Resubmissions

  Submitted          Analysis ID         Score
  11-12-2023 15:39   231211-s3p6bacbh4   7
  10-12-2023 15:26   231210-st8w3afacp   7
  09-12-2023 14:29   231209-rt1p1sghcj   7
  09-12-2023 11:42   231209-nvdebshff5   10
  08-12-2023 15:15   231208-smy4aaccf9   10
  05-12-2023 15:49   231205-s9fkfsce49   10
  05-12-2023 04:28   231205-e34f2shb9w   10

Analysis

  • max time kernel: 25s
  • max time network: 34s
  • platform: windows7_x64
  • resource: win7-20231023-en
  • resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted: 05-12-2023 04:28

General

  • Target: dac.exe
  • Size: 22.6MB
  • MD5: 111983bd0209f1541e9d1ee618be1c45
  • SHA1: cf15e95ad616bbf3b806b0f6b7290cc14c6b557e
  • SHA256: af582ce1d3bbc2d9201c81a058203e96f81087433b80ddd85f8eb1a66faa8d31
  • SHA512: 6c1e810557acffc3c10213aa663b7527f4808b418e80c3c5610a5489994138236457aad1ffd28861b912add0aaa66053a4cdac2b3a47167d075f8e9b2d592511
  • SSDEEP: 393216:oHqEnUyriULZiXg6LPmmG3z7z/wQ74cZd060stbgB7OrowyVm9fC8:fXyriULZikmG3zP/p748d0LsqB7uyI48

Score: 10/10

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dac.exe
    "C:\Users\Admin\AppData\Local\Temp\dac.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\12975.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:2988
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:1152
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:2488
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\PI6bT\odetu@f\v+C:\Users\Public\Pictures\PI6bT\odetu@f\b C:\Users\Public\Pictures\PI6bT\odetu@f\AliProtect.dll
      2⤵
      PID:1996
  • C:\Windows\system32\mmc.exe
    C:\Windows\system32\mmc.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" interface ip set address 本地连接 static 1.0.0.2 255.255.255.0 1.0.0.1 1
      2⤵
      PID:2732
  • C:\Windows\system32\mmc.exe
    C:\Windows\system32\mmc.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" interface ip set address \"无线网络连接\" static 1.0.0.3 255.255.255.0 1.0.0.1 1
      2⤵
      PID:2696
  • C:\Windows\system32\mmc.exe
    C:\Windows\system32\mmc.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Users\Public\Pictures\PI6bT\odetu@f\AliWorkbench.exe
      "C:\Users\Public\Pictures\PI6bT\odetu@f\AliWorkbench.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1056

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\12975.bat
    Filesize: 392B
    MD5: 30d6eb22d6aeec10347239b17b023bf4
    SHA1: e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1
    SHA256: 659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08
    SHA512: 500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

  • C:\Users\Public\Pictures\PI6bT\odetu@f\AliProtect.dll
    Filesize: 1.7MB
    MD5: 6139afd7d2000b6356ce6e20f94c694d
    SHA1: 2e20ba20968a0e1a98b4a8f5c04aca3fa11bafc0
    SHA256: 90bf87970934f4c23f9873bbc018368d446276ab39472ea256faca686a7a7413
    SHA512: 0e17663c6fcaeb22d7428347c3c89fc2b852bacc1e3624412a20aa8009ada99730d1fa160cae64a11c37cf373312dbfde9f1ac3e4dcd28a13f009befc127b23e

  • C:\Users\Public\Pictures\PI6bT\odetu@f\AliWorkbench.exe
    Filesize: 411KB
    MD5: 405bd58e0a733acd4f986cf8d1a8cd85
    SHA1: 3d766ea076a36ced02e991d7c72f53be583720e5
    SHA256: af04dad1590fd28ad980af3eabee5b3e8a57cede68d42de1e376dfcc4f991994
    SHA512: bd9e901576a4928633735f7173830991547d72179e72aa0da6a8a6fe70d5ef4c823c4d32cbcc7f4c571dc8febaee3037b58f896b416d1a675000148e8644b97c

  • C:\Users\Public\Pictures\PI6bT\odetu@f\PX.txt
    Filesize: 156KB
    MD5: 8182b68f937b036f77406127c5b50a4f
    SHA1: bd3ae6f2482ac997ecc81968d67658a920e0b92b
    SHA256: 4fab64d1804c54055c7e603db7311ba44cebd24933d187b417b0eb76e4d4b290
    SHA512: c777ee33b5dbc04cfe1f7153cccffac6ff493eaec025582b6afc6c1bfe0d1e8a6b1852d4101dce3600fc27fe03ade4b7ffea914e16bfeb901f8aae346c7aaeb1

  • C:\Users\Public\Pictures\PI6bT\odetu@f\b
    Filesize: 880KB
    MD5: 40f0f5f381f5de3289f61e73069fa965
    SHA1: 4cdd2c8dfdd2dafa20ec9b57ddd91f1abe4bc2dc
    SHA256: 5cbd6e6ff971a9ce2a61193a7a01211f74cc14cce888901dc94fe9aaaf010704
    SHA512: 9b62d3f2e4603a6b990265848b61529125a32eda3ff0cb241a406e4b8acb23436ad385b30a37bf7cf96ed26bbd574cb8a4cbd12f3dfb9c625cd55aea9c57de8b

  • C:\Users\Public\Pictures\PI6bT\odetu@f\v
    Filesize: 880KB
    MD5: 003878433cbd4a8b59982b69815b85b8
    SHA1: 4ab8bfdf56557d57f0688dee13d157c67ed90c51
    SHA256: df493f4c531e3b4569be51c7d00ec8ad05390c12cce372ac18e1c83a4cc14bbd
    SHA512: 6ed33f98c92562ee20728063b421d2b236ba628c4ed4889f461e933f1d25508b818eafe97a042d64088ae0e5163f9e2969604eacf2cab989e3b664c204c39715

  • \Users\Public\Pictures\PI6bT\odetu@f\AliProtect.dll
    Filesize: 1.7MB
    MD5: 6139afd7d2000b6356ce6e20f94c694d
    SHA1: 2e20ba20968a0e1a98b4a8f5c04aca3fa11bafc0
    SHA256: 90bf87970934f4c23f9873bbc018368d446276ab39472ea256faca686a7a7413
    SHA512: 0e17663c6fcaeb22d7428347c3c89fc2b852bacc1e3624412a20aa8009ada99730d1fa160cae64a11c37cf373312dbfde9f1ac3e4dcd28a13f009befc127b23e

  • memory/1056-45-0x0000000000440000-0x000000000049E000-memory.dmp
    Filesize: 376KB

  • memory/1056-44-0x0000000000440000-0x000000000049E000-memory.dmp
    Filesize: 376KB

  • memory/2180-0-0x0000000180000000-0x0000000180033000-memory.dmp
    Filesize: 204KB

  • memory/2180-5-0x0000000180000000-0x0000000180033000-memory.dmp
    Filesize: 204KB

  • memory/2180-4-0x0000000180000000-0x0000000180033000-memory.dmp
    Filesize: 204KB

  • memory/2180-1-0x0000000180000000-0x0000000180033000-memory.dmp
    Filesize: 204KB

  • memory/2180-2-0x0000000180000000-0x0000000180033000-memory.dmp
    Filesize: 204KB

  • memory/2180-3-0x0000000180000000-0x0000000180033000-memory.dmp
    Filesize: 204KB

  • memory/2180-29-0x0000000180000000-0x0000000180033000-memory.dmp
    Filesize: 204KB

  • memory/2180-47-0x0000000180000000-0x0000000180033000-memory.dmp
    Filesize: 204KB

  • memory/2224-38-0x0000000001FC0000-0x0000000001FC1000-memory.dmp
    Filesize: 4KB

  • memory/2304-24-0x0000000001F40000-0x0000000001F41000-memory.dmp
    Filesize: 4KB

  • memory/2772-25-0x0000000002040000-0x0000000002041000-memory.dmp
    Filesize: 4KB