Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2023 18:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    456KB

  • MD5

    a8145015691ccb73460a69fa0a8b0304

  • SHA1

    d1f61cd7ccf682868720dacfc91f50ce4e70412b

  • SHA256

    eff416f17b83327e6911308b2b9678f52fb4b4d20b99a96f43c2478e5dcc10f2

  • SHA512

    246c43e235fa7c5b4ec9575dd68448db19b28532f5bb51b3baa9b3637a990f25c3677b54fc40d47bd0ced5e97fb10dbe0a04e0df5516f9ca24a5bf47fb2a78f1

  • SSDEEP

    6144:I1/tBaOZZfURQrLmwCn/2L04fiOFnZitWpqdc6WwjLC6a2HEZ+rG7tUW:mtbRURQ+wC+9KtWpqSNg+6RrqtUW

Score
10/10
evasiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3672
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1692
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      2⤵
        PID:3696
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        2⤵
        • Drops startup file
        • Suspicious use of AdjustPrivilegeToken
        PID:1148

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    3
    T1562

    Disable or Modify Tools

    3
    T1562.001

    Modify Registry

    4
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpfqrqvm.qvv.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\Pictures\d21xVVTc7kT5LzeQrIGn9rOc.exe
      Filesize

      7KB

      MD5

      5b423612b36cde7f2745455c5dd82577

      SHA1

      0187c7c80743b44e9e0c193e993294e3b969cc3d

      SHA256

      e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

      SHA512

      c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

      Download Submit
    • memory/1148-10-0x0000000000400000-0x0000000000408000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1148-74-0x0000000004700000-0x0000000004710000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1148-73-0x0000000074410000-0x0000000074BC0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1148-16-0x0000000004700000-0x0000000004710000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1148-12-0x0000000074410000-0x0000000074BC0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1692-31-0x00000000055E0000-0x0000000005646000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1692-35-0x00000000046B0000-0x00000000046C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1692-61-0x0000000074410000-0x0000000074BC0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1692-58-0x00000000071E0000-0x00000000071E8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1692-13-0x0000000000C80000-0x0000000000CB6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1692-57-0x0000000007200000-0x000000000721A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1692-15-0x00000000046B0000-0x00000000046C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1692-56-0x0000000007100000-0x0000000007114000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1692-55-0x00000000070F0000-0x00000000070FE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1692-17-0x0000000074410000-0x0000000074BC0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1692-19-0x0000000004CF0000-0x0000000005318000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/1692-18-0x00000000046B0000-0x00000000046C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1692-54-0x00000000070C0000-0x00000000070D1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1692-25-0x0000000005410000-0x0000000005432000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1692-30-0x00000000056C0000-0x0000000005726000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1692-53-0x0000000007140000-0x00000000071D6000-memory.dmp
      Filesize

      600KB

      Download
    • memory/1692-32-0x0000000005740000-0x0000000005A94000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1692-33-0x0000000005B90000-0x0000000005BAE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1692-34-0x0000000005BC0000-0x0000000005C0C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1692-52-0x0000000006F30000-0x0000000006F3A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1692-36-0x000000007FCA0000-0x000000007FCB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1692-37-0x0000000006190000-0x00000000061C2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1692-38-0x0000000070210000-0x000000007025C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1692-48-0x0000000006150000-0x000000000616E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1692-49-0x0000000006B90000-0x0000000006C33000-memory.dmp
      Filesize

      652KB

      Download
    • memory/1692-50-0x0000000007500000-0x0000000007B7A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/1692-51-0x0000000006EC0000-0x0000000006EDA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3672-8-0x0000000005000000-0x000000000501E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3672-0-0x0000000074410000-0x0000000074BC0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3672-4-0x0000000004DB0000-0x0000000004DCA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3672-5-0x0000000004F80000-0x0000000004FF6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3672-14-0x0000000074410000-0x0000000074BC0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3672-6-0x00000000050C0000-0x00000000050D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3672-7-0x0000000004F20000-0x0000000004F2A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3672-9-0x00000000051C0000-0x00000000051E6000-memory.dmp
      Filesize

      152KB

      Download
    • memory/3672-3-0x0000000004E30000-0x0000000004EC2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3672-2-0x00000000054B0000-0x0000000005A54000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3672-1-0x00000000003B0000-0x0000000000428000-memory.dmp
      Filesize

      480KB

      Download