Overview

overview

8

Static

static

3

09490699.exe

windows7-x64

09490699.exe

windows10-2004-x64

Analysis

  • max time kernel
    16s
  • max time network
    21s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/06/2023, 06:55

Sharing

Copy URL Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    09490699.exe

  • Size

    4.2MB

  • MD5

    3aab057312f4f899b322f3f282eba2f3

  • SHA1

    53907d8c91acd85e53c058562a7f61e998bd9002

  • SHA256

    d69ab6b8780792026dc20e123afbb0e8eab342cbe19b705cb2e1e03d19551986

  • SHA512

    fc0a9d718e0d6a7e2f03add1ec9511d38c9d13a7ed10afa974f63d7db8ff09e1a6b79f0a6e025d15a1993451d93177932fa5b6868a9f886324d71af040b128d5

  • SSDEEP

    98304:l7uFXK3RGjr6hbrFjuj6gOzZPuGjr6hbrFjuj6gOzZP:lIK3Q36tpjuj6gYP736tpjuj6gYP

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09490699.exe
    "C:\Users\Admin\AppData\Local\Temp\09490699.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3376
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net start "Hard-to-Destroy Reptile"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Windows\SysWOW64\net.exe
        net start "Hard-to-Destroy Reptile"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start "Hard-to-Destroy Reptile"
          4⤵
            PID:364
    • C:\Users\Admin\AppData\Local\Temp\09490699.exe
      C:\Users\Admin\AppData\Local\Temp\09490699.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c 13.exe x -y 50
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1228
        • C:\Disgusting\13.exe
          13.exe x -y 50
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:1980
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c if exist %windir%\Sysnative\drivers\dcrypt.sys (echo 1) else (echo 0)
        2⤵
          PID:1696
        • C:\Disgusting\dcinst.exe
          dcinst.exe -setup
          2⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3440
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown -r -t 0 -f
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4076
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x4 /state0:0xa39f4855 /state1:0x41c64e6d
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of SetWindowsHookEx
        PID:4672

      Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Disgusting\13.exe
              Filesize

              284KB

              MD5

              a42b35f975d88c1370a7aff084ee57a7

              SHA1

              bee1408fe0b15f6f719f003e46aee5ec424cf608

              SHA256

              56cc9e7e3767c0cffae8161bf0ad13457487c1b422e2879b897dbd4bab115776

              SHA512

              b92d05515e18277db660118934e70678ee2a3bb66005bad19bb417ffaedb22a63727a5a697ca3ac0f6c48f6f5593ba45ab80f4ebdc0eaed10d80b7af04d45b23

              Download Submit

            • C:\Disgusting\50
              Filesize

              127KB

              MD5

              17001c4b91ccfae0d737f2d368566541

              SHA1

              29609a5b3e73d86000093282b0ec8ec33f027393

              SHA256

              11e5b46bb38e0dbed53de6bb67f777a5cb57f81f2011a14a55bd2bb25644f569

              SHA512

              ce16012abd13bca5610006676a41b7f090fd1dda9e538d01b05fe82feb0dd39d36f4309540b511f9ee52654af5e1c5f358bc735c01e4e6320d95639c5c910671

              Download Submit

            • C:\Disgusting\7z.dll
              Filesize

              1.1MB

              MD5

              8915c81b1da3f8e9ac6d9cb7f9b7c105

              SHA1

              4f9f117eab2e75df3c2cd85bbad307d58990657d

              SHA256

              92f6e97c9177361ee5425826585e6e4470052a36bb4e0d0e8667e83b41652c2f

              SHA512

              8f4440fc3028a16f76deee8b14bab3e973bc4e66e9cefa0fb862d3c010465ae0d1d1a592b6f97d18f4fa123379d85d6c15081f67a8383eb19d96fb84771fdbb7

              Download Submit

            • C:\Disgusting\7z.dll
              Filesize

              1.1MB

              MD5

              8915c81b1da3f8e9ac6d9cb7f9b7c105

              SHA1

              4f9f117eab2e75df3c2cd85bbad307d58990657d

              SHA256

              92f6e97c9177361ee5425826585e6e4470052a36bb4e0d0e8667e83b41652c2f

              SHA512

              8f4440fc3028a16f76deee8b14bab3e973bc4e66e9cefa0fb862d3c010465ae0d1d1a592b6f97d18f4fa123379d85d6c15081f67a8383eb19d96fb84771fdbb7

              Download Submit

            • C:\Disgusting\dcapi.dll
              Filesize

              211KB

              MD5

              6299e7f901517d7167d3aff5fa66a30b

              SHA1

              69e4d05a36e2e925050a72d532cce0da3091bf8c

              SHA256

              8688ea09e4b59a50c983ff9a27ab4476ab0498c504b227c58a5afc3713bfdab2

              SHA512

              cf1f4aea47b6b192f44849503c681787c24711fe1a8293b7d68150654a37cb9adfe0d469cb5721251c080a9ac8c784541aad53cea5aad25efd8dae7dcf97f862

              Download Submit

            • C:\Disgusting\dcapi.dll
              Filesize

              211KB

              MD5

              6299e7f901517d7167d3aff5fa66a30b

              SHA1

              69e4d05a36e2e925050a72d532cce0da3091bf8c

              SHA256

              8688ea09e4b59a50c983ff9a27ab4476ab0498c504b227c58a5afc3713bfdab2

              SHA512

              cf1f4aea47b6b192f44849503c681787c24711fe1a8293b7d68150654a37cb9adfe0d469cb5721251c080a9ac8c784541aad53cea5aad25efd8dae7dcf97f862

              Download Submit

            • C:\Disgusting\dcinst.exe
              Filesize

              9KB

              MD5

              ff5f598d99fd00f998ffa8dac3bb620a

              SHA1

              4b2210a64025ec0e3ec74990a4433d28a22abb37

              SHA256

              f2a45d08fe2b4cff2d68c1ad2c204ec221428230f98d250b612eb0f27d92a636

              SHA512

              8d7dc9ecb18cdfdbd5da947e25b781c96e1d9a65bcf423958d73affafeba09340b5a7f193269ba6abf0d92875702aa0dfea34636e9fb4c7349c52954bd5522c8

              Download Submit

            • C:\Disgusting\dcinst.exe
              Filesize

              9KB

              MD5

              ff5f598d99fd00f998ffa8dac3bb620a

              SHA1

              4b2210a64025ec0e3ec74990a4433d28a22abb37

              SHA256

              f2a45d08fe2b4cff2d68c1ad2c204ec221428230f98d250b612eb0f27d92a636

              SHA512

              8d7dc9ecb18cdfdbd5da947e25b781c96e1d9a65bcf423958d73affafeba09340b5a7f193269ba6abf0d92875702aa0dfea34636e9fb4c7349c52954bd5522c8

              Download Submit

            • C:\Disgusting\dcrypt.sys
              Filesize

              205KB

              MD5

              edb72f4a46c39452d1a5414f7d26454a

              SHA1

              08f94684e83a27f2414f439975b7f8a6d61fc056

              SHA256

              0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6

              SHA512

              d62a19436aba8b2d181c065076b4ab54d7d8159d71237f83f1aff8c3d132a80290af39a8142708acb468d78958c64f338ba6ad0cab9fbac001a6a0bddc0e4faa

              Download Submit

            • memory/544-156-0x0000000000400000-0x000000000083D000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/3376-157-0x0000000000400000-0x000000000083D000-memory.dmp

              Filesize

              4.2MB

              Download