Overview

overview

8

Static

static

3

09490699.exe

windows7-x64

09490699.exe

windows10-2004-x64

Analysis

  • max time kernel
    16s
  • max time network
    21s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/06/2023, 06:55 UTC

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    09490699.exe

  • Size

    4.2MB

  • MD5

    3aab057312f4f899b322f3f282eba2f3

  • SHA1

    53907d8c91acd85e53c058562a7f61e998bd9002

  • SHA256

    d69ab6b8780792026dc20e123afbb0e8eab342cbe19b705cb2e1e03d19551986

  • SHA512

    fc0a9d718e0d6a7e2f03add1ec9511d38c9d13a7ed10afa974f63d7db8ff09e1a6b79f0a6e025d15a1993451d93177932fa5b6868a9f886324d71af040b128d5

  • SSDEEP

    98304:l7uFXK3RGjr6hbrFjuj6gOzZPuGjr6hbrFjuj6gOzZP:lIK3Q36tpjuj6gYP736tpjuj6gYP

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09490699.exe
    "C:\Users\Admin\AppData\Local\Temp\09490699.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3376
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net start "Hard-to-Destroy Reptile"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Windows\SysWOW64\net.exe
        net start "Hard-to-Destroy Reptile"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start "Hard-to-Destroy Reptile"
          4⤵
            PID:364
    • C:\Users\Admin\AppData\Local\Temp\09490699.exe
      C:\Users\Admin\AppData\Local\Temp\09490699.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c 13.exe x -y 50
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1228
        • C:\Disgusting\13.exe
          13.exe x -y 50
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:1980
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c if exist %windir%\Sysnative\drivers\dcrypt.sys (echo 1) else (echo 0)
        2⤵
          PID:1696
        • C:\Disgusting\dcinst.exe
          dcinst.exe -setup
          2⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3440
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown -r -t 0 -f
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4076
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x4 /state0:0xa39f4855 /state1:0x41c64e6d
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of SetWindowsHookEx
        PID:4672

      Network

      • flag-us
        DNS
        176.122.125.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        176.122.125.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        97.97.242.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        97.97.242.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        104.219.191.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        104.219.191.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        74.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        74.32.126.40.in-addr.arpa
        IN PTR
        Response
      • 173.223.113.164:443
        46 B
         1
      • 131.253.33.203:80
        46 B
         1
      • 173.223.113.131:80
        46 B
         1
      • 104.46.162.224:443
        138 B
         3
      • 104.46.162.224:443
        144 B
         92 B
         3
        2
      • 8.238.22.254:80
        46 B
         1
      • 8.8.8.8:53
        176.122.125.40.in-addr.arpa
        dns
        73 B
         159 B
         1
        1

        DNS Request

        176.122.125.40.in-addr.arpa

      • 8.8.8.8:53
        97.97.242.52.in-addr.arpa
        dns
        71 B
         145 B
         1
        1

        DNS Request

        97.97.242.52.in-addr.arpa

      • 8.8.8.8:53
        104.219.191.52.in-addr.arpa
        dns
        73 B
         147 B
         1
        1

        DNS Request

        104.219.191.52.in-addr.arpa

      • 8.8.8.8:53
        74.32.126.40.in-addr.arpa
        dns
        71 B
         157 B
         1
        1

        DNS Request

        74.32.126.40.in-addr.arpa

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Disgusting\13.exe
        Filesize

        284KB

        MD5

        a42b35f975d88c1370a7aff084ee57a7

        SHA1

        bee1408fe0b15f6f719f003e46aee5ec424cf608

        SHA256

        56cc9e7e3767c0cffae8161bf0ad13457487c1b422e2879b897dbd4bab115776

        SHA512

        b92d05515e18277db660118934e70678ee2a3bb66005bad19bb417ffaedb22a63727a5a697ca3ac0f6c48f6f5593ba45ab80f4ebdc0eaed10d80b7af04d45b23

        Download Submit

      • C:\Disgusting\50
        Filesize

        127KB

        MD5

        17001c4b91ccfae0d737f2d368566541

        SHA1

        29609a5b3e73d86000093282b0ec8ec33f027393

        SHA256

        11e5b46bb38e0dbed53de6bb67f777a5cb57f81f2011a14a55bd2bb25644f569

        SHA512

        ce16012abd13bca5610006676a41b7f090fd1dda9e538d01b05fe82feb0dd39d36f4309540b511f9ee52654af5e1c5f358bc735c01e4e6320d95639c5c910671

        Download Submit

      • C:\Disgusting\7z.dll
        Filesize

        1.1MB

        MD5

        8915c81b1da3f8e9ac6d9cb7f9b7c105

        SHA1

        4f9f117eab2e75df3c2cd85bbad307d58990657d

        SHA256

        92f6e97c9177361ee5425826585e6e4470052a36bb4e0d0e8667e83b41652c2f

        SHA512

        8f4440fc3028a16f76deee8b14bab3e973bc4e66e9cefa0fb862d3c010465ae0d1d1a592b6f97d18f4fa123379d85d6c15081f67a8383eb19d96fb84771fdbb7

        Download Submit

      • C:\Disgusting\7z.dll
        Filesize

        1.1MB

        MD5

        8915c81b1da3f8e9ac6d9cb7f9b7c105

        SHA1

        4f9f117eab2e75df3c2cd85bbad307d58990657d

        SHA256

        92f6e97c9177361ee5425826585e6e4470052a36bb4e0d0e8667e83b41652c2f

        SHA512

        8f4440fc3028a16f76deee8b14bab3e973bc4e66e9cefa0fb862d3c010465ae0d1d1a592b6f97d18f4fa123379d85d6c15081f67a8383eb19d96fb84771fdbb7

        Download Submit

      • C:\Disgusting\dcapi.dll
        Filesize

        211KB

        MD5

        6299e7f901517d7167d3aff5fa66a30b

        SHA1

        69e4d05a36e2e925050a72d532cce0da3091bf8c

        SHA256

        8688ea09e4b59a50c983ff9a27ab4476ab0498c504b227c58a5afc3713bfdab2

        SHA512

        cf1f4aea47b6b192f44849503c681787c24711fe1a8293b7d68150654a37cb9adfe0d469cb5721251c080a9ac8c784541aad53cea5aad25efd8dae7dcf97f862

        Download Submit

      • C:\Disgusting\dcapi.dll
        Filesize

        211KB

        MD5

        6299e7f901517d7167d3aff5fa66a30b

        SHA1

        69e4d05a36e2e925050a72d532cce0da3091bf8c

        SHA256

        8688ea09e4b59a50c983ff9a27ab4476ab0498c504b227c58a5afc3713bfdab2

        SHA512

        cf1f4aea47b6b192f44849503c681787c24711fe1a8293b7d68150654a37cb9adfe0d469cb5721251c080a9ac8c784541aad53cea5aad25efd8dae7dcf97f862

        Download Submit

      • C:\Disgusting\dcinst.exe
        Filesize

        9KB

        MD5

        ff5f598d99fd00f998ffa8dac3bb620a

        SHA1

        4b2210a64025ec0e3ec74990a4433d28a22abb37

        SHA256

        f2a45d08fe2b4cff2d68c1ad2c204ec221428230f98d250b612eb0f27d92a636

        SHA512

        8d7dc9ecb18cdfdbd5da947e25b781c96e1d9a65bcf423958d73affafeba09340b5a7f193269ba6abf0d92875702aa0dfea34636e9fb4c7349c52954bd5522c8

        Download Submit

      • C:\Disgusting\dcinst.exe
        Filesize

        9KB

        MD5

        ff5f598d99fd00f998ffa8dac3bb620a

        SHA1

        4b2210a64025ec0e3ec74990a4433d28a22abb37

        SHA256

        f2a45d08fe2b4cff2d68c1ad2c204ec221428230f98d250b612eb0f27d92a636

        SHA512

        8d7dc9ecb18cdfdbd5da947e25b781c96e1d9a65bcf423958d73affafeba09340b5a7f193269ba6abf0d92875702aa0dfea34636e9fb4c7349c52954bd5522c8

        Download Submit

      • C:\Disgusting\dcrypt.sys
        Filesize

        205KB

        MD5

        edb72f4a46c39452d1a5414f7d26454a

        SHA1

        08f94684e83a27f2414f439975b7f8a6d61fc056

        SHA256

        0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6

        SHA512

        d62a19436aba8b2d181c065076b4ab54d7d8159d71237f83f1aff8c3d132a80290af39a8142708acb468d78958c64f338ba6ad0cab9fbac001a6a0bddc0e4faa

        Download Submit

      • memory/544-156-0x0000000000400000-0x000000000083D000-memory.dmp

        Filesize

        4.2MB

        Download

      • memory/3376-157-0x0000000000400000-0x000000000083D000-memory.dmp

        Filesize

        4.2MB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.