Overview

overview

8

Static

static

3

1c4db9ab7c...bd.exe

windows7-x64

1c4db9ab7c...bd.exe

windows10-2004-x64

Analysis

  • max time kernel
    61s
  • max time network
    62s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 20:56

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    1c4db9ab7ce0c5d5285f78e1007490bd.exe

  • Size

    513KB

  • MD5

    1c4db9ab7ce0c5d5285f78e1007490bd

  • SHA1

    d44356deca09b698652f6285b31e0fb161cd225b

  • SHA256

    12bea5e878327d4cc81db8421aebb1ca2eafad7cd88b695938d3aff425a4fb45

  • SHA512

    1504e384408da7c630a1a66924607f426052db93b58b07d398d47b9b9b9040ad99be50bd6bef519f6d2c41c2d149d2ae5ee5ab095b6507e001a24b75d20ac800

  • SSDEEP

    12288:8oTfYuqyRLu5aCWoevfZ1PUxHmA7PGbdOv4c54e08MGH2:hDYu3GeAxHmA7PGsvF54e08MGW

Score
8/10
evasion

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c4db9ab7ce0c5d5285f78e1007490bd.exe
    "C:\Users\Admin\AppData\Local\Temp\1c4db9ab7ce0c5d5285f78e1007490bd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\83B.tmp\83C.bat C:\Users\Admin\AppData\Local\Temp\1c4db9ab7ce0c5d5285f78e1007490bd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Windows\system32\xcopy.exe
        xcopy "CylanceUninstall.bat" "C:\CyUn\CylanceUninstall.bat*"
        3⤵
          PID:3036
        • C:\Windows\system32\schtasks.exe
          schtasks /create /sc onlogon /f /TN CyUninstall /rl highest /TR C:\CyUn\CylanceUninstall.bat
          3⤵
          • Creates scheduled task(s)
          PID:3052
        • C:\Users\Admin\AppData\Local\Temp\83B.tmp\SetACL32.exe
          SetACL32.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop" -ot reg -actn setowner -ownr "n:Administrators"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2072
        • C:\Users\Admin\AppData\Local\Temp\83B.tmp\SetACL32.exe
          SetACL32.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop" -ot reg -actn ace -ace "n:Administrators;p:full"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2256
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop" /v "LastStateRestorePoint" /f
          3⤵
            PID:2560
          • C:\Windows\system32\reg.exe
            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop" /v "SelfProtectionLevel" /t REG_DWORD /d "1" /f
            3⤵
              PID:2780
            • C:\Windows\system32\sc.exe
              SC Delete CylanceSvc
              3⤵
              • Launches sc.exe
              PID:2608
            • C:\Windows\system32\shutdown.exe
              Shutdown /r /t 60 /c "Cylance Uninstalling - Shutting down in 60 seconds"
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2616
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x0
          1⤵
            PID:2772
          • C:\Windows\system32\LogonUI.exe
            "LogonUI.exe" /flags:0x1
            1⤵
              PID:944

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\CyUn\CylanceUninstall.bat
              Filesize

              250B

              MD5

              84b7b7d7c64116d0d57de5592bd6bf02

              SHA1

              66c628d8e294164ea18753bb337566819e0dee82

              SHA256

              d104ecd4715c285dfa5560458ad06d38ef494ee698aadf5a0118d0662cad91e6

              SHA512

              caf73d43dc8c31b360a7d500fd7572335907bf8ca6a43646ba04000b550700ec0a76e19b7366b158b34071146659b98caf087e0ee95e9a5f16238ed02b968f11

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\83B.tmp\83C.bat
              Filesize

              1KB

              MD5

              b1c7a2c3bf4a48c7071281b91456717f

              SHA1

              d2e2db6c057a7b3afa46c30331c3a293dfe596a3

              SHA256

              80ec5266529bb02c3f8c2dfb26f004f6d7ef7d4a1f5836ff6f3dd2a35d6c7b6a

              SHA512

              4e90143162cfedcb4b72100d4de5d2b5c8c217123a160f80389f789b45cbe3cfb9cef110f7518bb06ed6704bd38086e2684d9b7900e7ed369dc98b8d09a41fb7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\83B.tmp\SetACL32.exe
              Filesize

              443KB

              MD5

              451ae03d3c92777f09840ca56f08ab62

              SHA1

              328d049da1814cfe7d1c7783691304577854482f

              SHA256

              d5e779d151772504662e8226eb4107330ffa7a51209eee42b6d5883d99100ba9

              SHA512

              76772983a5c9c8c703b5e51f8ca9a0d5594121e42afa12adcd2b05753a1f96f97b274cda9b13251e0dca0d31ae6a719b2c509ac581bb34c930ccb00141eb9d42

              Download Submit

            • memory/944-14-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2772-13-0x0000000002E10000-0x0000000002E11000-memory.dmp

              Filesize

              4KB

              Download