d69ab6b8780792026dc20e123afbb0e8eab342cbe19b705cb2e1e03d19551986

Analysis

max time kernel
11s
max time network
10s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-06-2023 06:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

09490699.exe
Size

4.2MB
MD5

3aab057312f4f899b322f3f282eba2f3
SHA1

53907d8c91acd85e53c058562a7f61e998bd9002
SHA256

d69ab6b8780792026dc20e123afbb0e8eab342cbe19b705cb2e1e03d19551986
SHA512

fc0a9d718e0d6a7e2f03add1ec9511d38c9d13a7ed10afa974f63d7db8ff09e1a6b79f0a6e025d15a1993451d93177932fa5b6868a9f886324d71af040b128d5
SSDEEP

98304:l7uFXK3RGjr6hbrFjuj6gOzZPuGjr6hbrFjuj6gOzZP:lIK3Q36tpjuj6gYP736tpjuj6gYP

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\dcrypt.sys	dcinst.exe
File opened for modification	C:\Windows\system32\drivers\dcrypt.sys	dcinst.exe

Executes dropped EXE 2 IoCs

pid	Process
616	13.exe
1804	dcinst.exe

Loads dropped DLL 4 IoCs

pid	Process
272	cmd.exe
616	13.exe
1980	09490699.exe
1804	dcinst.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	616	13.exe
Token: 35	616	13.exe
Token: SeSecurityPrivilege	616	13.exe
Token: SeSecurityPrivilege	616	13.exe
Token: SeShutdownPrivilege	2016	shutdown.exe
Token: SeRemoteShutdownPrivilege	2016	shutdown.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1992	1052	09490699.exe	29
PID 1052 wrote to memory of 1992	1052	09490699.exe	29
PID 1052 wrote to memory of 1992	1052	09490699.exe	29
PID 1052 wrote to memory of 1992	1052	09490699.exe	29
PID 1992 wrote to memory of 2000	1992	cmd.exe	30
PID 1992 wrote to memory of 2000	1992	cmd.exe	30
PID 1992 wrote to memory of 2000	1992	cmd.exe	30
PID 1992 wrote to memory of 2000	1992	cmd.exe	30
PID 2000 wrote to memory of 904	2000	net.exe	31
PID 2000 wrote to memory of 904	2000	net.exe	31
PID 2000 wrote to memory of 904	2000	net.exe	31
PID 2000 wrote to memory of 904	2000	net.exe	31
PID 1980 wrote to memory of 272	1980	09490699.exe	33
PID 1980 wrote to memory of 272	1980	09490699.exe	33
PID 1980 wrote to memory of 272	1980	09490699.exe	33
PID 1980 wrote to memory of 272	1980	09490699.exe	33
PID 272 wrote to memory of 616	272	cmd.exe	35
PID 272 wrote to memory of 616	272	cmd.exe	35
PID 272 wrote to memory of 616	272	cmd.exe	35
PID 272 wrote to memory of 616	272	cmd.exe	35
PID 1980 wrote to memory of 752	1980	09490699.exe	36
PID 1980 wrote to memory of 752	1980	09490699.exe	36
PID 1980 wrote to memory of 752	1980	09490699.exe	36
PID 1980 wrote to memory of 752	1980	09490699.exe	36
PID 1980 wrote to memory of 1804	1980	09490699.exe	38
PID 1980 wrote to memory of 1804	1980	09490699.exe	38
PID 1980 wrote to memory of 1804	1980	09490699.exe	38
PID 1980 wrote to memory of 1804	1980	09490699.exe	38
PID 1980 wrote to memory of 2016	1980	09490699.exe	39
PID 1980 wrote to memory of 2016	1980	09490699.exe	39
PID 1980 wrote to memory of 2016	1980	09490699.exe	39
PID 1980 wrote to memory of 2016	1980	09490699.exe	39

C:\Users\Admin\AppData\Local\Temp\09490699.exe
"C:\Users\Admin\AppData\Local\Temp\09490699.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net start "Hard-to-Destroy Reptile"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\net.exe
    net start "Hard-to-Destroy Reptile"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Hard-to-Destroy Reptile"
      4⤵
      PID:904

C:\Users\Admin\AppData\Local\Temp\09490699.exe
C:\Users\Admin\AppData\Local\Temp\09490699.exe
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 13.exe x -y 50
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:272
- - C:\Disgusting\13.exe
    13.exe x -y 50
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if exist %windir%\Sysnative\drivers\dcrypt.sys (echo 1) else (echo 0)
  2⤵
  PID:752
- C:\Disgusting\dcinst.exe
  dcinst.exe -setup
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1804
- C:\Windows\SysWOW64\shutdown.exe
  shutdown -r -t 0 -f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2016

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1908

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Disgusting\13.exe

Filesize
284KB

MD5
a42b35f975d88c1370a7aff084ee57a7

SHA1
bee1408fe0b15f6f719f003e46aee5ec424cf608

SHA256
56cc9e7e3767c0cffae8161bf0ad13457487c1b422e2879b897dbd4bab115776

SHA512
b92d05515e18277db660118934e70678ee2a3bb66005bad19bb417ffaedb22a63727a5a697ca3ac0f6c48f6f5593ba45ab80f4ebdc0eaed10d80b7af04d45b23

Download Submit
C:\Disgusting\13.exe

Filesize
284KB

MD5
a42b35f975d88c1370a7aff084ee57a7

SHA1
bee1408fe0b15f6f719f003e46aee5ec424cf608

SHA256
56cc9e7e3767c0cffae8161bf0ad13457487c1b422e2879b897dbd4bab115776

SHA512
b92d05515e18277db660118934e70678ee2a3bb66005bad19bb417ffaedb22a63727a5a697ca3ac0f6c48f6f5593ba45ab80f4ebdc0eaed10d80b7af04d45b23

Download Submit
C:\Disgusting\50

Filesize
127KB

MD5
17001c4b91ccfae0d737f2d368566541

SHA1
29609a5b3e73d86000093282b0ec8ec33f027393

SHA256
11e5b46bb38e0dbed53de6bb67f777a5cb57f81f2011a14a55bd2bb25644f569

SHA512
ce16012abd13bca5610006676a41b7f090fd1dda9e538d01b05fe82feb0dd39d36f4309540b511f9ee52654af5e1c5f358bc735c01e4e6320d95639c5c910671

Download Submit
C:\Disgusting\7z.dll

Filesize
1.1MB

MD5
8915c81b1da3f8e9ac6d9cb7f9b7c105

SHA1
4f9f117eab2e75df3c2cd85bbad307d58990657d

SHA256
92f6e97c9177361ee5425826585e6e4470052a36bb4e0d0e8667e83b41652c2f

SHA512
8f4440fc3028a16f76deee8b14bab3e973bc4e66e9cefa0fb862d3c010465ae0d1d1a592b6f97d18f4fa123379d85d6c15081f67a8383eb19d96fb84771fdbb7

Download Submit
C:\Disgusting\dcapi.dll

Filesize
211KB

MD5
6299e7f901517d7167d3aff5fa66a30b

SHA1
69e4d05a36e2e925050a72d532cce0da3091bf8c

SHA256
8688ea09e4b59a50c983ff9a27ab4476ab0498c504b227c58a5afc3713bfdab2

SHA512
cf1f4aea47b6b192f44849503c681787c24711fe1a8293b7d68150654a37cb9adfe0d469cb5721251c080a9ac8c784541aad53cea5aad25efd8dae7dcf97f862

Download Submit
C:\Disgusting\dcinst.exe

Filesize
9KB

MD5
ff5f598d99fd00f998ffa8dac3bb620a

SHA1
4b2210a64025ec0e3ec74990a4433d28a22abb37

SHA256
f2a45d08fe2b4cff2d68c1ad2c204ec221428230f98d250b612eb0f27d92a636

SHA512
8d7dc9ecb18cdfdbd5da947e25b781c96e1d9a65bcf423958d73affafeba09340b5a7f193269ba6abf0d92875702aa0dfea34636e9fb4c7349c52954bd5522c8

Download Submit
C:\Disgusting\dcrypt.sys

Filesize
205KB

MD5
edb72f4a46c39452d1a5414f7d26454a

SHA1
08f94684e83a27f2414f439975b7f8a6d61fc056

SHA256
0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6

SHA512
d62a19436aba8b2d181c065076b4ab54d7d8159d71237f83f1aff8c3d132a80290af39a8142708acb468d78958c64f338ba6ad0cab9fbac001a6a0bddc0e4faa

Download Submit
\Disgusting\13.exe

Filesize
284KB

MD5
a42b35f975d88c1370a7aff084ee57a7

SHA1
bee1408fe0b15f6f719f003e46aee5ec424cf608

SHA256
56cc9e7e3767c0cffae8161bf0ad13457487c1b422e2879b897dbd4bab115776

SHA512
b92d05515e18277db660118934e70678ee2a3bb66005bad19bb417ffaedb22a63727a5a697ca3ac0f6c48f6f5593ba45ab80f4ebdc0eaed10d80b7af04d45b23

Download Submit
\Disgusting\7z.dll

Filesize
1.1MB

MD5
8915c81b1da3f8e9ac6d9cb7f9b7c105

SHA1
4f9f117eab2e75df3c2cd85bbad307d58990657d

SHA256
92f6e97c9177361ee5425826585e6e4470052a36bb4e0d0e8667e83b41652c2f

SHA512
8f4440fc3028a16f76deee8b14bab3e973bc4e66e9cefa0fb862d3c010465ae0d1d1a592b6f97d18f4fa123379d85d6c15081f67a8383eb19d96fb84771fdbb7

Download Submit
\Disgusting\dcapi.dll

Filesize
211KB

MD5
6299e7f901517d7167d3aff5fa66a30b

SHA1
69e4d05a36e2e925050a72d532cce0da3091bf8c

SHA256
8688ea09e4b59a50c983ff9a27ab4476ab0498c504b227c58a5afc3713bfdab2

SHA512
cf1f4aea47b6b192f44849503c681787c24711fe1a8293b7d68150654a37cb9adfe0d469cb5721251c080a9ac8c784541aad53cea5aad25efd8dae7dcf97f862

Download Submit
\Disgusting\dcinst.exe

Filesize
9KB

MD5
ff5f598d99fd00f998ffa8dac3bb620a

SHA1
4b2210a64025ec0e3ec74990a4433d28a22abb37

SHA256
f2a45d08fe2b4cff2d68c1ad2c204ec221428230f98d250b612eb0f27d92a636

SHA512
8d7dc9ecb18cdfdbd5da947e25b781c96e1d9a65bcf423958d73affafeba09340b5a7f193269ba6abf0d92875702aa0dfea34636e9fb4c7349c52954bd5522c8

Download Submit
memory/1052-57-0x0000000000400000-0x000000000083D000-memory.dmp

Filesize
4.2MB

Download
memory/1388-81-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/1908-80-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/1980-79-0x0000000000400000-0x000000000083D000-memory.dmp

Filesize
4.2MB

Download