Overview

overview

10

Static

static

9ca4b65460...c2.exe

windows7-x64

10

9ca4b65460...c2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 05:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9ca4b654603c6266e60733e0e8d48923030a4d88bf868ec834056d3364f45cc2.exe

  • Size

    632KB

  • MD5

    bf099968fc7ce73ffdff783af36363c0

  • SHA1

    4c8904a19495aad27409474d4062b8a5a343e3a3

  • SHA256

    9ca4b654603c6266e60733e0e8d48923030a4d88bf868ec834056d3364f45cc2

  • SHA512

    d42d4c9c3a67fcf2c645a7121cf7c55a077024e25182013f90a826949f8ccf30f52f7526d4d8bfd49d2b194aa8914cb2d9492f6f7cb9ff4fa8c2fb0f317a205d

  • SSDEEP

    6144://na4LMTT71lbyD+SEykUKSSZNQkqp6wlfpIzQE3HH4Y5cm/9pBWF2fiiO7zM/iy:3naSMTT71MKSErYwwgzHHYdTiO8/Ui

Score
10/10
evasiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables taskbar notifications via registry modification
    evasion
  • Windows security modification 2 TTPs 8 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Program crash 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ca4b654603c6266e60733e0e8d48923030a4d88bf868ec834056d3364f45cc2.exe
    "C:\Users\Admin\AppData\Local\Temp\9ca4b654603c6266e60733e0e8d48923030a4d88bf868ec834056d3364f45cc2.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • System policy modification
    PID:2008
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 536
      2⤵
      • Program crash
      PID:1648
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 540
      2⤵
      • Program crash
      PID:2768
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 716
      2⤵
      • Program crash
      PID:2856
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 740
      2⤵
      • Program crash
      PID:2352
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 788
      2⤵
      • Program crash
      PID:3708
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 796
      2⤵
      • Program crash
      PID:1088
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 820
      2⤵
      • Program crash
      PID:3200
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 736
      2⤵
      • Program crash
      PID:3756
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 740
      2⤵
      • Program crash
      PID:456
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2008 -ip 2008
    1⤵
      PID:384
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2008 -ip 2008
      1⤵
        PID:628
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2008 -ip 2008
        1⤵
          PID:3448
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2008 -ip 2008
          1⤵
            PID:1784
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2008 -ip 2008
            1⤵
              PID:1552
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2008 -ip 2008
              1⤵
                PID:4752
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2008 -ip 2008
                1⤵
                  PID:2096
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2008 -ip 2008
                  1⤵
                    PID:5072
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2008 -ip 2008
                    1⤵
                      PID:4724

                    Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • memory/2008-132-0x0000000000400000-0x00000000007A3000-memory.dmp

                            Filesize

                            3.6MB

                            Download

                          • memory/2008-133-0x0000000000400000-0x00000000007A3000-memory.dmp

                            Filesize

                            3.6MB

                            Download

                          • memory/2008-134-0x0000000000820000-0x0000000000823000-memory.dmp

                            Filesize

                            12KB

                            Download