afe77af8ad068cf302e4f8fdbfcabf5

  • C:\Windows\SysWOW64\usbinckey.dll

    Filesize

    43KB

    MD5

    7ab16973c0e72adda99fa094434913ff

    SHA1

    75c02a9da9e4b3175d53c9baaecb191174f4412c

    SHA256

    1e678ec3145b862b163c2661980302a661a46e247c1efd921ad34855c1ef39b3

    SHA512

    48c558d1e788f6f8ce0b6695bdb8c9c971c7966db992efa7346194d9f221475d5ea9a96b08171c7e4fe5d91753c01f80bd5692b141ce76affa3e41d5328ad651

  • memory/876-136-0x0000000000000000-mapping.dmp

  • memory/876-143-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/2492-139-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/3868-137-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/4308-135-0x0000000000000000-mapping.dmp

  • memory/4632-132-0x0000000000000000-mapping.dmp

  • memory/4928-138-0x0000000000000000-mapping.dmp