Overview

overview

10

Static

static

7

condef/Def...gs.vbs

windows7-x64

3

condef/Def...gs.vbs

windows10-2004-x64

1

condef/ReadMe.txt

windows7-x64

1

condef/ReadMe.txt

windows10-2004-x64

1

condef/dControl.exe

windows7-x64

10

condef/dControl.exe

windows10-2004-x64

7

out.exe

windows7-x64

out.exe

windows10-2004-x64

condef/dControl.ini

windows7-x64

1

condef/dControl.ini

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    01-11-2023 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    condef/dControl.exe

  • Size

    447KB

  • MD5

    58008524a6473bdf86c1040a9a9e39c3

  • SHA1

    cb704d2e8df80fd3500a5b817966dc262d80ddb8

  • SHA256

    1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

  • SHA512

    8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31

  • SSDEEP

    6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

Score
10/10
evasiontrojanupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • AutoIT Executable 19 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\condef\dControl.exe
    "C:\Users\Admin\AppData\Local\Temp\condef\dControl.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2124
    • C:\Users\Admin\AppData\Local\Temp\condef\dControl.exe
      C:\Users\Admin\AppData\Local\Temp\condef\dControl.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2852
      • C:\Users\Admin\AppData\Local\Temp\condef\dControl.exe
        "C:\Users\Admin\AppData\Local\Temp\condef\dControl.exe" /TI
        3⤵
        • Modifies security service
        • Windows security modification
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\Windows\Explorer.exe
          "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
          4⤵
            PID:2176
          • C:\Users\Admin\AppData\Local\Temp\condef\dControl.exe
            "C:\Users\Admin\AppData\Local\Temp\condef\dControl.exe" /EXP |1300|
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:848
    • C:\Windows\system32\makecab.exe
      "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231101020337.log C:\Windows\Logs\CBS\CbsPersist_20231101020337.cab
      1⤵
      • Drops file in Windows directory
      PID:2440
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /RefreshSystemParam
      1⤵
        PID:2160
      • C:\Windows\system32\gpscript.exe
        gpscript.exe /RefreshSystemParam
        1⤵
          PID:2000
        • C:\Windows\system32\gpscript.exe
          gpscript.exe /RefreshSystemParam
          1⤵
            PID:2812
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:2980
            • C:\Program Files\Windows Defender\MSASCui.exe
              "C:\Program Files\Windows Defender\MSASCui.exe"
              2⤵
                PID:1580

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\2s1v2m4y.tmp
              Filesize

              37KB

              MD5

              f156a4a8ffd8c440348d52ef8498231c

              SHA1

              4d2f5e731a0cc9155220b560eb6560f24b623032

              SHA256

              7c3ca3161b9061c9b1ff70f401d9f02b2d01267bc76cbfcbc397a5aec60d4842

              SHA512

              48f3c273f072a8c3c73a1b835ed320a6b8962c2f8b5037a3b6c1bea5431b17d9c03e8d771cc205bbc067975c78307f2306c55dbc4c72e0a7c15c6b17b3afa170

              Download Submit

            • C:\Windows\System32\GroupPolicy\Machine\Registry.pol
              Filesize

              8B

              MD5

              8e1b08222f20e45a3e8db04c569f9cb7

              SHA1

              a6ac68fbadf96faba3af7000a7514790157f930f

              SHA256

              5bb1f21f806938a043563024b13b33d74a2b95b767c5f81bde8456e9d0413a89

              SHA512

              414d30dec0fce6b4e3ab52c50f064262e0df00cf9dbbeacca271a0991555371a37cfffdd0486c07a9096838942a69cdbefea4a4399ef2848139678daff589c31

              Download Submit

            • C:\Windows\System32\GroupPolicy\gpt.ini
              Filesize

              233B

              MD5

              cd4326a6fd01cd3ca77cfd8d0f53821b

              SHA1

              a1030414d1f8e5d5a6e89d5a309921b8920856f9

              SHA256

              1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

              SHA512

              29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

              Download Submit

            • C:\Windows\Temp\2c8o5s2d.tmp
              Filesize

              37KB

              MD5

              1f8c95b97229e09286b8a531f690c661

              SHA1

              b15b21c4912267b41861fb351f192849cca68a12

              SHA256

              557a903f0f2177e3e62b1a534dee554cf2eff3dd3991bc2310f064bf9c7d2152

              SHA512

              0f0e5b85b6ef73ecebcd70ca90ce54c019eec1ea99966c469f357dd3393d0067f591b3690fe0b7922d7ba4aa25ebefd76a092d28c3377e6035720f8630a1a186

              Download Submit

            • C:\Windows\Temp\2c8o5s2d.tmp
              Filesize

              37KB

              MD5

              3bc9acd9c4b8384fb7ce6c08db87df6d

              SHA1

              936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

              SHA256

              a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

              SHA512

              f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

              Download Submit

            • C:\Windows\Temp\aut9FB9.tmp
              Filesize

              14KB

              MD5

              9d5a0ef18cc4bb492930582064c5330f

              SHA1

              2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

              SHA256

              8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

              SHA512

              1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

              Download Submit

            • C:\Windows\Temp\aut9FC9.tmp
              Filesize

              12KB

              MD5

              efe44d9f6e4426a05e39f99ad407d3e7

              SHA1

              637c531222ee6a56780a7fdcd2b5078467b6e036

              SHA256

              5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

              SHA512

              8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

              Download Submit

            • C:\Windows\Temp\aut9FDA.tmp
              Filesize

              7KB

              MD5

              ecffd3e81c5f2e3c62bcdc122442b5f2

              SHA1

              d41567acbbb0107361c6ee1715fe41b416663f40

              SHA256

              9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

              SHA512

              7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

              Download Submit

            • memory/848-135-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/848-113-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/1580-134-0x0000000000440000-0x0000000000441000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2124-21-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2124-0-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-66-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-138-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-100-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-78-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-65-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-64-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-145-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-136-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-137-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-43-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-139-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-140-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-141-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-142-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-143-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-144-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2852-42-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download