Overview

overview

10

Static

static

3

dac.exe

windows7-x64

10

dac.exe

windows10-1703-x64

10

dac.exe

windows10-2004-x64

10

dac.exe

windows11-21h2-x64

7

Resubmissions

11-12-2023 15:39

231211-s3p6bacbh4 7

10-12-2023 15:26

231210-st8w3afacp 7

09-12-2023 14:29

231209-rt1p1sghcj 7

09-12-2023 11:42

231209-nvdebshff5 10

08-12-2023 15:15

231208-smy4aaccf9 10

05-12-2023 15:49

231205-s9fkfsce49 10

05-12-2023 04:28

231205-e34f2shb9w 10

Analysis

  • max time kernel
    30s
  • max time network
    34s
  • platform
    windows10-1703_x64
  • resource
    win10-20231020-en
  • resource tags

    arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05-12-2023 04:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dac.exe

  • Size

    22.6MB

  • MD5

    111983bd0209f1541e9d1ee618be1c45

  • SHA1

    cf15e95ad616bbf3b806b0f6b7290cc14c6b557e

  • SHA256

    af582ce1d3bbc2d9201c81a058203e96f81087433b80ddd85f8eb1a66faa8d31

  • SHA512

    6c1e810557acffc3c10213aa663b7527f4808b418e80c3c5610a5489994138236457aad1ffd28861b912add0aaa66053a4cdac2b3a47167d075f8e9b2d592511

  • SSDEEP

    393216:oHqEnUyriULZiXg6LPmmG3z7z/wQ74cZd060stbgB7OrowyVm9fC8:fXyriULZikmG3zP/p748d0LsqB7uyI48

Score
10/10
evasiontrojanupx

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dac.exe
    "C:\Users\Admin\AppData\Local\Temp\dac.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\qnZ30.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:4156
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:4532
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:780
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\ZWxMH\6fs0H@f\v+C:\Users\Public\Pictures\ZWxMH\6fs0H@f\b C:\Users\Public\Pictures\ZWxMH\6fs0H@f\AliProtect.dll
      2⤵
        PID:2164
    • C:\Windows\system32\mmc.exe
      C:\Windows\system32\mmc.exe -Embedding
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4152
      • C:\Windows\System32\netsh.exe
        "C:\Windows\System32\netsh.exe" interface ip set address 以太网 static 1.0.0.2 255.255.255.0 1.0.0.1 1
        2⤵
          PID:648
      • C:\Windows\system32\mmc.exe
        C:\Windows\system32\mmc.exe -Embedding
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" interface ip set address \"WLAN\" static 1.0.0.3 255.255.255.0 1.0.0.1 1
          2⤵
            PID:4600
        • C:\Windows\system32\mmc.exe
          C:\Windows\system32\mmc.exe -Embedding
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4260
          • C:\Users\Public\Pictures\ZWxMH\6fs0H@f\AliWorkbench.exe
            "C:\Users\Public\Pictures\ZWxMH\6fs0H@f\AliWorkbench.exe"
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4300
            • C:\Windows\SysWOW64\netsh.exe
              "C:\Windows\System32\netsh.exe" interface ip set address \"ÒÔÌ«Íø\" dhcp
              3⤵
                PID:4988
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" interface ip set address \"WLAN\" dhcp
                3⤵
                  PID:440

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\qnZ30.bat
              Filesize

              392B

              MD5

              30d6eb22d6aeec10347239b17b023bf4

              SHA1

              e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

              SHA256

              659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

              SHA512

              500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

              Download Submit

            • C:\Users\Public\Pictures\ZWxMH\6fs0H@f\AliIMStartup.dll
              Filesize

              522KB

              MD5

              9509e2ec8222bbff5871993439a22aab

              SHA1

              e70859c34c89143fbb947b5f75ea89fa419089de

              SHA256

              131cf0b47fa91a731f2c26e526f640b51a6a2753059ac6597b562df339fb01c3

              SHA512

              ffe50081f45eab17b89227f3adfac6ff223e8c33a16eb26ce3e4c89f5d8d7220fa3f34191fc039a23dad9ecb21e7640ef636dad405f76c54ab7fc55d92741b85

              Download Submit

            • C:\Users\Public\Pictures\ZWxMH\6fs0H@f\AliProtect.dll
              Filesize

              1.7MB

              MD5

              6139afd7d2000b6356ce6e20f94c694d

              SHA1

              2e20ba20968a0e1a98b4a8f5c04aca3fa11bafc0

              SHA256

              90bf87970934f4c23f9873bbc018368d446276ab39472ea256faca686a7a7413

              SHA512

              0e17663c6fcaeb22d7428347c3c89fc2b852bacc1e3624412a20aa8009ada99730d1fa160cae64a11c37cf373312dbfde9f1ac3e4dcd28a13f009befc127b23e

              Download Submit

            • C:\Users\Public\Pictures\ZWxMH\6fs0H@f\AliWorkbench.exe
              Filesize

              411KB

              MD5

              405bd58e0a733acd4f986cf8d1a8cd85

              SHA1

              3d766ea076a36ced02e991d7c72f53be583720e5

              SHA256

              af04dad1590fd28ad980af3eabee5b3e8a57cede68d42de1e376dfcc4f991994

              SHA512

              bd9e901576a4928633735f7173830991547d72179e72aa0da6a8a6fe70d5ef4c823c4d32cbcc7f4c571dc8febaee3037b58f896b416d1a675000148e8644b97c

              Download Submit

            • C:\Users\Public\Pictures\ZWxMH\6fs0H@f\AliWorkbench.exe
              Filesize

              411KB

              MD5

              405bd58e0a733acd4f986cf8d1a8cd85

              SHA1

              3d766ea076a36ced02e991d7c72f53be583720e5

              SHA256

              af04dad1590fd28ad980af3eabee5b3e8a57cede68d42de1e376dfcc4f991994

              SHA512

              bd9e901576a4928633735f7173830991547d72179e72aa0da6a8a6fe70d5ef4c823c4d32cbcc7f4c571dc8febaee3037b58f896b416d1a675000148e8644b97c

              Download Submit

            • C:\Users\Public\Pictures\ZWxMH\6fs0H@f\PX.txt
              Filesize

              156KB

              MD5

              8182b68f937b036f77406127c5b50a4f

              SHA1

              bd3ae6f2482ac997ecc81968d67658a920e0b92b

              SHA256

              4fab64d1804c54055c7e603db7311ba44cebd24933d187b417b0eb76e4d4b290

              SHA512

              c777ee33b5dbc04cfe1f7153cccffac6ff493eaec025582b6afc6c1bfe0d1e8a6b1852d4101dce3600fc27fe03ade4b7ffea914e16bfeb901f8aae346c7aaeb1

              Download Submit

            • C:\Users\Public\Pictures\ZWxMH\6fs0H@f\b
              Filesize

              880KB

              MD5

              40f0f5f381f5de3289f61e73069fa965

              SHA1

              4cdd2c8dfdd2dafa20ec9b57ddd91f1abe4bc2dc

              SHA256

              5cbd6e6ff971a9ce2a61193a7a01211f74cc14cce888901dc94fe9aaaf010704

              SHA512

              9b62d3f2e4603a6b990265848b61529125a32eda3ff0cb241a406e4b8acb23436ad385b30a37bf7cf96ed26bbd574cb8a4cbd12f3dfb9c625cd55aea9c57de8b

              Download Submit

            • C:\Users\Public\Pictures\ZWxMH\6fs0H@f\v
              Filesize

              880KB

              MD5

              003878433cbd4a8b59982b69815b85b8

              SHA1

              4ab8bfdf56557d57f0688dee13d157c67ed90c51

              SHA256

              df493f4c531e3b4569be51c7d00ec8ad05390c12cce372ac18e1c83a4cc14bbd

              SHA512

              6ed33f98c92562ee20728063b421d2b236ba628c4ed4889f461e933f1d25508b818eafe97a042d64088ae0e5163f9e2969604eacf2cab989e3b664c204c39715

              Download Submit

            • \Users\Public\Pictures\ZWxMH\6fs0H@f\AliProtect.dll
              Filesize

              1.7MB

              MD5

              6139afd7d2000b6356ce6e20f94c694d

              SHA1

              2e20ba20968a0e1a98b4a8f5c04aca3fa11bafc0

              SHA256

              90bf87970934f4c23f9873bbc018368d446276ab39472ea256faca686a7a7413

              SHA512

              0e17663c6fcaeb22d7428347c3c89fc2b852bacc1e3624412a20aa8009ada99730d1fa160cae64a11c37cf373312dbfde9f1ac3e4dcd28a13f009befc127b23e

              Download Submit

            • memory/1568-3-0x0000000180000000-0x0000000180033000-memory.dmp

              Filesize

              204KB

              Download

            • memory/1568-5-0x0000000180000000-0x0000000180033000-memory.dmp

              Filesize

              204KB

              Download

            • memory/1568-0-0x0000000180000000-0x0000000180033000-memory.dmp

              Filesize

              204KB

              Download

            • memory/1568-38-0x0000000180000000-0x0000000180033000-memory.dmp

              Filesize

              204KB

              Download

            • memory/1568-4-0x0000000180000000-0x0000000180033000-memory.dmp

              Filesize

              204KB

              Download

            • memory/1568-34-0x0000000180000000-0x0000000180033000-memory.dmp

              Filesize

              204KB

              Download

            • memory/1568-2-0x0000000180000000-0x0000000180033000-memory.dmp

              Filesize

              204KB

              Download

            • memory/4300-33-0x0000000002900000-0x000000000295E000-memory.dmp

              Filesize

              376KB

              Download

            • memory/4300-36-0x0000000002900000-0x000000000295E000-memory.dmp

              Filesize

              376KB

              Download

            • memory/4300-39-0x0000000002900000-0x000000000295E000-memory.dmp

              Filesize

              376KB

              Download

            • memory/4300-35-0x0000000002900000-0x000000000295E000-memory.dmp

              Filesize

              376KB

              Download

            • memory/4300-46-0x0000000002900000-0x000000000295E000-memory.dmp

              Filesize

              376KB

              Download

            • memory/4300-47-0x0000000002900000-0x000000000295E000-memory.dmp

              Filesize

              376KB

              Download

            • memory/4300-48-0x0000000002900000-0x000000000295E000-memory.dmp

              Filesize

              376KB

              Download