Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    72s
  • max time network
    79s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    23/01/2024, 10:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.1MB

  • MD5

    072932d63a4fdc222735e6f713a514ae

  • SHA1

    cdb200e4c759600e4a83e450fbd67a7682526ea9

  • SHA256

    eb27d4fc56e8a66e9fb47d0b73b752f963855ac169130d55a488709caa466bba

  • SHA512

    c7512594cb7ee7d9d3b3f71ff8931441932473d25561d946f55aface0c704b01a4f7bbbc8fc53b30e1cf1be10030c91186988f0ba6183485037924bb83db8702

  • SSDEEP

    24576:La5ou5FEgQHe/Hlh9dJs3duzm413cig9gUfHSA+U:EouPx/363duzm413cr9gUqZ

Score
10/10
evasiontrojan

Malware Config

Signatures

  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Modifies Windows Firewall 1 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:2844
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:2608
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
    • C:\Windows\System\dc.exe
      "C:\Windows\System\dc.exe" /D
      2⤵
      • Modifies security service
      • Executes dropped EXE
      • Windows security modification
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1900
    • C:\Windows\system32\schtasks.exe
      schtasks /delete /TN "Timer"
      2⤵
        PID:2200
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        2⤵
        • Creates scheduled task(s)
        PID:1708
      • C:\Windows\System\svchost.exe
        "C:\Windows\System\svchost.exe" formal
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2016
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:2484
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:1924
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:868
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1304
        • C:\Windows\System\dc.exe
          "C:\Windows\System\dc.exe" /D
          3⤵
          • Modifies security service
          • Executes dropped EXE
          • Windows security modification
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          PID:2272
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /RefreshSystemParam
      1⤵
        PID:436
      • C:\Windows\system32\gpscript.exe
        gpscript.exe /RefreshSystemParam
        1⤵
          PID:2724

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\brtrodn
          Filesize

          108KB

          MD5

          07232b64be72593980cd952e8f85017e

          SHA1

          61dba57cc51f4501ace3520e2cf559d8e42e04d7

          SHA256

          ef342bcc3c938c2fa9b38bc84019d8dce94d018372f7d9c29a8ee7ff3f0fc3a8

          SHA512

          d5417f270e14fe3437c0d017e037117001377379475531b70f9d6840548dd830117fbf62c152c9af09f586bdf944edac330bc560cca4fa45105269319e7158cb

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          228c22ed89a894a8103a50bcc727e6b8

          SHA1

          63f5d0fb8159597af848cadd8885d3e25445ce27

          SHA256

          2684734fd4b56ead9adad039177f0f90764e8444d3ec28a84aa5aca1e75520b7

          SHA512

          8467318719ebfefbc4b89239a4f866c5dbea5b04cf66fa556edfb745404b9f4c1bd9a8abd1b39afa8fa5a372b9e9757fbd7b93a8d36291d9cdd4fd03a3be8bac

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          a548e3a182d431496c3c25049fddd413

          SHA1

          f56250f089732e82e72755aaf0e0d44f6e7bc3ed

          SHA256

          dd973423ce6b065fd0e7b5dbae865776f5920791e431f3f4b4bc550e13fd42da

          SHA512

          98c68829103ba30f566eed9ab253da4b86103db5ea8f4ecf1a2eda0c697ae20b9829676de68f06c0c31358176f801bfd829e36431a68fc079480e7efc562ee4f

          Download Submit

        • C:\Windows\System32\GroupPolicy\Machine\Registry.pol
          Filesize

          160B

          MD5

          58f8eb09a822c09fc11f5a42baae36f1

          SHA1

          9e7063eeee62c8588e0020bef3a116e9379966aa

          SHA256

          6509c7fc4fa70391399831bbc3d66206d3f6f8f2bb20ffcac4e04844861d733a

          SHA512

          53806780934bd86bb032ee4a515dfc0e8464a5ecc5f4c8c593304fcd969c1058d443bdec54e7ae21469adb942b16693cc9eaf997217adc69d3618ab0ec99dc1e

          Download Submit

        • C:\Windows\System32\GroupPolicy\gpt.ini
          Filesize

          233B

          MD5

          cd4326a6fd01cd3ca77cfd8d0f53821b

          SHA1

          a1030414d1f8e5d5a6e89d5a309921b8920856f9

          SHA256

          1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

          SHA512

          29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

          Download Submit

        • C:\Windows\System\dc.exe
          Filesize

          44KB

          MD5

          a92aebac605644987f13efe616317941

          SHA1

          f1110e7ca344ae804936af94abfe1e720e8bf408

          SHA256

          0e19874d39f70c47ba63d6f2f434952ec0f12454f20ff4ba6ea67df3720c405f

          SHA512

          da0d89dced8f06c7edc6e41f8439a0cae9d5a1d62154c8d14770237efd61e91820435df0bf89371e4b5abb1ffa8e639809b3a2f8f6a4cc3e1c5af09cba726317

          Download Submit

        • C:\Windows\system\dc.exe
          Filesize

          50KB

          MD5

          2bcad11218e525ed71f66a81a386d82c

          SHA1

          6242577f8d697fb7c3e32e1dd17cc7ed511dc736

          SHA256

          0c517c8e3ecb30e3ea46d7e37b2681f5c3cbc11999b2058c8e489e97353fca3f

          SHA512

          238dea5d9d8ffbc3702f817f3a458d9ba1d15e18f165a13577a6051509b27065df1c784e162ebcad34ca53cebfccb916ab968ffb8aaeeb059b7ef6a5a56db3a8

          Download Submit

        • C:\Windows\system\dc.exe
          Filesize

          763KB

          MD5

          0a50081a6cd37aea0945c91de91c5d97

          SHA1

          755309c6d9fa4cd13b6c867cde01cc1e0d415d00

          SHA256

          6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b

          SHA512

          f0a4e9a3dc065df2182527b17077c822d4535db86bf61f5ee795ee469b15159560a8e81e60d3037f3de1bb38e92f0fc8a422c2656882650d699e2b96948f9846

          Download Submit

        • C:\Windows\system\svchost.exe
          Filesize

          1.1MB

          MD5

          072932d63a4fdc222735e6f713a514ae

          SHA1

          cdb200e4c759600e4a83e450fbd67a7682526ea9

          SHA256

          eb27d4fc56e8a66e9fb47d0b73b752f963855ac169130d55a488709caa466bba

          SHA512

          c7512594cb7ee7d9d3b3f71ff8931441932473d25561d946f55aface0c704b01a4f7bbbc8fc53b30e1cf1be10030c91186988f0ba6183485037924bb83db8702

          Download Submit

        • memory/868-71-0x000000001B240000-0x000000001B522000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/868-88-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/868-89-0x00000000024A0000-0x0000000002520000-memory.dmp

          Filesize

          512KB

          Download

        • memory/868-78-0x00000000024A0000-0x0000000002520000-memory.dmp

          Filesize

          512KB

          Download

        • memory/868-75-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/868-74-0x00000000024A0000-0x0000000002520000-memory.dmp

          Filesize

          512KB

          Download

        • memory/868-73-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/868-72-0x0000000002460000-0x0000000002468000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1304-86-0x0000000002C94000-0x0000000002C97000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1304-83-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1304-85-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1304-87-0x0000000002C9B000-0x0000000002D02000-memory.dmp

          Filesize

          412KB

          Download

        • memory/1304-90-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1304-84-0x0000000002C90000-0x0000000002D10000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2016-107-0x0000000140000000-0x0000000140218400-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/2016-64-0x0000000140000000-0x0000000140218400-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/2500-65-0x0000000140000000-0x0000000140218400-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/2500-0-0x0000000140000000-0x0000000140218400-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/2500-1-0x0000000140000000-0x0000000140218400-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/2500-2-0x0000000140000000-0x0000000140218400-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/2500-3-0x0000000140000000-0x0000000140218400-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/2656-19-0x0000000002890000-0x0000000002910000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2656-17-0x0000000001FA0000-0x0000000001FA8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2656-27-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2656-24-0x0000000002890000-0x0000000002910000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2656-18-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2656-21-0x0000000002890000-0x0000000002910000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2656-25-0x0000000002890000-0x0000000002910000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2656-20-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2748-15-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2748-16-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2748-14-0x0000000002AA0000-0x0000000002B20000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2748-28-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2748-23-0x0000000002AA0000-0x0000000002B20000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2748-13-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2748-26-0x0000000002AA0000-0x0000000002B20000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2748-22-0x0000000002AA0000-0x0000000002B20000-memory.dmp

          Filesize

          512KB

          Download